.Net 8 authorization custom response for not authenticated requests

[sharpzilla]

I have a simple cookie-based authentication system and a global fallback authorization handler. How do I handle scenarios where the user hasn't authenticated (e.g., due to an expired or corrupted cookie, or simply failing authentication)?

The framework provides us with AuthenticateResult (Microsoft.AspNetCore.Authentication.Cookies.AuthenticateResult), and I need to process this result to return a 401 response code to the frontend along with a custom body DTO. The content of the response body is crucial for the frontend.

As far as I understand, when I call httpContext.AuthenticateAsync in the AuthorizationHandler, the authentication process is executed again. However, this seems to be the only way to obtain the authentication result.

I want to achieve a behavior where, if authentication fails, my custom authorization handler is not triggered and specific dto returned.

I also don't understand how to pass Authorization Failure Reason into the Fail method of AuthorizationHandlerContext if the user isn't authenticated. I want to create typed failure reasons, but when the user doesn't pass the authentication policy, the Requirements in GlobalAuthorizationMiddlewareResultHandler is null. Is this possible, or am I doing something wrong?

P.S. My controllers do not have the [Authorize] attribute. I need a behavior where all endpoints in all controllers use the same authentication schema, which is why I'm using a fallback authorization policy.

Program.cs:

services.AddSingleton<IConfigureOptions<CookieAuthenticationOptions>, ConfigureCookieAuthenticationOptions>();
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
  .AddCookie();

services.AddAuthorizationBuilder()
  .SetFallbackPolicy(new AuthorizationPolicyBuilder()
    .AddRequirements(new GlobalAuthorizationRequirement())
    .Build());

services.AddScoped<IAuthorizationHandler, GlobalAuthorizationHandler>();
services.AddScoped<IAuthorizationMiddlewareResultHandler, GlobalAuthorizationMiddlewareResultHandler>();

ConfigureCookieAuthenticationOptions.cs:

internal class ConfigureCookieAuthenticationOptions : IConfigureNamedOptions<CookieAuthenticationOptions>
{
    private readonly string _corsOrigin;

    public ConfigureCookieAuthenticationOptions(IOptions<CorsConfig> corsConfig)
    {
        _corsOrigin = corsConfig.Value.Origin;
    }

    public void Configure(string name, CookieAuthenticationOptions options)
    {
        if (name is CookieAuthenticationDefaults.AuthenticationScheme)
        {
            options.SlidingExpiration = true;
            options.Cookie.IsEssential = true;
            options.Cookie.HttpOnly = true;

            if (_corsOrigin == "*")
            {
                options.Cookie.SameSite = SameSiteMode.None;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            }

            options.Events.OnCheckSlidingExpiration = SlidingExpirationCheck;
            options.Validate();
        }
    }

    public void Configure(CookieAuthenticationOptions options)
        => Configure(Options.DefaultName, options);

    static Task SlidingExpirationCheck(CookieSlidingExpirationContext context)
    {
        context.ShouldRenew = context.ElapsedTime > (context.Options.ExpireTimeSpan / 4);
        return Task.CompletedTask;
    }
}

GlobalAuthorizationHandler.cs

internal sealed class GlobalAuthorizationHandler : AuthorizationHandler<GlobalAuthorizationRequirement>
{
    private readonly IAuthManagerCache _authManagerCache;

    public GlobalAuthorizationHandler(IAuthManagerCache authManagerCache)
    {
        _authManagerCache = authManagerCache;
    }

    protected sealed override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        GlobalAuthorizationRequirement requirement)
    {
        var httpContext = context.Resource as HttpContext;

        if (!httpContext.User.Identity.IsAuthenticated)
        {
            var result = await httpContext.AuthenticateAsync();

            if (!result.Succeeded && result.Failure is not null)
            {
                if (result.Failure.Message.Equals("Unprotect ticket failed", StringComparison.OrdinalIgnoreCase))
                {
                    requirement.UnauthorizedReason = UnauthorizedReason.BadTicket;
                    context.Fail();
                    return;
                }
                else if (result.Failure.Message.Equals("Ticket expired", StringComparison.OrdinalIgnoreCase))
                {
                    requirement.UnauthorizedReason = UnauthorizedReason.SessionExpiredByTime;
                    context.Fail();
                    return;
                }
            }

            context.Fail();
            return;
        }

        //other authorization logic
        context.Succeed(requirement);
        return;
    }
}

GlobalAuthorizationMiddlewareResultHandler.cs

public class GlobalAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public async Task HandleAsync(
        RequestDelegate next,
        HttpContext context,
        AuthorizationPolicy policy,
        PolicyAuthorizationResult authorizeResult)
    {
        if (authorizeResult.Succeeded)
        {
            await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
            return;
        }

        var cancellationToken = context.RequestAborted;
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        var globalAuthorizationRequirement = policy.Requirements.OfType<GlobalAuthorizationRequirement>().FirstOrDefault();

        if (globalAuthorizationRequirement is not null)
        {
            await context.SignOutAsync();
            response = new AuthorizationResponse
            {
                Reason = globalAuthorizationRequirement.UnauthorizedReason.ToString()
            }; 

            await context.Response.WriteAsJsonAsync(response, cancellationToken);
            return;
        }
    }

    private sealed record AuthorizationResponse
    {
        public required string Reason { get; init; }
    }
}