"No authentication handlers are registered" but there is one

[jeffputz]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

The CI build of POP Forums seems to have an issue where over time, the registered auth handler becomes "deregistered" until I cycle the Azure App Service. I can't reproduce this in other instances I have running, but it happens frequently on this one. Everything runs as expected, until it doesn't.

The Program of the app calls an extension method which registers the auth:

		services.AddAuthentication()
			.AddCookie(PopForumsAuthorizationDefaults.AuthenticationScheme, option =>
			{
				option.ExpireTimeSpan = new TimeSpan(365, 0, 0, 0);
				option.LoginPath = "/Forums/Account/Login";
				// TODO: This is lame because of fx, see: https://github.com/dotnet/aspnetcore/issues/9039
				option.Events.OnRedirectToAccessDenied = context =>
				{
					context.Response.StatusCode = 403;
					return Task.CompletedTask;
				};
			});

Another extension method registers middleware...

app.UseMiddleware<PopForumsAuthorizationMiddleware>();

And here's the middleware. The exception is thrown on the context.AuthenticateAsync call:

	public async Task InvokeAsync(HttpContext context, IUserService userService, IProfileService profileService, ISetupService setupService, IConfig config, IOAuthOnlyService oAuthOnlyService)
	{
		var isSetupAndConnectionGood = setupService.IsRuntimeConnectionAndSetupGood();
		if (!isSetupAndConnectionGood)
		{
			await _next.Invoke(context);
			return;
		}
		var authResult = await context.AuthenticateAsync(PopForumsAuthorizationDefaults.AuthenticationScheme);
		if (authResult.Principal?.Identity is ClaimsIdentity identity)
		{
			var user = await userService.GetUserByName(identity.Name);
			if (user != null)
			{
				foreach (var role in user.Roles)
					identity.AddClaim(new Claim(PopForumsAuthorizationDefaults.ForumsClaimType, role));
				identity.AddClaim(new Claim(PopForumsAuthorizationDefaults.ForumsUserIDType, user.UserID.ToString()));
				context.Items["PopForumsUser"] = user;
				var profile = await profileService.GetProfile(user);
				context.Items["PopForumsProfile"] = profile;
				context.User = new ClaimsPrincipal(identity);
				if (config.IsOAuthOnly && user.TokenExpiration < DateTime.UtcNow)
				{
					var isSuccess = await oAuthOnlyService.AttemptTokenRefresh(user);
					if (!isSuccess)
						context.Response.Redirect("/Forums/Account/Login");
				}
			}
		}
		await _next.Invoke(context);
	}

Exception:

InvalidOperationException: No authentication handlers are registered. Did you forget to call AddAuthentication().AddSomeAuthHandler?

at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at PopForums.Mvc.Areas.Forums.Authorization.PopForumsAuthorizationMiddleware.InvokeAsync(HttpContext context, IUserService userService, IProfileService profileService, ISetupService setupService, IConfig config, IOAuthOnlyService oAuthOnlyService) in /home/vsts/work/1/s/src/PopForums.Mvc/Areas/Forums/Authorization/PopForumsAuthorizationMiddleware.cs:line 20
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

This code has been mostly unchanged going back to .NET v5. Again, when the app starts, everything is fine, but when I come back to it after a few days, it's returning 500's with the above exception and stack trace. I can't think of any reason that after the app is started, the auth scheme would no longer be in place.

Expected Behavior

The auth scheme is durably registered.

Steps To Reproduce

• Run the app in a Linux Azure App Service.
• Observe that it runs fine.
• Wait some amount of time.
• The above exceptions start happening.
• Restart the app service.
• Normal operation resumes.

Exceptions (if any)

InvalidOperationException: No authentication handlers are registered. Did you forget to call AddAuthentication().AddSomeAuthHandler?

at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at PopForums.Mvc.Areas.Forums.Authorization.PopForumsAuthorizationMiddleware.InvokeAsync(HttpContext context, IUserService userService, IProfileService profileService, ISetupService setupService, IConfig config, IOAuthOnlyService oAuthOnlyService) in /home/vsts/work/1/s/src/PopForums.Mvc/Areas/Forums/Authorization/PopForumsAuthorizationMiddleware.cs:line 20
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

.NET Version

8.0

Anything else?

No response

[halter73]

Unfortunately, these repro steps are not sufficient to demonstrate that there is a bug in the framework and not in the app. If you can provide a minimal repro that demonstrates just this issue and a specific trigger for the InvalidOperationException more specific than "wait some amount of time," that points to this being a framework issue, we'll look into this further.

[jeffputz]

I suspected that this would be the response, which is why I almost didn't submit this. I can't repro it, I can only show you that it happens. The auth code has always been complex, which is why I also didn't look at the source, because I wouldn't know where to start. From what I described, you could logically concluded that a minimal repo wouldn't be useful. That repo would be the code samples in the docs, which would then have to run for some amount of time in an Azure Linux App Service before it broke. That I can't do this does not mean that there's no problem.

My assumption is that the place where the registration of handlers is stored is actually volatile after startup. So why is that?

[halter73]

My assumption is that the place where the registration of handlers is stored is actually volatile after startup. So why is that?

I'm not sure why we decided to make it possible to mutate authentication schemes after app start. That decision to allow for that much flexibility was before my time, but my guess is that it was support very dynamic multitenant auth scenarios that might be desired by framework or CMS authors. I haven't seen it used outside of our tests and samples like this one though.

aspnetcore/src/Security/samples/DynamicSchemes/Controllers/AuthController.cs

Lines 23 to 28 in 8efe5b0

	public IActionResult Remove(string scheme)
	{
	_schemeProvider.RemoveScheme(scheme);
	_optionsCache.TryRemove(scheme);
	return Redirect("/");
	}

Assuming that the issue really is the authentication scheme being removed after application start, and not the application restarting without registering any schemes, you should be able to see it by registering a custom IAuthenticationSchemeProvider that logs the calls to add and remove schemes:

builder.Services.AddSingleton<IAuthenticationSchemeProvider, LoggingAuthSchemeProvider>();

// ...

public class LoggingAuthSchemeProvider(IOptions<AuthenticationOptions> options, ILogger<LoggingAuthSchemeProvider> logger)
    : AuthenticationSchemeProvider(options)
{
    public override bool TryAddScheme(AuthenticationScheme scheme)
    {
        logger.LogInformation("Adding scheme '{SchemeName}'.", scheme.Name);
        return base.TryAddScheme(scheme);
    }

    public override void RemoveScheme(string name)
    {
        logger.LogCritical("Removing scheme '{SchemeName}'!!!{StackTrace}", name, Environment.StackTrace);
        base.RemoveScheme(name);
    }
}

[jeffputz]

I'm not familiar with LoggingAuthSchemeProvier... where would it log to?