Description
Describe the bug
In an MVC application with authorization and authentication using IdentityServer4, the authorization fails before authentication takes place when the incoming request does not have an Authorization header. When this happens, the log reads as follows:
Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request starting HTTP/1.1 POST https://localhost:44363/api/measurements application/json 1021
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Successfully validated the token.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: BearerIdentityServerAuthenticationJwt was challenged.
IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler: Information: AuthenticationScheme: Bearer was challenged.
This shows that authorization fails before authentication occurs. It also shows that the token was successfully validated. In my case, I am extracting the token from the request body and assigning it to context.Token in the JwtBearerEvents.OnMessageReceived event handler.
If I put any valid JWT in the auth header, my token validation occurs. For example, if the JWT in the auth header is expired and the one in the body is not expired, the validation will be successful because it is only validating the one in the body. In that case, the authorization succeeds (as it happened in the correct order since there was a token in an auth header).
To Reproduce
I have created a simple project to show what happens. For some reason, the logging is not showing anything other than the IdentityServer4 message in this project, but the behavior is still the same. Before running the project, you will need to use an identity server instance to generate an access token. In order for the token to be valid, you will need to edit the startup.cs file and paste the identity server address (authority) and the valid token in the proper spots (marked by // TODO:).
You will also need to use a tool to send a POST request to the API. I used Postman for my testing. I set the auth to no auth (when trying to send without an auth header) and to Bearer when I attempt to send with the token. In this case, no content should be sent with the request.
https://github.com/dw1020/Authorization-Issue-Demo
Exceptions (if any)
no exceptions
Further technical details
- ASP.NET Core version: 3.1
- Include the output of dotnet --info:
.NET SDK (reflecting any global.json):
Version: 6.0.100-preview.5.21302.13
Commit: d6380bcae7
Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\6.0.100-preview.5.21302.13\
Host (useful for support):
Version: 6.0.0-preview.5.21301.5
Commit: ec3e0b276b
.NET SDKs installed:
3.1.410 [C:\Program Files\dotnet\sdk]
5.0.203 [C:\Program Files\dotnet\sdk]
5.0.204 [C:\Program Files\dotnet\sdk]
6.0.100-preview.5.21302.13 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.0-preview.5.21301.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-preview.5.21301.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.0-preview.5.21301.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
- The IDE (VS / VS Code/ VS4Mac) you're running on, and its version: VS Community 2019 Version 16.9.6
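Added example, not code from the linked demo project or from aspnetcore itself: a C# `JwtBearerEvents.OnMessageReceived` handler that does what the report describes (reads a bearer token out of a JSON request body and assigns it to `context.Token`), wired to the plain JwtBearer handler rather than the IdentityServer4.AccessTokenValidation wrapper the report uses. The body field name `access_token`, the 64 KiB body cap and the placeholder authority and audience are assumptions. Two details matter for a handler like this: the body stream must be buffered and rewound so MVC model binding can still read it afterwards, and this version prefers the standard Authorization header over the body, which is the opposite of the behaviour the reporter observed (where the body token was the one validated).

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class BodyTokenExtractor
{
    // Assumed values; the report's demo project does not define them.
    private const long MaxBodyBytes = 64 * 1024;
    private const string TokenProperty = "access_token";

    // OnMessageReceived runs before JwtBearerHandler inspects the Authorization
    // header, so a non-null context.Token set here is what gets validated.
    public static async Task OnMessageReceived(MessageReceivedContext context)
    {
        HttpRequest request = context.Request;

        // Prefer the RFC 6750 Authorization header; the body is only a fallback,
        // so a header token is never quietly replaced by one from the body.
        if (request.Headers.ContainsKey("Authorization"))
            return;

        string contentType = request.ContentType ?? string.Empty;
        if (!contentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase))
            return;
        if (request.ContentLength is null || request.ContentLength == 0 || request.ContentLength > MaxBodyBytes)
            return;

        // The request body is forward-only. Buffer it so model binding can read it
        // again after it has been consumed here, then rewind.
        request.EnableBuffering();
        string body;
        using (var reader = new StreamReader(request.Body, Encoding.UTF8,
                   detectEncodingFromByteOrderMarks: false, bufferSize: 1024, leaveOpen: true))
        {
            body = await reader.ReadToEndAsync();
        }
        request.Body.Position = 0;

        try
        {
            using JsonDocument doc = JsonDocument.Parse(body);
            if (doc.RootElement.ValueKind == JsonValueKind.Object &&
                doc.RootElement.TryGetProperty(TokenProperty, out JsonElement tokenElement) &&
                tokenElement.ValueKind == JsonValueKind.String)
            {
                // Hand the raw token to JwtBearerHandler; it still performs the full
                // signature, issuer, audience and lifetime validation.
                context.Token = tokenElement.GetString();
            }
        }
        catch (JsonException)
        {
            // Malformed body: leave context.Token null. The handler then finds no
            // token, authentication yields no principal and [Authorize] rejects.
        }
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholders, filled in the same way as the report's // TODO: spots.
                options.Authority = "https://IDENTITY-SERVER-AUTHORITY-PLACEHOLDER";
                options.Audience = "API-AUDIENCE-PLACEHOLDER";
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = BodyTokenExtractor.OnMessageReceived
                };
            });
        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Authentication must run before authorization so that the principal built
        // from the validated token is what [Authorize] evaluates.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

When testing a handler like this with the logging level used in the report, the check to make is that "Successfully validated the token" is logged before the authorization outcome for a body-only request; if the token is only validated after "Authorization failed", as in the log sequence above, the scheme that ran during the authenticate pass never reached the JWT handler, and the scheme forwarding between the outer IdentityServer4 handler and the inner JwtBearer handler is the place to look.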