404 response when not authenticated/authorized

[sicollins]

As taken from the points raised in the comments here https://stormpath.com/blog/token-authentication-asp-net-core

If you try to make a request with in invalid or expired token the response you get is a 404 not found instead of a 403 Unauthorized.

I can get the code in your repo to do the same.
If you set up in POSTman to
POST /api/values/123

In headers set:
Auhtorazation = Bearer +

You get a 404 not found.

In the output window I can see:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__1.MoveNext()

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:2444/Account/Login?ReturnUrl=%2Fapi%2Fvalues%2F123

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Bearer was not authenticated. Failure message: IDX10703: Unable to decode the 'header': 'eyJhbGciOiJIUzI1NiIsInR5cDI6IkpXVCJ9' as Base64url encoded string. jwtEncodedString: 'the invalid token'.

The 404 is a result of something, I'm guessing either one of these:
AspNetCore.Authentication.Cookies
AspNetCore.Authentication.JwtBearer
trying to redirect to /Account/Login which doesn't actually exist

[PeppeL-G]

I think your guess is correct. I disabled this behavior by adding the following code in Startup.ConfigureServices:

services.Configure<IdentityOptions>(o => {
    o.Cookies.ApplicationCookie.AutomaticChallenge = false;
});

[nbarbettini]

Good catch. It definitely should respond with 401, not 404.

I'll happily accept a PR unless I get to it first. 😄

[piotrek-k]

@PeppeL-G I'm afraid it doesn't work for me. What is exactly AutomaticChallenge and how it would fix this problem? Maybe creating a pull request fixing this in project is a good idea?

[PeppeL-G]

@piotrek-k, it's poorly documented, but I assume it means redirecting 401 responses (Not Authorized) to a login page (and if that login page doesn't exists, it returns a 404 (Not Found) instead). I imagine setting it to false will prevent this behavior.

I think you need to set it to false both in the code I posted before and in your TokenValidationParameters you use in JwtBearerOptions.

[piotrek-k]

I've changed AutomaticChallenge to false in both UseJwtBearerAuthentication and UseCookieAuthentication and when I test it in some http client (like Postman) it works.
I also wanted to test if this work when I use cookies for storing token. I created cookie called access_token with value eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJURVNUIiwianRpIjoiYThmNDQyN2UtMzkzMy00MDBkLTg3ZmQtODlkMWZiZDA1NzQ5IiwiaWF0IjoxNDcyNDYzMTAzLCJuYmYiOjE0NzI0NjMxMDMsImV4cCI6MTQ3MjQ2MzQwMywiaXNzIjoiRXhhbXBsZUlzc3VlciIsImF1ZCI6IkV4YW1wbGVBdWRpZW5jZSJ9.xhuq5vlCuFBCsO2SV_PZEhtUj9sndIx7o0oELhfyb_k. It didn't work, it says 401 unauthorized.

Is it me testing it wrong way, or something something is wrong with code?

Maybe @nbarbettini will know something.

[PeppeL-G]

Oh, I only needed to support the header version, so I've never tested cookies. I'm afraid I cant help you with that.