Triage for dotnet/runtime#115938 by antonfirsov #1087

@MihuBot

Triage for dotnet/runtime#115938.
Last updated: 2025-05-23_12-06-43

Distributed tracing and metrics are not emitted on redirects with custom ICredentials by antonfirsov
[Tool] Searching for redirects custom ICredentials tracing metrics, RedirectHandler disables MetricsHandler DiagnosticsHandler, SocketsHttpHandler redirects handler chain, ICredentials redirect tracing, HttpConnectionHandler RedirectHandler metrics diagnostics
[Tool] Found 32 issues, 74 comments, 42 returned results (7784 ms)
[Tool] Obtained 8 comments for issue #89300: HttpClient - Kerberos authentication fails after a redirect
[Tool] Obtained 4 comments for issue #34967: WebClient Negotiate DefaultCredentials not handled on redirect
[Tool] Obtained 4 comments for issue #40777: HttpHandlerDiagnosticListener does not send second chain of events if the request was autoredirected on netfx in W3C mode
[Tool] Obtained 20 comments for issue #31261: Customized SocketsHttpHandler does not support diagnostics tracking

Here are related issues and discussions relevant to #115938 ("Distributed tracing and metrics are not emitted on redirects with custom ICredentials"):


1. Issue #89300 - HttpClient - Kerberos authentication fails after a redirect

Summary:

  • Users report that after an HTTP-to-HTTPS redirect, authentication (Kerberos/Negotiate) fails, even when UseDefaultCredentials = true is set.
  • The workaround is to disable automatic redirection and handle it manually, or to use a CredentialCache with the final URI.
  • The root cause is that .NET Core/.NET drops credentials on any redirect, while .NET Framework only drops them when the authority changes.
  • There is a breaking change between .NET Framework and .NET Core/.NET, and the only workaround is to pre-populate the credential cache with the redirected URI, which defeats the purpose of redirection.
  • The discussion includes security concerns about sending credentials over HTTP and the lack of a good rollback to the old behavior.
  • The issue is acknowledged as a pain point for migration and infrastructure upgrade scenarios.

2. Issue #34967 - WebClient Negotiate DefaultCredentials not handled on redirect

Summary:

  • Reports that .NET Core 3.1 drops NTLM credentials on any redirect, while .NET Framework only drops them when the authority changes.
  • The workaround is to use a CredentialCache and add credentials for the specific URI.
  • The difference in behavior is acknowledged as an app-compat issue, and there was a suggestion to fix it for easier migration from .NET Framework.
  • Ultimately, due to low customer impact and available workarounds, the issue was moved to the "Future" milestone.

3. Issue #40777 - HttpHandlerDiagnosticListener does not send second chain of events if the request was autoredirected on netfx in W3C mode

Summary:

  • Discusses how distributed tracing events are emitted for requests that are auto-redirected.
  • The original problem was that DiagnosticsHandler could not intercept redirects because it was not at the start of the handler chain.
  • This was fixed in .NET 6.0 by moving DiagnosticsHandler to the start of the chain, so that redirects are properly instrumented and traced.
  • This change means that, as of .NET 6.0, automatic redirects should be visible to distributed tracing and metrics, provided the handler chain is not bypassed.

4. Issue #31261 - Customized SocketsHttpHandler does not support diagnostics tracking

Summary:

  • If you use a custom SocketsHttpHandler (e.g., to tweak connection settings), you lose the automatic wrapping of DiagnosticsHandler (and thus distributed tracing/metrics).
  • The default HttpClientHandler wraps the handler chain with DiagnosticsHandler, but if you build your own chain, you must add it yourself (which is not public).
  • There are workarounds using reflection, but this is not ideal.
  • The issue led to changes in .NET 6.0 to better support distributed tracing and metrics even with custom handlers, but the problem can still occur if the handler chain is not constructed correctly.

Key Takeaways for Issue #115938

  • The root cause of distributed tracing and metrics not being emitted on redirects with custom ICredentials is that, in certain code paths (notably when ICredentials is not a CredentialCache), the handler chain is rebuilt and may bypass DiagnosticsHandler and MetricsHandler.
  • This is a known limitation and has been discussed in the context of both authentication and diagnostics/tracing.
  • The workaround is to use a CredentialCache and pre-populate it with the expected URIs, but this is not always practical.
  • There is a broader, long-standing issue with how credentials and handler chains interact with redirects, especially when custom handlers or credentials are used.
  • Recent versions of .NET (6.0+) have improved the situation for diagnostics/tracing by ensuring DiagnosticsHandler is at the start of the chain, but the credential/redirect interaction remains a pain point.

Related but less directly relevant:

  • #15322: Linux not passing credentials in cache during redirect.
  • #17545: NTLM credentials not sent when multiple WWW-Authenticate headers.
  • #32026: Suppressing follow redirect for a single request.
  • #86961: API proposal for passing Meter to handlers (metrics extensibility).

If you need more details on any of these issues or want to see the full discussion for a specific one, let me know!
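
The CredentialCache workaround that the summaries above mention, shown as an added C# example (not code from MihuBot, the linked issues or dotnet/runtime). The host names are hypothetical placeholders, and the credential is scoped to the HTTPS redirect target only, in line with the concern about sending credentials over HTTP.

```csharp
using System;
using System.Net;
using System.Net.Http;

class CredentialCacheRedirectExample
{
    static void Main()
    {
        // Hypothetical hosts (assumption): the first URI redirects to the second.
        var initialUri = new Uri("http://app.corp.example/");
        var redirectedUri = new Uri("https://app.corp.example/");

        // Scope the credential to the HTTPS redirect target and a single
        // authentication scheme instead of handing the handler a bare ICredentials.
        var cache = new CredentialCache();
        cache.Add(redirectedUri, "Negotiate", CredentialCache.DefaultNetworkCredentials);

        // CredentialCache matches on URI prefix and authentication scheme, so the
        // plain-HTTP origin, an unrelated host and a different scheme are not
        // covered by the entry added above.
        Console.WriteLine(Describe(cache, redirectedUri, "Negotiate"));
        Console.WriteLine(Describe(cache, new Uri(redirectedUri, "/api/v1"), "Negotiate"));
        Console.WriteLine(Describe(cache, initialUri, "Negotiate"));
        Console.WriteLine(Describe(cache, new Uri("https://other.example/"), "Negotiate"));
        Console.WriteLine(Describe(cache, redirectedUri, "Basic"));

        // Automatic redirects stay enabled; the handler receives the cache as its
        // Credentials, which is the configuration the workaround describes.
        using var handler = new SocketsHttpHandler
        {
            AllowAutoRedirect = true,
            Credentials = cache
        };
        using var client = new HttpClient(handler);
        // A request such as client.GetAsync(initialUri) would be sent from here;
        // it is left out so the example runs without network access.
    }

    // Reports whether the cache would supply a credential for this URI and scheme.
    static string Describe(CredentialCache cache, Uri uri, string authType) =>
        $"{authType} {uri}: " +
        (cache.GetCredential(uri, authType) is null ? "no credential" : "credential available");
}
```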
