Description
The JwtBearerOptions.Events configured through .AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(...) do not return the HTTP status codes that the documentation specifies. When these events are added to handle a request that is challenged or forbidden, the WriteAsJsonAsync method is documented as returning a 200 HTTP status. That is what happens with the OnChallenge handler, where a 200 is returned, but OnForbidden still returns a 403 even though the same WriteAsJsonAsync method is documented as returning a 200 HTTP status.
```csharp
.AddJwtBearer(options =>
{
    options.Events = new JwtBearerEvents
    {
        // <response object here> is the reporter's placeholder for the JSON body
        OnChallenge = ctx =>
            ctx.Response.WriteAsJsonAsync(<response object here>), // Returns 200, normal
        OnForbidden = ctx =>
            ctx.Response.WriteAsJsonAsync(<response object here>)  // Returns 403, but supposed to be 200
    };
});
```
I know that 403 really means forbidden, and the MS Docs say that is what is supposed to be returned for OnForbidden, but the WriteAsJsonAsync documentation specifically says that "the status code [will be] set to 200."
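Added example, not the reporter's code: the same two event handlers with the status code set explicitly before the JSON body is written, so that the code returned for a failed or insufficient bearer token does not depend on what WriteAsJsonAsync does with the status. The HandleResponse() call in OnChallenge tells the handler that the event produced the response, so it does not try to set its own status and WWW-Authenticate header after the body has started; the JSON bodies, the /secure route and the omitted token validation settings are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Net.Http.Headers;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Token validation parameters are omitted here (placeholder); only the
        // event handlers are relevant to the status-code question.
        options.Events = new JwtBearerEvents
        {
            OnChallenge = async ctx =>
            {
                // Mark the challenge as handled so the handler does not set its own
                // 401/WWW-Authenticate after the body below has already been written.
                ctx.HandleResponse();
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                // Keep the challenge header the default response would have sent.
                ctx.Response.Headers[HeaderNames.WWWAuthenticate] = "Bearer";
                // Constructed body; any JSON-serialisable object works here.
                await ctx.Response.WriteAsJsonAsync(new { error = "unauthorized" });
            },
            OnForbidden = async ctx =>
            {
                // Set explicitly even though the handler already chose 403, so the
                // outcome is visible in this code rather than implied by defaults.
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                await ctx.Response.WriteAsJsonAsync(new { error = "forbidden" });
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Placeholder endpoint: an unauthenticated request hits OnChallenge, an
// authenticated request that fails an authorization policy hits OnForbidden.
app.MapGet("/secure", () => "ok").RequireAuthorization();

app.Run();
```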