WS-Federation OnRemoteFailure - is this the best way to challenge for authentication again #4642
Description
ASP.NET Core 2.1
My app has remote authentication configured with WS-Fed. I don't want any part of the app to be accessible to an unauthenticated user.
services .AddAuthentication(o => { o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme; }) .AddWsFederation(o => { o.Wtrealm = "urn:sp.ProspectPortal"; o.MetadataAddress = "https://localhost:44311/metadata.xml"; o.Events.OnRedirectToIdentityProvider = ctx => { ctx.ProtocolMessage.Wct = DateTimeOffset.UtcNow.ToString(); return Task.CompletedTask; }; }) .AddCookie(); If the user cancels the authentication, then the remote authenticator redirects to the default WsFederationOptions.CallbackPath, which is /signin-wsfed. It displays the following exception
System.Exception: An error was encountered while handling the remote login. ---> System.Exception: No message. --- End of inner exception stack trace --- at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync() at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context) I know an issue with my IdP is causing this exception.
For now, in order to automatically challenge the user for authentication again and to not show the exception, I added this to the ws-fed configuration.
o.Events.OnRemoteFailure = ctx => { ctx.Response.Redirect("/Index"); //requires authentication ctx.HandleResponse(); return Task.CompletedTask; }; Is this the best way to redirect on failure? Is this the best way to challenge authentication again? See any issues with this?