Raise authenticationFailed event when cert validation fails (#31370)

HaoK · web-flow · commit 364564fd8bc3 · 2021-03-30T15:57:47.000-07:00
diff --git a/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs b/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs
@@ -79,6 +79,17 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 }
 
                 var result = await ValidateCertificateAsync(clientCertificate);
+
+                // Invoke the failed handler if validation failed, before updating the cache
+                if (result.Failure != null)
+                {
+                    var authenticationFailedContext = await HandleFailureAsync(result.Failure);
+                    if (authenticationFailedContext.Result != null)
+                    {
+                        result = authenticationFailedContext.Result;
+                    }
+                }
+                
                 if (_cache != null)
                 {
                     _cache.Put(Context, clientCertificate, result);
@@ -87,12 +98,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             }
             catch (Exception ex)
             {
-                var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
-                {
-                    Exception = ex
-                };
-
-                await Events.AuthenticationFailed(authenticationFailedContext);
+                var authenticationFailedContext = await HandleFailureAsync(ex);
                 if (authenticationFailedContext.Result != null)
                 {
                     return authenticationFailedContext.Result;
@@ -102,6 +108,17 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             }
         }
 
+        private async Task<CertificateAuthenticationFailedContext> HandleFailureAsync(Exception error)
+        {
+            var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
+            {
+                Exception = error
+            };
+
+            await Events.AuthenticationFailed(authenticationFailedContext);
+            return authenticationFailedContext;
+        }
+
         private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2 clientCertificate)
         {
             // If we have a self signed cert, and they're not allowed, exit early and not bother with
diff --git a/src/Security/Authentication/JwtBearer/src/JwtBearerEvents.cs b/src/Security/Authentication/JwtBearer/src/JwtBearerEvents.cs
@@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer
     public class JwtBearerEvents
     {
         /// <summary>
-        /// Invoked if exceptions are thrown during request processing. The exceptions will be re-thrown after this event unless suppressed.
+        /// Invoked if authentication fails during request processing. The exceptions will be re-thrown after this event unless suppressed.
         /// </summary>
         public Func<AuthenticationFailedContext, Task> OnAuthenticationFailed { get; set; } = context => Task.CompletedTask;
 
diff --git a/src/Security/Authentication/test/CertificateTests.cs b/src/Security/Authentication/test/CertificateTests.cs
@@ -284,6 +284,30 @@ public async Task VerifyUntrustedClientCertEndsUpInForbidden()
             var response = await server.CreateClient().GetAsync("https://example.com/");
             Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
         }
+        
+        [Fact]
+        public async Task VerifyValidationFailureCanBeHandled()
+        {
+            var failCalled = false;
+            using var host = await CreateHost(
+                new CertificateAuthenticationOptions
+                {
+                    Events = new CertificateAuthenticationEvents()
+                    {
+                        OnAuthenticationFailed = context =>
+                        {
+                            context.Fail("Validation failed: " + context.Exception);
+                            failCalled = true;
+                            return Task.CompletedTask;
+                        }
+                    }
+                }, Certificates.SignedClient);
+
+            using var server = host.GetTestServer();
+            var response = await server.CreateClient().GetAsync("https://example.com/");
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+            Assert.True(failCalled);
+        }
 
         [Fact]
         public async Task VerifyClientCertWithUntrustedRootAndTrustedChainEndsUpInForbidden()
@@ -752,7 +776,6 @@ private static async Task<IHost> CreateHost(
 
             await host.StartAsync();
 
-
             var server = host.GetTestServer();
             server.BaseAddress = baseAddress;
             return host;

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer`
`12`	`12`	`public class JwtBearerEvents`
`13`	`13`	`{`
`14`	`14`	`/// <summary>`
`15`		`- /// Invoked if exceptions are thrown during request processing. The exceptions will be re-thrown after this event unless suppressed.`
	`15`	`+ /// Invoked if authentication fails during request processing. The exceptions will be re-thrown after this event unless suppressed.`
`16`	`16`	`/// </summary>`
`17`	`17`	`public Func<AuthenticationFailedContext, Task> OnAuthenticationFailed { get; set; } = context => Task.CompletedTask;`
`18`	`18`