dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Invalid Issuer should respond 500 instead of 401 in dotnet 8 Microsoft.AspNetCore.Authentication.JwtBearer #53692

Open ShineSmile opened 9 months ago

ShineSmile commented 9 months ago

Is there an existing issue for this?

Describe the bug

Microsoft.AspNetCore.Authentication.JwtBearer version 8.0.1

Invalid Issuer should respond 500 instead of 401 as before. Invalid Issuer is a server-side issue. Responding 401 and adding comments in the header may confuse client-side users who request with a valid token.


Expected Behavior

Invalid Issuer is a service-side issue, so a 500 response is expected. The server losing its token validation function does not mean the user's credentials are incorrect.

Steps To Reproduce

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", config =>
    {
        config.Authority = "https://authority.host";
        config.Audience = "audience-here";

        config.SaveToken = true;
    });

Set up a Web API project and request with a valid token. Disconnect all network connections to the Authority. I have tested 3.1, 6, 7, 8 and only received response code 401 in dotnet 8.

Exceptions (if any)

No response

.NET Version

8.0.101

Anything else?

No response
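The following is an added example, not code from the issue or from the aspnetcore repository. It extends the reporter's registration so that an unreachable authority is surfaced to operators rather than left for clients to infer from a 401: the exception text is kept out of the WWW-Authenticate header (`IncludeErrorDetails`), the failure is logged server-side with a distinction between token-validation exceptions and everything else, and a hypothetical health check (`AuthorityMetadataHealthCheck`, a name chosen here) fetches the discovery document through the same `ConfigurationManager` the handler uses. The authority and audience values are the issue's own placeholders.

```csharp
// Added example (not part of the issue): observe authority failures server-side.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Diagnostics.HealthChecks;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        options.Authority = "https://authority.host"; // placeholder taken from the issue
        options.Audience = "audience-here";           // placeholder taken from the issue
        options.SaveToken = true;

        // Do not echo IDX* exception messages into the WWW-Authenticate header;
        // they describe the server's state, not the client's token.
        options.IncludeErrorDetails = false;

        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                var logger = context.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("JwtBearer");

                // Token validation failures derive from SecurityTokenException
                // (expired, bad signature, wrong issuer/audience). Anything else,
                // such as a failed metadata fetch, is a server-side fault to alert on.
                if (context.Exception is SecurityTokenException)
                {
                    logger.LogInformation(context.Exception, "Bearer token rejected");
                }
                else
                {
                    logger.LogError(context.Exception,
                        "Bearer authentication failed for a server-side reason");
                }
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddHealthChecks()
    .AddCheck<AuthorityMetadataHealthCheck>("jwt-authority");

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapHealthChecks("/healthz");
app.MapGet("/secure", () => "ok").RequireAuthorization();
app.Run();

// Hypothetical health check (name assumed): resolves the post-configured Bearer
// options and asks the handler's own ConfigurationManager for the discovery
// document, so a lost connection or an untrusted certificate in the container
// shows up as Unhealthy on /healthz instead of as user-facing 401s.
sealed class AuthorityMetadataHealthCheck : IHealthCheck
{
    private readonly IOptionsMonitor<JwtBearerOptions> _options;

    public AuthorityMetadataHealthCheck(IOptionsMonitor<JwtBearerOptions> options)
        => _options = options;

    public async Task<HealthCheckResult> CheckHealthAsync(
        HealthCheckContext context, CancellationToken cancellationToken = default)
    {
        var options = _options.Get(JwtBearerDefaults.AuthenticationScheme);
        if (options.ConfigurationManager is null)
        {
            return HealthCheckResult.Degraded(
                "No ConfigurationManager is configured for the Bearer scheme.");
        }

        try
        {
            var config = await options.ConfigurationManager
                .GetConfigurationAsync(cancellationToken);
            return HealthCheckResult.Healthy($"Issuer metadata loaded for {config.Issuer}");
        }
        catch (Exception ex)
        {
            return HealthCheckResult.Unhealthy("Cannot retrieve authority metadata.", ex);
        }
    }
}
```

The health check reuses the handler's cached `ConfigurationManager`, so a healthy probe reflects exactly the metadata the handler will validate against; when the authority is unreachable, the operator sees it on `/healthz` and in the error log while the client still receives a bare 401 without the server's exception text.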

ghost commented 9 months ago

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it is a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.

petermicuch commented 3 months ago

This is indeed a bit misleading and makes issues from the field much harder to detect. Now the first question, if we encounter a 401 when the user claims correct credentials, will be to test whether the issuer is valid (i.e. has a valid certificate). And this is quite a common problem when a containerized application does not have "local" certificates imported into the cert store of the container.