Improve error message for when AuthenticationScheme is not recognized

[XplMarcel]

If AutomaticAuthentication is disabled through:
services.ConfigureCookieAuthentication(c => c.AutomaticAuthentication = false);
requests to controllers with an Authorize attribute give a 500 Internal Server Error with the following error:

System.InvalidOperationException
The following authentication scheme was not accepted:

There is no authentication scheme at all.
It can be reproduced using the default asp.net 5 WebApplication template (with individual accounts).
Just browse directly to http://localhost:{port}/Manage

Any ideas ?

[dcarr42]

I have recognised this behaviour also.

[Tratcher]

By design. You must have an automatic auth middleware or your Authorize attribute must name specific auth middleware to use. Otherwise Authorize wouldn't have any effect.

[HaoK]

We could re-purpose this issue to be: experience (sucks)/errors are not clear when missing authentication handlers...

[XplMarcel]

I agree that automatic auth middleware should be in place, but in this case it was in place since i was using Identity, where app.UseIdentity() clearly adds CookieAuthentication.
So personally i think the problem occurs in Identity if AutomaticAuthentication is disabled.
I wanted to disable AutomaticAuthentication, because redirects are useless in a pure WebApi.
It can easily be solved using CookieAuthenticationNotifications, but i think a 500 internal server error shouldn't happen in the first place.

[Tratcher]

@HaoK is UseIdentity even relevant for a pure WebApi scenario?

[HaoK]

Not really, as all UseIdentity does is add a bunch of cookie middlewares. So if the cookies are not needed, best to just not call UseIdentity

[Eilon]

Though we're not planning to change the behavior, we will improve the error message experience.

@HaoK - you had mentioned there might be a dup in HttpAbstractions, so feel free to dup it against that.

[HaoK]

aspnet/HttpAbstractions#421