Skip to content
This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Can't perform custom error handling using OpenIdConnect OnAuthenticationFailed event #884

Closed
dstrockis opened this issue Jun 15, 2016 · 10 comments
Closed

Can't perform custom error handling using OpenIdConnect OnAuthenticationFailed event #884

dstrockis opened this issue Jun 15, 2016 · 10 comments
Assignees
@Tratcher
Labels
3 - Done bug
Milestone
1.1.0

Comments

@dstrockis
Copy link

I couldn’t figure out how to get the OnAuthenticationFailed event to work how I wanted it to. My goal was to catch any exceptions that occurred during the auth pipeline & redirect to my own custom error page with information about the exception – the code is here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/blob/master/WebApp-OpenIDConnect-DotNet/Startup.cs#L78-83

When I call HandleResponse() in this event, the OIDC handler still tries to succeed the authentication flow, and subsequently throws an exception when it discovers the auth ticket is null (because some exception occurred during token validation). It succeeds because of the call on this line: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L637

I believe if the OnAuthenticationFailed event is invoked, the auth flow should not succeed.
@Tratcher Tratcher added the bug label Jun 15, 2016
@Tratcher
Copy link
Member

HandleResponse isn't working in OnAuthenticationFailed. Use OnRemoteFailure instead. I don't think we need OnAuthenticationFailed anymore, it seems redundant with OnRemoteFailure.

@Tratcher Tratcher self-assigned this Jun 15, 2016
@Tratcher
Copy link
Member

FYI: JwtBearer has a similar issue with OnAuthenticationFailed and I don't see an easy workaround there.

@Tratcher
Copy link
Member

@HaoK

@HaoK
Copy link
Member

HaoK commented Jun 15, 2016

Yeah we should just remove the OIDC specific OnAuthenticationFailed since we have OnRemoteFailure now...

@Eilon Eilon added this to the 1.0.1 milestone Jun 16, 2016
@Eilon
Copy link
Member

Eilon commented Jun 16, 2016

We should add the newer/better event to the JWT flavor as well.

@brentschmaltz
Copy link
Contributor

OnAuthenticationFailed was meant to indicate that we couldn't authenticate the user. I don't think OnRemoteFailure has the same semantic. This is also a change from Katana.

@Tratcher
Copy link
Member

The other event does not apply to JWTBearer, it's from the base class for the redirecting middleware.

@Tratcher
Copy link
Member

OnRemoteFailure has the same parameters and conditions and executes immediately after OnAuthenticationFailed. The only difference is the name.

@Tratcher
Copy link
Member

Since this was not removed for RTM, we'll have to keep it and see if there's some way to fix it.

@brentschmaltz
Copy link
Contributor

OnAuthenticationFailed makes sense for OIDC, but maybe not for JwtBearer as the webapi call is not technically about Authentication but Authorization.

@Eilon Eilon modified the milestones: 1.1.0-preview1, 1.1.0 Oct 6, 2016
Tratcher added a commit that referenced this issue Oct 17, 2016
@Tratcher
#884 Honor OIDC's OnAuthenticationFailed HandleResponse()
086e847
@Tratcher Tratcher mentioned this issue Oct 17, 2016
Merged
Tratcher added a commit that referenced this issue Oct 17, 2016
@Tratcher
#884 Honor OIDC's and Jwt's OnAuthenticationFailed HandleResponse()
0fc2d4c
Tratcher added a commit that referenced this issue Oct 31, 2016
@Tratcher
#884 Honor OIDC's and Jwt's OnAuthenticationFailed HandleResponse()
2d1c56c
@Tratcher Tratcher mentioned this issue Jun 16, 2017
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Tratcher Tratcher

Labels
3 - Done bug
Projects
None yet
Milestone
1.1.0
Development

No branches or pull requests
5 participants
@Eilon @Tratcher @dstrockis @brentschmaltz @HaoK