Skip to content

Avoid failed authN log when the endpoint has IAllowAnonymous metadata #43212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Tratcher merged 2 commits into from
Aug 15, 2022
Merged

Avoid failed authN log when the endpoint has IAllowAnonymous metadata #43212

Tratcher merged 2 commits into from
Aug 15, 2022

Conversation

@Kahbazi
Copy link
Member

@Kahbazi Kahbazi commented Aug 11, 2022

Fixes #43042

@Kahbazi Kahbazi requested a review from Tratcher as a code owner August 11, 2022 06:02
@ghost ghost added area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer community-contribution Indicates that the PR has been added by a community member labels Aug 11, 2022
@ghost
Copy link

ghost commented Aug 11, 2022

Thanks for your PR, @Kahbazi. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

@Tratcher
Copy link
Member

Tratcher commented Aug 12, 2022
edited
Loading

@Kahbazi I tracked down the reason for the original log and I think we can prevent it without this new anonymous check.

The following should be changed from Fail to NoResult.

aspnetcore/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs

Line 202 in 9eb6ad4

return AuthenticateResult.Fail("Not authenticated");

Can you try that?

Background:
OIDC is being set as the default scheme, rather than cookies. The auth middleware then runs Authenticate on OIDC every request. That delegates to Cookies, which returns no identity. OIDC's base class then returns a failure instead of NoResult.

@Tratcher Tratcher self-assigned this Aug 12, 2022
Tratcher
Tratcher requested changes Aug 12, 2022
View reviewed changes
Copy link
Member

@Tratcher Tratcher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my prior comment.

@HaoK
Copy link
Member

HaoK commented Aug 12, 2022

So isn't this a subtle breaking change/behavior change? Users are able to check the authenticate result directly, and now we would be returning NoResult instead of Fail... Arguably there's no difference, but it still seems a bit risky

@halter73 halter73 self-requested a review August 13, 2022 00:55
@Tratcher
Copy link
Member

Tratcher commented Aug 13, 2022

It is a minor behavior change, but I think it's a beneficial one. Auth didn't fail, there's just no user available. Also, I would not expect users to be directly saying Authenticate(OIDC), it would be Authenticate(Cookies) to get the current user and that doesn't go down this code path.

@davidfowl
Copy link
Member

davidfowl commented Aug 13, 2022

I agree with @Tratcher on the fix, this code shouldn't be checking for allow anonymous.

@davidfowl davidfowl added the breaking-change This issue / pr will introduce a breaking change, when resolved / merged. label Aug 14, 2022
@davidfowl
Copy link
Member

davidfowl commented Aug 14, 2022

I marked it as a breaking change. @Tratcher can you write up the breaking change after this PR gets merged?

@Tratcher Tratcher merged commit ac4bd5e into dotnet:main Aug 15, 2022
@ghost ghost added this to the 7.0-rc1 milestone Aug 15, 2022
@Kahbazi Kahbazi deleted the kahbazi/NoLogIfAnonymous branch August 16, 2022 05:05
@Tratcher Tratcher mentioned this pull request Aug 18, 2022
Open
3 tasks
@Tratcher
Copy link
Member

Tratcher commented Aug 18, 2022

Done: aspnet/Announcements#491

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tratcher Tratcher Tratcher approved these changes

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

+1 more reviewer

@abuzaforfagun abuzaforfagun abuzaforfagun approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Tratcher Tratcher

Labels

area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer breaking-change This issue / pr will introduce a breaking change, when resolved / merged. community-contribution Indicates that the PR has been added by a community member

Projects

None yet

Milestone

7.0-rc1

Development

Successfully merging this pull request may close these issues.

MapHealthChecks().AllowAnonymous() not working

6 participants

@Kahbazi @Tratcher @HaoK @davidfowl @halter73 @abuzaforfagun