Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
I have a class library project that implements Certificate Authentication EXACTLY as it is described at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-8.0. Unfortunately, when my custom authentication handler returns context.Fail(message), it is ignored and certificate authentication passes based solely on basic certificate property and chain checks. I want to limit the specific certificates that can be used, so my custom authentication handler checks the certificate supplied against a list of valid certificates that can be authenticated. This is done by looking at the subject and issuer combination. The logic in my handler is flawless. The problem is that the caller is not respecting the failure status I am sending back.
Expected Behavior
When context.Fail("Failure reason") is called (with a null Principal), then I expect access to the authenticating API to be denied completely.
Steps To Reproduce
I have a GitHub public repository at https://github.com/matthew-hamilton-sedgwick/Corp.Solution.CertificateAuthentication with an example API and web application. The validation service is currently set to always return false, so context.Fail("Failure reason") will always get called, not that it makes a difference. I have written this issue out over twenty times with not a single response except to write it over again somewhere else. Lol. Hopefully it actually gets some attention here because this is a big security flaw for us and .NET. Thank you!
Exceptions (if any)
No exceptions encountered.
.NET Version
8.0.410
Anything else?
ASP.NET Core versions 6-8 currently experience the issue. 9.0 and 10.0 may also be affected. I have not tested them.
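The setup the report describes, written out as an added example for readers of this issue; it is not code from the reporter's repository or from the ASP.NET Core docs. It assumes a minimal-API project using the Web SDK with implicit usings and the Microsoft.AspNetCore.Authentication.Certificate package, and the allowlist entries and endpoint paths are placeholder values. The allowlist is keyed on the exact (Subject, Issuer) pair, and any certificate that passes the built-in chain checks but is not on the list gets context.Fail with no principal set.

```csharp
// Added example, not the reporter's code. Assumes a Web SDK project with
// implicit usings and the Microsoft.AspNetCore.Authentication.Certificate package.
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Kestrel must request a client certificate, or the handler never sees one.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate);
});

// Allowlist of (Subject, Issuer) pairs. Values are placeholders; the strings
// must match X509Certificate2.Subject / .Issuer exactly as .NET renders them.
var allowed = new HashSet<(string Subject, string Issuer)>
{
    ("CN=client-a, O=Example Corp", "CN=Example Corp Issuing CA, O=Example Corp"),
};

builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // Built-in checks run first: chain to a trusted root, revocation, etc.
        options.AllowedCertificateTypes = CertificateTypes.Chained;
        options.RevocationMode = X509RevocationMode.Online;

        options.Events = new CertificateAuthenticationEvents
        {
            // Called only after the built-in checks passed.
            OnCertificateValidated = context =>
            {
                var cert = context.ClientCertificate;

                if (!allowed.Contains((cert.Subject, cert.Issuer)))
                {
                    // No principal is assigned; the reason is logged by the handler.
                    context.Fail($"Certificate {cert.Thumbprint} is not on the allowlist.");
                    return Task.CompletedTask;
                }

                var claims = new[]
                {
                    new Claim(ClaimTypes.NameIdentifier, cert.Thumbprint,
                              ClaimValueTypes.String, context.Options.ClaimsIssuer),
                    new Claim(ClaimTypes.Name, cert.Subject,
                              ClaimValueTypes.String, context.Options.ClaimsIssuer),
                };
                context.Principal = new ClaimsPrincipal(
                    new ClaimsIdentity(claims, context.Scheme.Name));
                context.Success();
                return Task.CompletedTask;
            },
            // Built-in validation threw (bad chain, revoked, wrong type, ...).
            OnAuthenticationFailed = context =>
            {
                context.Fail(context.Exception);
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// A failed authentication result only denies access on endpoints that
// require authorization; an unprotected endpoint still answers.
app.MapGet("/secure", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization();
app.MapGet("/public", () => "no certificate check applies here");

app.Run();
```

When testing a setup like this, hit an endpoint that carries RequireAuthorization (or [Authorize]) rather than an unprotected one, and make sure no other authentication scheme is registered as the default, since a second scheme can issue a principal even when the certificate handler failed. Subject plus issuer is a reasonable allowlist key only when the issuer is a CA you control; if the CA can issue the same subject to more than one party, pin the thumbprint instead.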