AuthenticationHandler error AuthenticationScheme: Bearer was forbidden

Question

I'm making a small service using ASP.NET Core. The first complicated thing I'm facing now is to authenticate an user into my system.

Let me introduce about my authentication flow:

+)Client -> call (api/account/authorize) -> System check whether client is valid or not -> Send token back to client as him/her is valid.

+) Client -> uses the obtained token -> requests to api/account/filter -> Service validates the token and throw the information back.

I've read some tutorials about JWT, but the response doesn't include enough information as I need. I want :

• Throw 401 and a message describes that status code , i.e: "ACCOUNT_DISABLED", "ACCOUNT_PENDING", "ACCOUNT_PERMISSION_INSUFFICIENT", ... not just 401.

Therfore, I implemented my own Authenticate validator:

public class BearerAuthenticationHandler : AuthenticationHandler<BearerAuthenticationOption>
{
    #region Properties

    /// <summary>
    /// Inject dependency service into the handler.
    /// </summary>
    private readonly JwtTokenSetting _encryptionSetting;

    /// <summary>
    /// Inject dependency service into the handler.
    /// </summary>
    private readonly IEncryptionService _encryptionService;

    /// <summary>
    /// Inject time service to handler.
    /// </summary>
    private readonly ITimeService _timeService;

    private readonly IRepositoryAccount _repositoryAccount;

    #endregion

    #region Constructors

    /// <summary>
    /// Initialize an instance of handler with specific dependency injections.
    /// </summary>
    /// <param name="encryptionSetting"></param>
    /// <param name="encryptionService"></param>
    /// <param name="timeService"></param>
    /// <param name="repositoryAccount"></param>
    public BearerAuthenticationHandler(JwtTokenSetting encryptionSetting, IEncryptionService encryptionService, ITimeService timeService, IRepositoryAccount repositoryAccount)
    {
        _encryptionSetting = encryptionSetting;
        _encryptionService = encryptionService;
        _timeService = timeService;
        _repositoryAccount = repositoryAccount;
    }

    #endregion

    #region Methods

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        #region Token analyzation

        // Find the authorization key in request.
        var authorizationKey =
            Request.Headers.Keys.FirstOrDefault(x => x.Equals("authorization", StringComparison.OrdinalIgnoreCase));

        // Authorization key is not found in the request.
        if (string.IsNullOrWhiteSpace(authorizationKey))
            return AuthenticateResult.Fail("No authorization is found in request header.");

        // Find the token in Authorization.
        var authorizationValue = Request.Headers[authorizationKey].ToString();

        // Authentication scheme prefix.
        var authenticationScheme = $"{Options.AuthenticationScheme} ";

        // No token has been specified.
        if (string.IsNullOrWhiteSpace(authorizationValue) || !authorizationValue.StartsWith(authenticationScheme, StringComparison.OrdinalIgnoreCase))
            return AuthenticateResult.Fail("No bearer token is found in request header.");

        // Cut the string to obtain bearer token.
        var accessToken = authorizationValue.Substring(authenticationScheme.Length);

        #endregion

        #region Token validation

        // Decrypt the token.
        var tokenDetailViewModel = _encryptionService.Decrypt<TokenDetailViewModel>(accessToken, _encryptionSetting.Key);

        // No detail has been found.
        if (tokenDetailViewModel == null)
        {
            InitializeHttpResponse(Response, HttpStatusCode.Unauthorized, new HttpResponseViewModel
            {
                Message = "TOKEN_INVALID"
            });

            return AuthenticateResult.Fail("Token is invalid");
        }

        // Find the current unix time on server.
        var unixTime = _timeService.UtcToUnix(DateTime.UtcNow);

        // Token is expired.
        if (unixTime > tokenDetailViewModel.Expire)
        {
            InitializeHttpResponse(Response, HttpStatusCode.Unauthorized, new HttpResponseViewModel
            {
                Message = "TOKEN_EXPIRED"
            });

            return AuthenticateResult.Fail("Token is expired");
        }

        // Account filter construction.
        var filterAccountViewModel = new FilterAccountViewModel
        {
            Email = tokenDetailViewModel.Email,
            EmailComparison = TextComparision.Equal,
            Password = tokenDetailViewModel.Password,
            PasswordComparision = TextComparision.EqualIgnoreCase,
            Statuses = new[] { AccountStatus.Active }
        };

        // Find the first condition statisfied account in the database.
        var account = await _repositoryAccount.FindAccountAsync(filterAccountViewModel);

        // Account cannot be found in the database.
        if (account == null)
        {
            InitializeHttpResponse(Response, HttpStatusCode.Unauthorized, new HttpResponseViewModel
            {
                Message = "ACCOUNT_INVALID"
            });
            return AuthenticateResult.Fail("Account is invalid");
        }

        #endregion

        var claimsIdentity = new ClaimsIdentity();
        claimsIdentity.AddClaim(new Claim(nameof(JwtClaim.Email), account.Email));
        claimsIdentity.AddClaim(new Claim(nameof(JwtClaim.Status), nameof(account.Status)));

        // Update user into context.
        var claimPrincipal = new ClaimsPrincipal(claimsIdentity);

