Null policyAuthorizationResult.AuthorizationFailure in custom IAuthorizationMiddlewareResultHandler

[gonzaloluna]

Hi, I am trying to send custom forbid messages for different Authorization Policies in the our web api.

I followed the examples introduced in NET Core 5 for adding a custom IAuthorizationMiddlewareResultHandler.
The problem I'm facing is the object policyAuthorizationResult.AuthorizationFailure is always null so I can't tell which policy failed. The first if in the following code (my customAuthorizationMiddlewareResultHandler).

public async Task HandleAsync(
            RequestDelegate requestDelegate,
            HttpContext httpContext,
            AuthorizationPolicy authorizationPolicy,
            PolicyAuthorizationResult policyAuthorizationResult)
        {
            if (policyAuthorizationResult.Forbidden && policyAuthorizationResult.AuthorizationFailure != null)
            {
                if (policyAuthorizationResult.AuthorizationFailure.FailedRequirements.Any(requirement => requirement is LicenseRequirement))
                {
                    var requirement = policyAuthorizationResult.AuthorizationFailure.FailedRequirements.FirstOrDefault() as LicenseRequirement;
                    httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                    await httpContext.Response.WriteAsync(requirement.RequirementError);

                    // return right away as the default implementation would overwrite the status code
                    return;
                }
               
            }

            await _handler.HandleAsync(requestDelegate, httpContext, authorizationPolicy, policyAuthorizationResult);
        }

This is how I add the Authentication middleware.

var machineKeyConfig = new XmlMachineKeyConfig(File.OpenRead("machine_config.xml"));
            MachineKeyDataProtectionOptions machinekeyOptions = new MachineKeyDataProtectionOptions
            {
                MachineKey = new MachineKey(machineKeyConfig)
            };
            MachineKeyDataProtectionProvider machineKeyDataProtectionProvider = new MachineKeyDataProtectionProvider(machinekeyOptions);
            MachineKeyDataProtector machineKeyDataProtector = new MachineKeyDataProtector(machinekeyOptions.MachineKey);

            IDataProtector dataProtector = machineKeyDataProtector.CreateProtector("Microsoft.Owin.Security.OAuth", "Access_Token", "v1");
            var ticketDataFormat = new OwinTicketDataFormat(dataProtector);



            services
                .AddAuthentication(o => {
                    o.DefaultAuthenticateScheme = OAuthValidationDefaults.AuthenticationScheme;
                    o.DefaultChallengeScheme = OAuthValidationDefaults.AuthenticationScheme;
                })
               .AddOAuthValidation(option =>
                {
                  //using legacy ticketDataFormat for backward compatibility with older apis
                   option.AccessTokenFormat = ticketDataFormat;
                });

Thanks

[HaoK]

How are you triggering the authorization failures, via AuthorizationMiddleware/EndpointRouting and authorize attributes?

[gonzaloluna]

I'm using Policy-based authorization. It's triggered by HandleRequirementAsync from a custom AuthorizationHandler

protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
        {
           var hasPermissionsApplied = requirement.Permissions.Any();
            if (hasPermissionsApplied)
            {
                _logger.LogTrace("Permissions required: {0}",  string.Join(", ", requirement.Permissions));

                var permissions = await _permissionService.GetUserPermissions(_licenseClaim.ProductLicenseId, _licenseClaim.CustomerId, true, requirement.Permissions);

                //logic ......
                if (notAllEnabled || notAllPermissionsIncluded)
                {
                    _logger.LogWarning("[Authorize Permission] Permission not matched for product license " + _licenseClaim?.ProductLicenseId);
                    context.Fail("Permission not matched for product license " + _licenseClaim?.ProductLicenseId, _httpContextAccessor);
                    return;
                }
                context.Succeed(requirement);
                return;
            }
        }

[HaoK]

You mean you aren't using asp.net or the endpoint middleware? Normally people hit an endpoint with authorize metadata.

[HaoK]

But the wireup for what failed comes from

aspnetcore/src/Security/Authorization/Core/src/DefaultAuthorizationEvaluator.cs

Line 21 in c925f99

: AuthorizationFailure.Failed(context.PendingRequirements));

which is normally what's used to determine when authorization succeeds or fails

aspnetcore/src/Security/Authorization/Core/src/DefaultAuthorizationService.cs

Line 98 in c925f99

var result = _evaluator.Evaluate(authContext);

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.