Remote authentication always invoked with .NET 8, regardless of whether needed or not (as opposed to how it worked with .NET 6).

[lxs65]

The bug (or what supposedly is a bug)

Using remote authentication via a .NET Framework 4.7.2 ASP.NET WebForms application, whereby this application implements its "own" remote authentication handler, from within a .NET 6 application works just fine. That is, for every YARP-forwarded request no remote authentication takes place, but for all requests handled at the .NET 6 side and requiring authentication, the remote authentication mechanism correctly kicks in.

Changing the .NET 6 application into a .NET 8 application all of a sudden causes remote authentication to become active for every single request, regardless of any isDefaultScheme argument value passed onto .AddAuthenticationClient().

Of course, we may be doing something wrong, this only surfacing now that we are trying to use .NET 8. However, since all worked as anticipated with .NET 6 we feel we have run into an issue blocking us from moving to .NET 8 for our production environment.

Did try to dive into the system web adapters code, focusing on those parts marked with compiler switches, and also tried debugging, but all of this did not result into any (obvious) clue of what may be the cause of this.

To Reproduce

In RemoteAuthTrial three projects have been introduced showing the above.

The EOLSim project is a .NET Framework 4.7.2 WebForms project, based on the system web adapters provided example code. It however introduces its own RemoteAuthenticationHttpHandler. In all respects this pretty closely mimics how our legacy application offers support for remote authentication. The setup in global.asax seems pretty standard.

The EOLNet6 project is a .NET 6 Web application using controllers, again based on the system web adapters provided example code. The one major change to the example code is the indication of the use of a dedicated remote authentication endpoint.

    .AddAuthenticationClient(false, options =>
    {
        options.AuthenticationEndpointPath = "/handler/remoteAuth";
    });

As mentioned above, this works as anticipated, which can be seen by setting a breakpoint in the RemoteAuthenticationHttpHandler at the .NET Framework side. Also, setting a breakpoint on the above options.AuthenticationEndpointPath will show this is only hit when remote authentication is truly required.

The EOLNet8 project is really the same application as the .NET 6 application, but obviously this time applying .NET 8. Using the same breakpoints as mentioned before reveals the breakpoints are always hit for every request.

Obviously, this causes undesirable roundtrips.

Note the EOLNet6 and EOLNet8 applications are not exactly mimicking our migration work in that our real application directly uses YARP's IHttpForwarder type internally. However, configuration of the system web adapters is the same and also the observed behavior is identical.

Further technical details

All testing is done from within Visual Studio 2022 17.10.4, by means of setting up multiple startup applications/projects.

ASP.NET Framework Application:

• WebForms
• .NET Framework 4.7.2
• IIS Express
• Windows 11 Enterprise 23H2 22631.3880

ASP.NET Core Applications:

• .NET 6
• .NET 8
• .NET SDK 8.0.303

[lxs65]

It looks like we found the cause after all. It seems to be caused by a breaking change in ASP.NET Core. Adding AppContext.SetSwitch("Microsoft.AspNetCore.Authentication.SuppressAutoDefaultScheme", true); to the root of the .NET 8 application appears to bring back the same behavior as for the .NET 6 application.