Description
hi,
I am using .NET 6 Web API. I have a need to support a dual authentication scheme. One scheme uses a standard OIDC-provided access token, for which I am using the standard AddJwtBearer extension method with token validation parameters. For the second scheme, I have created a custom authentication handler using .NET's own JwtBearerHandler.cs code as a reference.
For the initial implementation, except for changing from Bearer to CustomBearer and changing the class name, I haven't made any other changes, so that it is easier to troubleshoot during initial development.
I also have some custom AuthorizationHandler classes for applying custom Authorization policies.
The problem that I am facing is that even though the authentication of the incoming JWT is happening successfully in the custom authentication handler and I am setting the TokenValidatedContext with the claims principal from the incoming JWT, I am not seeing httpContext.User updated with the proper identity from the token when I access httpContext in other places within the app.
Even in the custom authorization handler's HandleRequirementAsync method, the AuthorizationHandlerContext does not have the authenticated user identity information. So my subsequent authorization handler fails the request, as no user information is available from the claims principal.
I am facing this issue only when authentication goes through my custom authentication handler class. If I am passing the standard OIDC-provided access_token, httpContext.User and AuthorizationHandlerContext both reflect the authenticated user principal as available from the token.
So I am thinking that I am missing some step in between after completing the authentication, which is causing httpContext.User not to reflect the authenticated user principal information.
In my custom authentication handler's HandleAuthenticateAsync method, after successful validation of the token, should I simply overwrite httpContext.User with the principal created from the token? Or is there any other standard way to update the value, as the reference JwtBearerHandler.cs does not perform any such action?
Any guidance on this will be very helpful.
Thanks!
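An added example of the standard way to wire two bearer schemes in .NET 6 (this is not code from the issue author or from the framework repository). The authentication middleware only runs the default scheme and copies that scheme's result into HttpContext.User, and an authorization policy that names no scheme falls back to the same default; a second scheme that is merely registered is never asked to authenticate, and overwriting HttpContext.User from inside a handler is not needed. The scheme names, the `CustomBearerHandler` / `CustomBearerOptions` types and the `https://idp.example.invalid` authority are assumptions.

```csharp
// Program.cs, .NET 6 minimal hosting. CustomBearerHandler and CustomBearerOptions
// are the author's types (assumed here); the handler body is not shown.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

const string OidcScheme = JwtBearerDefaults.AuthenticationScheme; // "Bearer"
const string CustomScheme = "CustomBearer";                        // assumed name
const string SelectorScheme = "DualBearer";                        // assumed name

builder.Services
    // The policy scheme is the default, so the authentication middleware runs it on
    // every request; it forwards to one real scheme and that result becomes HttpContext.User.
    .AddAuthentication(SelectorScheme)
    .AddPolicyScheme(SelectorScheme, "Bearer or CustomBearer", options =>
    {
        options.ForwardDefaultSelector = context =>
        {
            string header = context.Request.Headers.Authorization.ToString();
            return header.StartsWith("CustomBearer ", StringComparison.OrdinalIgnoreCase)
                ? CustomScheme
                : OidcScheme;
        };
    })
    .AddJwtBearer(OidcScheme, options =>
    {
        options.Authority = "https://idp.example.invalid"; // placeholder issuer
        options.TokenValidationParameters.ValidAudience = "api"; // placeholder audience
    })
    // Registers the custom handler under its own scheme name; CustomBearerOptions is
    // assumed to derive from AuthenticationSchemeOptions as AddScheme requires.
    .AddScheme<CustomBearerOptions, CustomBearerHandler>(CustomScheme, _ => { });

// Authorization evaluates only the schemes named on the policy (or the default scheme
// when none is named) and merges each successful identity into the principal, so name
// both schemes explicitly; custom AuthorizationHandlers then see the populated user.
builder.Services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(OidcScheme, CustomScheme)
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication(); // must precede UseAuthorization so User is set first
app.UseAuthorization();
app.MapGet("/me", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();
```

The custom handler should keep returning `AuthenticateResult.Success(ticket)` from HandleAuthenticateAsync exactly as JwtBearerHandler does; the middleware, not the handler, assigns the principal to HttpContext.User.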