
API Certificate Authentication Does Not Respect context.Fail("Failure reason"), always returns success.

Open · matthew-hamilton-sedgwick opened this issue (dotnet/aspnetcore#62318) 5 months ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Describe the bug

I have a class library project that implements Certificate Authentication EXACTLY as it is described at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-8.0. Unfortunately, when my custom authentication handler returns context.Fail(message), it is ignored and certificate authentication passes based solely on basic certificate property and chain checks. I want to limit the specific certificates that can be used, so my custom authentication handler checks the certificate supplied against a list of valid certificates that can be authenticated. This is done by looking at the subject and issuer combination. The logic in my handler is flawless. The problem is that the caller is not respecting the failure status I am sending back.

Expected Behavior

When context.Fail("Failure reason") is called (with a null Principal), then I expect access to the authenticating API to be denied completely.

Steps To Reproduce

I have a GitHub public repository at https://github.com/matthew-hamilton-sedgwick/Corp.Solution.CertificateAuthentication with an example API and web application. The validation service is currently set to always return false, so context.Fail("Failure reason") will always get called, not that it makes a difference. I have written this issue out over twenty times with not a single response except to write it over again somewhere else. Lol. Hopefully it actually gets some attention here because this is a big security flaw for us and .NET. Thank you!

Exceptions (if any)

No exceptions encountered.

.NET Version

8.0.410

Anything else?

ASP.NET Core versions 6-8 currently experience the issue. 9.0 and 10.0 may also be affected. I have not tested them.

Thanks for reaching out, @matthew-hamilton-sedgwick.

Are you expecting all requests to require authorization? If so, could you please try setting a fallback policy as shown in the docs on configuring a fallback policy (https://learn.microsoft.com/aspnet/core/security/authorization/secure-data?view=aspnetcore-9.0#require-authenticated-users) and let us know if this helps resolve the issue?

MackinnonBuck · Jun 16 '25 16:06

Adding the fallback policy for authorization fixed my issue! I always get confused about this being an authorization concern rather than an authentication concern. Thank you!

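An added example (not code from the linked repository, the docs, or the maintainers) of the pattern this thread is about: an OnCertificateValidated handler that calls context.Fail for certificates outside a subject/issuer allow list, together with the FallbackPolicy that makes that failure actually deny requests to endpoints carrying no [Authorize]. It assumes the Microsoft.AspNetCore.Authentication.Certificate package and Kestrel configured to request client certificates as in the linked docs; the allow-list entries are constructed sample values.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                if (AllowedCertificates.IsAllowed(context.ClientCertificate))
                {
                    // The handler has already populated context.Principal from the certificate.
                    context.Success();
                }
                else
                {
                    // Authentication fails, but on its own that does not block the request:
                    // an endpoint with no authorization requirement is still served.
                    context.Fail("Certificate is not on the allow list");
                }
                return Task.CompletedTask;
            }
        };
    });

// The fix from this thread: a fallback policy makes every endpoint that declares no
// policy of its own require an authenticated user, so a failed handler now yields 401/403.
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser().Build());

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/ping", () => "pong");   // no [Authorize]; the fallback policy still applies
app.Run();

// Allow list keyed on subject + issuer, as the issue describes (constructed sample values).
static class AllowedCertificates
{
    private static readonly HashSet<(string Subject, string Issuer)> Allowed = new()
    {
        ("CN=client.example.test", "CN=Example Internal CA"),
    };
    public static bool IsAllowed(X509Certificate2 cert) => Allowed.Contains((cert.Subject, cert.Issuer));
}
```

Without the AddAuthorization block, a request to /api/ping with a certificate that is not on the list still returns "pong" because no authorization requirement is ever evaluated.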

Great, glad you got it working!

MackinnonBuck · Jun 23 '25 16:06