Can't perform custom error handling using OpenIdConnect OnAuthenticationFailed event

[dstrockis]

I couldn’t figure out how to get the OnAuthenticationFailed event to work how I wanted it to. My goal was to catch any exceptions that occurred during the auth pipeline & redirect to my own custom error page with information about the exception – the code is here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/blob/master/WebApp-OpenIDConnect-DotNet/Startup.cs#L78-83

When I call HandleResponse() in this event, the OIDC handler still tries to succeed the authentication flow, and subsequently throws an exception when it discovers the auth ticket is null (because some exception occurred during token validation). It succeeds because of the call on this line: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L637

I believe if the OnAuthenticationFailed event is invoked, the auth flow should not succeed.

[Tratcher]

HandleResponse isn't working in OnAuthenticationFailed. Use OnRemoteFailure instead. I don't think we need OnAuthenticationFailed anymore, it seems redundant with OnRemoteFailure.

[Tratcher]

FYI: JwtBearer has a similar issue with OnAuthenticationFailed and I don't see an easy workaround there.

[Tratcher]

@HaoK

[HaoK]

Yeah we should just remove the OIDC specific OnAuthenticationFailed since we have OnRemoteFailure now...

[Eilon]

We should add the newer/better event to the JWT flavor as well.

[brentschmaltz]

OnAuthenticationFailed was meant to indicate that we couldn't authenticate the user. I don't think OnRemoteFailure has the same semantic. This is also a change from Katana.

[Tratcher]

The other event does not apply to JWTBearer, it's from the base class for the redirecting middleware.

[Tratcher]

OnRemoteFailure has the same parameters and conditions and executes immediately after OnAuthenticationFailed. The only difference is the name.

[Tratcher]

Since this was not removed for RTM, we'll have to keep it and see if there's some way to fix it.

[brentschmaltz]

OnAuthenticationFailed makes sense for OIDC, but maybe not for JwtBearer as the webapi call is not technically about Authentication but Authorization.