ForbidAsync uses challenge schemes instead of forbid schemes

[davidfowl]

While looking through the code I noticed that nothing uses the configured forbid schemes by default (GetDefaultForbidSchemeAsync).

HttpAbstractions/src/Microsoft.AspNetCore.Authentication.Core/AuthenticationService.cs

Lines 112 to 122 in d894584

	public virtual async Task ForbidAsync(HttpContext context, string scheme, AuthenticationProperties properties)
	{
	if (scheme == null)
	{
	var defaultChallengeScheme = await Schemes.GetDefaultChallengeSchemeAsync();
	scheme = defaultChallengeScheme?.Name;
	if (scheme == null)
	{
	throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultChallengeScheme found.");
	}
	}

Seems like ForbidAsync should use the specificed ForbidScheme (if any).

/cc @HaoK

[jkotalik]

See aspnet/Security#1376

[jkotalik]

@Eilon @muratg This is probably a 2.0.1 candidate.

[Eilon]

Do we feel this is a common case? How bad is the workaround?

[davidfowl]

@Eilon yes it's very common. The work around isn't that bad but it's non obvious. The application crashes (Stackoverflow) as a result of the recommended configuration.

[davidfowl]

@Eilon this alone doesn't actually fix the issue though. This issue aspnet/Security#1376 requires that this be fixed aspnet/Security#1378 as well.

[Eilon]

Got it, this does sound patch-worthy.