OnAuthenticationFailed should be called when the OIDC authorization request returns an error #1178
@Tratcher let's take a look at this for 2.0.0.
IIRC there's another similar issue already open related to this // @Tratcher
Actually, this is the one I was thinking of: #1188
Offline discussion: how can we flow information into OnRemoteFailure in a more structured way? #1188 asks for the auth properties. @danroth27 is asking for the structured failure response. Right now the failures are rendered as an exception message:
Security/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs, line 1211 in bd19ba9
Note Twitter uses OAuth1a and doesn't even have this level of structure to its errors.
There are several places where just throwing is not really helpful. One big one is in the JwtSecurityTokenHandler itself -- what a bad design. I don't know/recall if the OIDC MW suppresses that exception, but it'd be nice for it to. So, then, how about an "ErrorPageUrl", akin to how the cookie MW has login and access denied path properties to redirect the user to? As for capturing the error info, another all-purpose error event seems like an idea.... but yikes, that's a lot of events.
@brockallen Yes, OIDC and JWT middleware capture the JwtSecurityTokenHandler exceptions and raise them to the events. What happens from there still needs work as you suggest. The error page url is something I've considered, but it's not clear that we can flow any useful details there, nor is the page even likely to exist unless we add it to templates.
Closing because this hasn't come up a whole lot recently. There are some ways to handle these types of failures, though they're not ideal.
When I make an OIDC authorization request and the response is an error (e.g. a post-back with an error property) I expect the OnAuthenticationFailed event to be fired so that I can see the protocol message and potentially handle the event. Currently I have to handle this case using the OnRemoteFailure event, which only gives you the failure exception, and not the actual protocol message details.
I ran into this trying to port some Azure AD B2C sample code from Katana to ASP.NET Core. When you try to reset your password with Azure AD B2C you get back an error response with a particular error code in the error description that you need to handle. It's a bit ugly to do that with the OnRemoteFailure event.
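As an added example (not code from the issue or from the aspnet/Security repository), here is the workaround the report describes: handling the provider's error response in OnRemoteFailure, where only the exception text is available, alongside OnMessageReceived, which the OpenIdConnect handler raises before it turns an error response into that exception and which exposes the structured ProtocolMessage. The error-code string and the two redirect paths are assumed placeholders, not values from the page.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class OidcErrorHandling
{
    // Placeholder: the provider-specific code in error_description that marks the
    // "user asked to reset their password" outcome. Substitute your provider's value.
    private const string PasswordResetErrorCode = "<PROVIDER_PASSWORD_RESET_CODE>";

    public static OpenIdConnectEvents CreateEvents() => new OpenIdConnectEvents
    {
        // Runs before the handler checks the response for an error, so the raw
        // error / error_description fields are still available as properties.
        OnMessageReceived = context =>
        {
            var msg = context.ProtocolMessage;
            if (!string.IsNullOrEmpty(msg.Error) &&
                (msg.ErrorDescription ?? string.Empty).Contains(PasswordResetErrorCode, StringComparison.Ordinal))
            {
                // Expected, user-driven outcome: route to the reset flow and stop the
                // handler from treating this as an authentication failure.
                context.Response.Redirect("/Account/ResetPassword"); // assumed path
                context.HandleResponse();
            }
            return Task.CompletedTask;
        },

        // Reached for any remaining remote failure. Only an Exception is available;
        // the handler folds error and error_description into its message, so the
        // only option here is to inspect that text.
        OnRemoteFailure = context =>
        {
            var message = context.Failure?.Message ?? string.Empty;

            if (message.Contains(PasswordResetErrorCode, StringComparison.Ordinal))
            {
                context.Response.Redirect("/Account/ResetPassword"); // assumed path
            }
            else
            {
                // Genuine failure: log the message server-side and show a neutral page
                // rather than echoing the provider's error_description to the browser.
                context.Response.Redirect("/Home/Error"); // assumed path
            }
            context.HandleResponse();
            return Task.CompletedTask;
        }
    };
}
```

Assign the returned events to OpenIdConnectOptions.Events when configuring the OpenIdConnect middleware; the OnMessageReceived branch is the structured alternative, and OnRemoteFailure remains as the fallback the issue describes.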