Custom AuthorizationHandler HandleRequirementAsync when context fails HC returns AUTH_NOT_AUTHENTICATED instead of AUTH_NOT_AUTHORIZED
cli00004 opened this issue · 2 comments
Product
Hot Chocolate
Version
14
Link to minimal reproduction
na
Steps to reproduce
I have a custom authorization handler, and in HandleRequirementAsync I have my custom authorization logic. When authorization fails, context.Fail() is called, the standard ASP.NET process for handling an authorization policy requirement. But when this happens, Hot Chocolate gives the AUTH_NOT_AUTHENTICATED error code instead of AUTH_NOT_AUTHORIZED; in HC 13 it was returning AUTH_NOT_AUTHORIZED. This is about authorization, not authentication: the user is already authenticated, but the role does not pass the authorization policy to access the info. Does it sound like a bug, or is it by design?
What is expected?
AUTH_NOT_AUTHORIZED should be returned when the AuthorizationHandler fails the authorization check, i.e. revert back to the behaviour in HC 13.
What is actually happening?
I have a custom authorization handler, and in HandleRequirementAsync I have my custom authorization logic. When authorization fails, context.Fail() is called, the standard ASP.NET process for handling an authorization policy requirement. But when this happens, Hot Chocolate gives the AUTH_NOT_AUTHENTICATED error code instead of AUTH_NOT_AUTHORIZED; in HC 13 it was returning AUTH_NOT_AUTHORIZED. This is about authorization, not authentication: the user is already authenticated, but the role does not pass the authorization policy to access the info. Does it sound like a bug, or is it by design?
Relevant log output
Additional context
No response
We need a repro for this.
Here's the handler:

    using System.Threading.Tasks;
    using HotChocolate.Resolvers;
    using Microsoft.AspNetCore.Authorization;

    // Requirement type referenced by the handler (its definition was not shown in the original post).
    public class OpaRequirement : IAuthorizationRequirement { }

    public class GraphQlAuthorizationHandler : AuthorizationHandler<OpaRequirement, IResolverContext>
    {
        protected override Task HandleRequirementAsync(
            AuthorizationHandlerContext context,
            OpaRequirement requirement,
            IResolverContext resource)
        {
            // Placeholder for the custom authorization logic described in the issue.
            bool someCustomAuthorisationCheck = false;

            if (someCustomAuthorisationCheck)
                context.Succeed(requirement); // OpaRequirement already implements IAuthorizationRequirement; no cast needed
            else
                context.Fail(); // the authenticated user does not satisfy the policy

            // Nothing is awaited here, so return a completed task rather than an async method with no await.
            return Task.CompletedTask;
        }
    }
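To make the reporter's distinction concrete (the user is authenticated, and it is the policy requirement that fails), here is an added stand-alone example that is not part of the issue or of Hot Chocolate. It runs a handler directly against an AuthorizationHandlerContext built from a constructed ClaimsPrincipal; RoleGateRequirement, RoleGateHandler, the "TestScheme" authentication type and the role names are assumptions, and it needs only the Microsoft.AspNetCore.Authorization package.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical requirement standing in for the reporter's OpaRequirement.
public sealed class RoleGateRequirement : IAuthorizationRequirement
{
    public string RequiredRole { get; }
    public RoleGateRequirement(string requiredRole) => RequiredRole = requiredRole;
}

// Handler that fails the requirement when the (already authenticated) user lacks the role.
public sealed class RoleGateHandler : AuthorizationHandler<RoleGateRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, RoleGateRequirement requirement)
    {
        if (context.User.IsInRole(requirement.RequiredRole))
            context.Succeed(requirement);
        else
            context.Fail();
        return Task.CompletedTask;
    }
}

public static class Program
{
    // Returns (isAuthenticated, hasFailed) so the two conditions can be inspected separately.
    public static async Task<(bool IsAuthenticated, bool HasFailed)> Evaluate(string userRole, string requiredRole)
    {
        // Constructed principal: giving ClaimsIdentity an authenticationType makes IsAuthenticated true.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice"), new Claim(ClaimTypes.Role, userRole) },
            authenticationType: "TestScheme");
        var user = new ClaimsPrincipal(identity);
        var requirement = new RoleGateRequirement(requiredRole);
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);

        await new RoleGateHandler().HandleAsync(context);
        return (user.Identity?.IsAuthenticated ?? false, context.HasFailed);
    }

    public static async Task Main()
    {
        var (authenticated, failed) = await Evaluate(userRole: "reader", requiredRole: "admin");
        // Expected: authenticated=True failed=True, i.e. an authenticated user rejected by the policy,
        // which is the "not authorized" case the issue describes, not a "not authenticated" one.
        System.Console.WriteLine($"authenticated={authenticated} failed={failed}");
    }
}
```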