[Breaking change]: AuthenticateAsync for remote authentication providers no longer fails if anonymous #491

Open
@Tratcher

Description

RE: dotnet/aspnetcore#43042, dotnet/aspnetcore#43212

Remote authentication providers like OpenIdConnect, WsFederation, and OAuth have been updated to avoid unnecessary errors when there is no user information available on the request.

Version

.NET 7 RC1

Previous behavior

When AuthenticateAsync was called on a remote authentication provider and there was no current user, this call would fail with a message like "OpenIdConnect was not authenticated. Failure message: Not authenticated."

New behavior

AuthenticateAsync will now return AuthenticateResult.NoResult(), an anonymous identity.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

  • This was inconsistent with Cookie and Negotiate authentication which will return AuthenticateResult.NoResult().
  • It causes excess failure logs, especially if the remote authentication handler is set as the default handler and invoked per request.

Recommended action

Code that directly invokes AuthenticateAsync should be checked to ensure it properly handles AuthenticateResult.NoResult() and anonymous/empty ClaimsIdentity instances.

Affected APIs

HttpContext.AuthenticateAsync
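
One way to apply the recommended action, as an added example that is not code from the issue or from ASP.NET Core: classify the result of AuthenticateAsync so that NoResult() and an anonymous identity are never treated as a signed-in user. RemoteAuthOutcome, RemoteAuthCheck, ClassifyAsync and RequireUserAsync are hypothetical names, and the scheme is whatever remote scheme the application registered.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

public enum RemoteAuthOutcome { Authenticated, Anonymous, Failed }

// Hypothetical helper, not part of ASP.NET Core.
public static class RemoteAuthCheck
{
    public static async Task<(RemoteAuthOutcome Outcome, ClaimsPrincipal? User)> ClassifyAsync(
        HttpContext context, string scheme)
    {
        AuthenticateResult result = await context.AuthenticateAsync(scheme);

        // A genuine handler error is still reported through Failure.
        if (result.Failure is not null)
            return (RemoteAuthOutcome.Failed, null);

        // NoResult(): None is true, Succeeded is false, Failure and Principal are null.
        // Testing only "Failure is null" would treat this case as success.
        if (result.None || !result.Succeeded)
            return (RemoteAuthOutcome.Anonymous, null);

        // A ticket can still carry an anonymous or empty ClaimsIdentity.
        ClaimsPrincipal? user = result.Principal;
        if (user?.Identity?.IsAuthenticated != true)
            return (RemoteAuthOutcome.Anonymous, null);

        return (RemoteAuthOutcome.Authenticated, user);
    }

    // Returns true only when the caller may proceed; otherwise the response is already set.
    public static async Task<bool> RequireUserAsync(HttpContext context, string scheme)
    {
        var (outcome, user) = await ClassifyAsync(context, scheme);
        switch (outcome)
        {
            case RemoteAuthOutcome.Authenticated:
                context.User = user!;
                return true;
            case RemoteAuthOutcome.Anonymous:
                await context.ChallengeAsync(scheme); // start the remote sign-in
                return false;
            default:
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return false;
        }
    }
}
```

Code that previously relied on the "Not authenticated" failure to reject a request needs the Anonymous branch, because NoResult() carries no Failure.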
