c# - 我是否必须检查 ApplyResponseChallengeAsync 中的响应状态？

Question

我写了一个相当基础的 AuthenticationHandler<T> 用于为我的 REST 服务执行自定义身份验证的派生类。

我曾假设(是的，我知道，这是个坏主意) ApplyResponseChallengeAsync 只有当我真的需要应用我的挑战时才会被调用——例如它被描述为:

Override this method to dela(sic) with 401 challenge concerns, if an authentication scheme in question deals an authentication interaction as part of it's request flow. (like adding a response header, or changing the 401 result to 302 of a login page or external sign-in location.)

在我看来，只有在发出 401 时才会调用它。但是，在一些有限的测试中，我们发现了一些异常情况，如下所示:

System.Web.HttpException (0x80004005): Server cannot append header after HTTP headers have been sent.
at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
at Microsoft.Owin.Host.SystemWeb.CallHeaders.AspNetResponseHeaders.Set(String key, String[] values)
at Microsoft.Owin.Infrastructure.OwinHelpers.AppendHeader(IDictionary`2 headers, String key, String values)
at OurAuthHandler.ApplyResponseChallengeAsync()
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<ApplyResponseCoreAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<TeardownAsync>d__5.MoveNext()
--- And so on

因此，为了对此进行调查，我稍微更改了我们方法中的代码，以便我可以使用调试器来检查发生此异常的情况:

protected override Task ApplyResponseChallengeAsync()
{
    try
    {
        foreach (var uri in Options.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris)
        {
            Response.Headers.Append("WWW-Authenticate", "Bearer realm=\"" + uri + "\"");
        }
        return base.ApplyResponseChallengeAsync();
    }
    catch
    {
        throw; //Set a breakpoint here
    }
}

而且，你瞧，当我的断点被击中时，我看到 Response s 状态码为 200/OK。

问题

所以，问题是，我是否必须自己检查状态代码，是否有一些标志我必须在某处传递/设置以便仅在 401 时调用此方法，或者我是否遗漏了其他内容？

Answer 1

是的，你必须自己检查状态码。该文档具有误导性。

请注意 Katana project 中的每个现有 AuthenticationHandler还要检查状态代码:

public class OpenIdConnectAuthenticationHandler : AuthenticationHandler<OpenIdConnectAuthenticationOptions>
{
    ...
    protected override async Task ApplyResponseChallengeAsync()
    {
        if (Response.StatusCode == 401)
        {
            ....
        }
    }
    ...
}

---

internal class TwitterAuthenticationHandler : AuthenticationHandler<TwitterAuthenticationOptions>
{
    ...
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2202:Do not dispose objects multiple times", Justification = "MemoryStream.Dispose is idempotent")]
    protected override async Task ApplyResponseChallengeAsync()
    {
        if (Response.StatusCode != 401)
        {
            return;
        }
    }
    ...
}

---

public class WsFederationAuthenticationHandler : AuthenticationHandler<WsFederationAuthenticationOptions>
{
    ...
    protected override async Task ApplyResponseChallengeAsync()
    {
        if (Response.StatusCode == 401)
        {
            ...
        }
    }
    ...
}

我还检查了 Katana 项目的源代码:无法通过标志或其他方式更改此行为。