Invalid Issuer should respond with 500 instead of 401 in dotnet 8 Microsoft.AspNetCore.Authentication.JwtBearer #53692

@ShineSmile

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Microsoft.AspNetCore.Authentication.JwtBearer version 8.0.1

Invalid Issuer should respond with 500 instead of 401 as before. Invalid Issuer is a server-side issue. Responding with 401 and adding comments in the header may confuse client-side users who send requests with a valid token.

Expected Behavior

Invalid Issuer is a service-side issue, so a 500 response is expected. The server losing its token validation function does not mean the user's credentials are incorrect.

Steps To Reproduce

    builder.Services.AddAuthentication("Bearer")
        .AddJwtBearer("Bearer", config =>
        {
            config.Authority = "https://authority.host";
            config.Audience = "audience-here";

            config.SaveToken = true;
        });

Set up a Web API project and send a request with a valid token. Disconnect all network connections to the Authority.
I have tested 3.1, 6, 7, 8 and the 401 response code was received only in dotnet 8.

Exceptions (if any)

No response

.NET Version

8.0.101

Anything else?

No response
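
One server-side way to keep "the authority is unreachable" apart from "the token is bad", as an added example that is not part of the original issue or of the ASP.NET Core code base. It assumes the rejection goes through the normal challenge path and that the configuration manager throws when no metadata has ever been fetched; the 503 status, the Retry-After value and the `/secure` endpoint are choices made for this sketch. The request is still rejected either way, so the API keeps failing closed.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", config =>
    {
        config.Authority = "https://authority.host";
        config.Audience = "audience-here";
        config.SaveToken = true;

        config.Events = new JwtBearerEvents
        {
            OnChallenge = async context =>
            {
                // No token validation failure: let the default 401 challenge run.
                if (context.AuthenticateFailure is null || context.Options.ConfigurationManager is null)
                {
                    return;
                }

                try
                {
                    // Assumption: this throws when the authority metadata cannot be
                    // retrieved and nothing is cached; otherwise it returns quickly.
                    await context.Options.ConfigurationManager
                        .GetConfigurationAsync(context.HttpContext.RequestAborted);
                }
                catch (Exception) when (!context.HttpContext.RequestAborted.IsCancellationRequested)
                {
                    // The server could not validate the token at all. Reject the
                    // request, but report a server-side fault instead of 401.
                    context.HandleResponse();
                    context.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
                    context.Response.Headers["Retry-After"] = "30";
                }
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Hypothetical protected endpoint used to exercise the handler.
app.MapGet("/secure", () => "ok").RequireAuthorization();
app.Run();
```

If the metadata was fetched successfully earlier, the cached copy is returned and a failing token still receives the ordinary 401.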

Labels: area-security, bug