        // Initialize an authentication ticket.
        var authenticationTicket = new AuthenticationTicket(claimPrincipal, new AuthenticationProperties
        {
            AllowRefresh = true,
            ExpiresUtc = DateTime.UtcNow.AddMinutes(30),
            IsPersistent = true,
            IssuedUtc = DateTime.UtcNow
        }, "Bearer");

        return AuthenticateResult.Success(authenticationTicket);
    }

    /// <summary>
    /// Initialize an application/json response.
    /// </summary>
    /// <param name="httpResponse"></param>
    /// <param name="httpStatusCode"></param>
    /// <param name="httpResponseViewModel"></param>
    private void InitializeHttpResponse(HttpResponse httpResponse, HttpStatusCode httpStatusCode, HttpResponseViewModel httpResponseViewModel)
    {
        // Response must be always application/json.
        httpResponse.ContentType = "application/json";
        httpResponse.StatusCode = (int)httpStatusCode;

        if (httpResponseViewModel == null)
            return;

        using (var streamWriter = new StreamWriter(httpResponse.Body))
        {
            streamWriter.AutoFlush = true;
            streamWriter.WriteLineAsync(JsonConvert.SerializeObject(httpResponseViewModel));
        }
    }

    #endregion
}

Here is my AccountController:

[Route("api/[controller]")]
public class AccountController : Controller
{
    private readonly IRepositoryAccount _repositoryAccount;

    private readonly IEncryptionService _encryptionService;

    private readonly ITimeService _timeService;

    private readonly JwtTokenSetting _jwtTokenSetting;

    public AccountController(IRepositoryAccount repositoryAccount, IEncryptionService encryptionService, ITimeService timeService,
        IOptions<JwtTokenSetting> jwtTokenSetting)
    {
        _repositoryAccount = repositoryAccount;
        _encryptionService = encryptionService;
        _timeService = timeService;
        _jwtTokenSetting = jwtTokenSetting.Value;
    }

    [HttpPost("authorize")]
    [AllowAnonymous]
    public async Task<IActionResult> Authorize([FromBody] LoginViewModel loginViewModel)
    {
        // Find the encrypted password of login information.
        var filterAccountViewModel = new FilterAccountViewModel();
        filterAccountViewModel.Email = loginViewModel.Email;
        filterAccountViewModel.EmailComparison = TextComparision.Equal;
        filterAccountViewModel.Password = _encryptionService.FindEncryptPassword(loginViewModel.Password);
        filterAccountViewModel.PasswordComparision = TextComparision.EqualIgnoreCase;
        filterAccountViewModel.Statuses = new[] {AccountStatus.Active};

        // Initialize HttpResponseViewModel.
        var httpResponseViewModel = new HttpResponseViewModel();

        // Find the account.
        var account = await _repositoryAccount.FindAccountAsync(filterAccountViewModel);

        // Account is not found.
        if (account == null)
        {
            Response.ContentType = "application/json";
            using (var streamWriter = new StreamWriter(Response.Body))
            {
                httpResponseViewModel.Message = "ACCOUNT_INVALID";
                await streamWriter.WriteLineAsync(JsonConvert.SerializeObject(httpResponseViewModel));
            }

            return new UnauthorizedResult();
        }

        // Initialize token detail.
        var tokenDetailViewModel = new TokenDetailViewModel
        {
            Email = loginViewModel.Email,
            Password = filterAccountViewModel.Password,
            Expire = _timeService.UtcToUnix(DateTime.UtcNow.AddSeconds(_jwtTokenSetting.Expire))
        };

        // Initialize token information and throw to client for their future use.
        var tokenGeneralViewModel = new TokenGeneralViewModel
        {
            AccessToken = _encryptionService.Encrypt(tokenDetailViewModel, _jwtTokenSetting.Key),
            Expire = _jwtTokenSetting.Expire
        };

        return Ok(tokenGeneralViewModel);
    }


    [HttpPost("filter")]
    [Authorize(ActiveAuthenticationSchemes = "Bearer")]
    public IEnumerable<string> FindAllAccounts()
    {
        Response.StatusCode = (int)HttpStatusCode.Accepted;
        return new[] { "1", "2", "3", "4" };
    }
}

When I use the token generated by api/account/authorize to access api/account/filter. An error was thrown to me :

AuthenticationScheme: Bearer was forbidden

Can anyone please tell me why ? Is my implementation the best approach or not ?

Thank you,

Answer 1

Is my implementation the best approach or not ?

I wouldn't do this as you implemented. Because(1 and 3 are just my opinions)

1. ACCOUNT_DISABLED, ACCOUNT_PENDING, ACCOUNT_PERMISSION_INSUFFICIENT this statuses doesn't mean that user has to retype its cridentials.
2. Even if i want to use 401 with a message, before creating my own handler implementation, i would consider using jwt bearer events. OnChallenge event seems good to do this(See this answer how to implement).
3. I think your requirement is related with authorization rather than authentication. So writing a policy would be better.

To use policy i don't know simple implementation, but here is my attempt:

Authorization Handler:

public class CheckUserRequirement : IAuthorizationRequirement
{
}
public class CheckUserAuthorizationHandler : AuthorizationHandler<CheckUserRequirement>
{
    private readonly IHttpContextAccessor _accessor;
    public SimpleAuthorizationHandler(IHttpContextAccessor accessor)
    {
        _accessor = accessor;
    }
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SimpleRequirement requirement)
    {
        if(account.isDisabled)
        {
           _accessor.HttpContext.Response.Headers.Add("error_code", "ACCOUNT_DISABLED");
        }
        //...
        context.Succeed(requirement);
    }
}  

ConfigureServices:

        services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        services.AddScoped<IAuthorizationHandler, CheckUserAuthorizationHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CheckUser", policy => { policy.AddRequirements(new CheckUserRequirement()); });
        });

And use it:

[Authorize(Policy = "CheckUser")]
public class SomeController 

Edit

I had suggested OnChallenge event, but i realized that it is not suitable for your case. See my another answer