Description
Describe the bug
My YARP config has two routes, one with JWT Bearer token authorization and a second one with AuthorizationPolicy set to "anonymous". Everything runs great.
When I pass data to the anonymous route without a Bearer token it returns 200 (correct).
When I pass a Bearer token that is not correct it returns 200 (correct - it's an anonymous route, we don't care).
When I pass a Bearer token that is correct and up to date it returns 200 (correct - it's an anonymous route, we don't care).
When I pass a Bearer token that is correct but whose lifetime has ended it returns 200 (correct - it's an anonymous route, we don't care) but also throws an exception: Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo (UTC)....
and fires JwtBearerEvents.OnAuthenticationFailed (but still passes the request down).
It's not a bug that stops the flow, but it throws unwanted exceptions and also shows that in the background token validation for anonymous requests still occurs. A fix could clear the unwanted exceptions and speed up the anonymous flow.
To Reproduce
- The YARP config has two routes, one with JWT Bearer token authorization and a second one with AuthorizationPolicy set to "anonymous".
- Pass a Bearer token that is correct but whose lifetime has ended to the anonymous route.
- The request is passed, but an exception occurs: "Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired"
Further technical details
- YARP 2.3.0
- The platform (Linux)
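The setup described in the report, as an added example for reproducing it; this is not the reporter's configuration or YARP project code. It registers JWT Bearer as the default authentication scheme, loads two YARP routes from an in-memory configuration (one under the "default" policy, which requires an authenticated user, and one marked "anonymous"), and logs every OnAuthenticationFailed event with the route that was matched. The cluster address, issuer, audience, signing key and route paths are placeholders.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Two routes: "secure" uses the default authorization policy (authenticated user
// required), "public" is explicitly anonymous. Placeholder paths and cluster address.
var proxyConfig = new Dictionary<string, string?>
{
    ["ReverseProxy:Routes:secure:ClusterId"] = "backend",
    ["ReverseProxy:Routes:secure:AuthorizationPolicy"] = "default",
    ["ReverseProxy:Routes:secure:Match:Path"] = "/api/{**catch-all}",

    ["ReverseProxy:Routes:public:ClusterId"] = "backend",
    ["ReverseProxy:Routes:public:AuthorizationPolicy"] = "anonymous",
    ["ReverseProxy:Routes:public:Match:Path"] = "/public/{**catch-all}",

    ["ReverseProxy:Clusters:backend:Destinations:d1:Address"] = "http://localhost:5001/",
};
builder.Configuration.AddInMemoryCollection(proxyConfig);

// JWT Bearer is the default scheme, so the handler inspects the Authorization
// header on every request, regardless of the route's authorization policy.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.example",      // placeholder
            ValidateAudience = true,
            ValidAudience = "proxy",                      // placeholder
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                // placeholder HS256 key; replace with the real issuer key material
                Encoding.UTF8.GetBytes("replace-with-a-real-32-byte-minimum-secret-key!")),
        };
        options.Events = new JwtBearerEvents
        {
            // Fires for an expired or otherwise invalid token on any route. On the
            // "anonymous" route the request still continues with no principal.
            OnAuthenticationFailed = ctx =>
            {
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("JwtBearer");
                logger.LogWarning(ctx.Exception,
                    "Bearer token rejected on {Path} ({ExceptionType})",
                    ctx.HttpContext.Request.Path,
                    ctx.Exception.GetType().Name);
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapReverseProxy();
app.Run();
```

Sending an expired token to `/public/...` logs the SecurityTokenExpiredException from the OnAuthenticationFailed handler while the proxied response still comes back 200, which is the behaviour the report describes: the authentication middleware runs the default scheme's handler before YARP's authorization policy for the matched route is consulted, so the "anonymous" policy only decides that the failed result is ignored, not that the token is skipped. The same handler against `/api/...` returns 401 instead, which is the check to run to confirm the secure route is actually guarded.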