ChilliCream/graphql-platform

Custom AuthorizationHandler HandleRequirementAsync when context fails HC returns AUTH_NOT_AUTHENTICATED instead of AUTH_NOT_AUTHORIZED

cli00004 opened this issue · 2 comments

Product

Hot Chocolate

Version

14

Link to minimal reproduction

na

Steps to reproduce

I have a custom Authorization handler, and in HandleRequirementAsync I have my custom authorization logic. When authorization fails, context.Fail() is called, the standard ASP.NET process for handling an authorization policy requirement. But when this happens, Hot Chocolate gives AUTH_NOT_AUTHENTICATED instead of the AUTH_NOT_AUTHORIZED error code; in HC 13 it returned AUTH_NOT_AUTHORIZED. This is about authorization, not authentication: the user is already authenticated, but the role does not pass the authorization policy to access the info. Does it sound like a bug or is it by design?

What is expected?

AUTH_NOT_AUTHORIZED should be returned when the AuthorizationHandler fails the authorization check, i.e. revert to the behaviour in HC 13.

What is actually happening?

I have a custom Authorization handler, and in HandleRequirementAsync I have my custom authorization logic. When authorization fails, context.Fail() is called, the standard ASP.NET process for handling an authorization policy requirement. But when this happens, Hot Chocolate gives AUTH_NOT_AUTHENTICATED instead of the AUTH_NOT_AUTHORIZED error code; in HC 13 it returned AUTH_NOT_AUTHORIZED. This is about authorization, not authentication: the user is already authenticated, but the role does not pass the authorization policy to access the info. Does it sound like a bug or is it by design?

Relevant log output

Additional context

No response

We need a repro for this.

Here's the handler:

using System.Threading.Tasks;
using HotChocolate.Resolvers;
using Microsoft.AspNetCore.Authorization;

// OpaRequirement is the poster's own IAuthorizationRequirement type; its definition is not shown in the issue.
public class GraphQlAuthorizationHandler : AuthorizationHandler<OpaRequirement, IResolverContext>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OpaRequirement requirement,
        IResolverContext resource)
    {
        // Placeholder for the poster's custom authorization decision, which the issue does not show.
        bool someCustomAuthorisationCheck = false;

        if (someCustomAuthorisationCheck)
            context.Succeed(requirement);   // OpaRequirement already implements IAuthorizationRequirement, so no cast is needed
        else
            context.Fail();                 // standard ASP.NET Core way to veto the policy requirement

        return Task.CompletedTask;          // nothing is awaited, so return a completed task instead of marking the method async
    }
}
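The following is an added example, not code from the poster or from the Hot Chocolate project. It isolates the ASP.NET Core side of the question: it runs a handler of the same shape as the one above through IAuthorizationService and prints what the caller (in the real setup, Hot Chocolate) gets back for an authenticated-but-denied user, an admin, and an anonymous user. The requirement type name OpaRequirement is kept from the issue; the handler name OpaHandler, the policy name "opa", the "admin" role rule and the three principals are constructed for the example. The resource is a plain object rather than IResolverContext so the program runs without Hot Chocolate; it needs only the Microsoft.AspNetCore.Authorization and Microsoft.Extensions.DependencyInjection packages.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement type, standing in for the poster's OpaRequirement.
public sealed class OpaRequirement : IAuthorizationRequirement { }

// Handler in the same shape as the poster's, with a plain object resource so it runs without Hot Chocolate.
// Constructed rule: only principals holding the "admin" role satisfy the requirement.
public sealed class OpaHandler : AuthorizationHandler<OpaRequirement, object>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, OpaRequirement requirement, object resource)
    {
        if (context.User.IsInRole("admin"))
            context.Succeed(requirement);
        else
            // A failure reason travels with the AuthorizationResult, so whoever maps the result to an
            // error code can see that this was a policy denial rather than a missing identity.
            context.Fail(new AuthorizationFailureReason(this, "authenticated user does not satisfy the OPA policy"));

        return Task.CompletedTask;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging(); // DefaultAuthorizationService needs an ILogger
        services.AddAuthorization(o => o.AddPolicy("opa", p => p.AddRequirements(new OpaRequirement())));
        services.AddSingleton<IAuthorizationHandler, OpaHandler>();
        var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        // Constructed principals. Passing an authentication type ("Test") is what makes IsAuthenticated true;
        // the anonymous identity has none, so IsAuthenticated is false.
        var authenticatedUser = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice"), new Claim(ClaimTypes.Role, "user") }, "Test"));
        var adminUser = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "bob"), new Claim(ClaimTypes.Role, "admin") }, "Test"));
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        var cases = new[]
        {
            ("authenticated non-admin", authenticatedUser),
            ("authenticated admin", adminUser),
            ("anonymous", anonymous),
        };

        foreach (var (label, user) in cases)
        {
            var result = await authz.AuthorizeAsync(user, resource: new object(), policyName: "opa");
            var reasons = result.Failure?.FailureReasons.Select(r => r.Message) ?? Array.Empty<string>();

            // Both denied cases report FailCalled == true; only IsAuthenticated tells them apart.
            Console.WriteLine(
                $"{label}: IsAuthenticated={user.Identity?.IsAuthenticated}, " +
                $"Succeeded={result.Succeeded}, FailCalled={result.Failure?.FailCalled}, " +
                $"Reasons=[{string.Join("; ", reasons)}]");
        }
    }
}
```

The point the output makes is that ASP.NET Core's authorization result does not itself carry an "unauthenticated" versus "unauthorized" distinction: context.Fail() produces the same AuthorizationFailure for the anonymous principal and for the authenticated non-admin, and the only thing separating them is the principal's IsAuthenticated flag. When checking a case like the one reported above, log context.User.Identity?.IsAuthenticated inside the handler first: if it is false there, an AUTH_NOT_AUTHENTICATED code would be correct and the problem is in how the principal reaches the GraphQL layer, not in the error-code mapping.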