Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Breaking change]: AuthenticateAsync for remote authentication providers no longer fails if anonymous #491

Open
1 of 3 tasks
Tratcher opened this issue Aug 18, 2022 · 0 comments
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs

Comments

@Tratcher
Copy link
Member

Description

RE: dotnet/aspnetcore#43042, dotnet/aspnetcore#43212

Remote authentication providers like OpenIdConnect, WsFederation, and OAuth have been updated to avoid unnecessary errors when there is no user information available on the request.

Version

.NET 7 RC1

Previous behavior

When AuthenticateAsync was called on a remote authentication provider and there was no current user, this call would fail with a message like OpenIdConnect was not authenticated. Failure message: Not authenticated.

New behavior

AuthenticateAsync will now return AuthenticateResult.NoResult(), an anonymous identity.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

  • This was inconsistent with Cookie and Negotiate authentication which will return AuthenticateResult.NoResult().
  • It causes excess failure logs, especially if the remote authentication handler is set as the default handler and invoked per request.

Recommended action

Code that directly invokes AuthenticateAsync should be checked to ensure it properly handles AuthenticateResult.NoResult() and anonymous/empty ClaimsIdentity's.

Affected APIs

HttpContext.AuthenticateAsync

@ghost ghost locked as resolved and limited conversation to collaborators Aug 18, 2022
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Sep 13, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs
Projects
None yet
Development

No branches or pull requests

2 participants