OnAuthenticationFailed never fires when certificate validation fails #30819
Comments
That's not what We updated the comments in the other middlewares, e.g. Jwt but it looks like it never made it to Certificate. @JunTaoLuo / @HaoK could one of you update the xml doc comments to match the ones in JWT to remove the confusion?
Ok. Thank you for the information, but I'm a little perplexed, because when the validation of the certificate fails, the request still proceeds forward rather than preventing the request from moving forward unless this is by design. Also if you look at the JwtHandler.js, you have the following:
If there are validationFailures, then the handler calls Events.AuthenticationFailed which triggers the event and event handler. Based upon the example(s) in the docs, the OnCertificateValidation seems to be designed for adding additional claims to the identity, checking the certificate against a database, etc. My application will most likely run in an environment where it cannot use the internet to check CRLs and will not have access to offline CRLs either, so setting the revocation mode to NoCheck is probably going to be the way to go anyway. One thing I also noticed is that the checks seem to be occurring twice; is this because it runs before and after the request?
Validation failures are acceptable, because you can have multiple authentication handlers, and when one fails another may succeed. Auth failure doesn't stop the pipeline. If no authentication handlers end up running there's no identity produced, and any authorization will fail. @Tratcher if we look at JWT it's inconsistent with the actual code comments. What's the expected behaviour here?
OK, we've talked about this internally; we don't have base events, so we have inconsistency. JWT does it, because the JWT validator isn't our code: they throw exceptions, we catch and then pass up to fail. OIDC is the same as JWT. Cookie doesn't have validation really. So, we'll change certificate for 6.0 and pass the failures up, to match JWT, and we'll fix the code comments everywhere.
Thank you very much for reviewing this and your consideration.
You're welcome.
Description
I have a rooted certificate (created a CA and generated a test user certificate from this CA). When attempting to present this certificate, I fully expected the certificate validation to fail because it cannot check a CRL. This failure is desired. However, the handler associated with the OnAuthenticationFailed event never fires.
I stepped through the code in the CertificateAuthenticationHandler.cs and found that the certificate validation fails as expected, but reaches line 140 where the code states:
and the AuthenticationFailed event and its associated event handler are never fired.
I changed the options.RevocationMode to X509RevocationMode.NoCheck. As expected, the validation of the certificate succeeds and reaches line 149 where the code states:
and the CertificateValidated event and associated handler are fired.
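The behaviour described in this report and in the maintainers' reply, as an added configuration example that is not part of the issue or of the aspnetcore repository: it wires both events of Microsoft.AspNetCore.Authentication.Certificate and uses NoCheck revocation for an offline deployment. The KnownThumbprint constant is a placeholder standing in for an application-specific lookup.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
public static class CertificateAuthSetup
{
    // Placeholder; replace with a lookup against your registered client thumbprints.
    private const string KnownThumbprint = "PLACEHOLDER_THUMBPRINT";
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
            .AddCertificate(options =>
            {
                // Offline environment with no CRL access: skip revocation lookup,
                // accepting that a revoked client certificate will not be detected.
                options.RevocationMode = X509RevocationMode.NoCheck;
                options.Events = new CertificateAuthenticationEvents
                {
                    // Runs only after chain validation succeeds: the place for
                    // application checks (allow-list lookup) and extra claims.
                    OnCertificateValidated = context =>
                    {
                        var cert = context.ClientCertificate;
                        if (!string.Equals(cert.Thumbprint, KnownThumbprint, StringComparison.OrdinalIgnoreCase))
                        {
                            context.Fail("Client certificate is not registered.");
                            return Task.CompletedTask;
                        }
                        var identity = (ClaimsIdentity)context.Principal.Identity;
                        identity.AddClaim(new Claim("cert_thumbprint", cert.Thumbprint));
                        context.Success();
                        return Task.CompletedTask;
                    },
                    // As reported in this issue, on 3.1 this is not raised for chain or
                    // revocation failures: the request continues with no identity and
                    // authorization fails instead. Log the cases that do raise it.
                    OnAuthenticationFailed = context =>
                    {
                        var logger = context.HttpContext.RequestServices
                            .GetRequiredService<ILogger<CertificateAuthenticationEvents>>();
                        logger.LogWarning(context.Exception, "Certificate authentication failed.");
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

Because the failure event is not raised on 3.1, a monitoring strategy for rejected client certificates in that version has to rely on the resulting 401/403 responses rather than on this handler.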
Configuration
.NET Core 3.1
Windows 10 Professional
x64 architecture
Regression?
I don't know if this is a regression.
Other information
N/A