Return the auth challenge in the WWW-Authenticate header on authentication failure

Author: KeesV

src/Ocelot/Authentication/Middleware/AuthenticationMiddleware.cs

@@ -43,6 +43,15 @@ public async Task Invoke(HttpContext httpContext)
 
                     Logger.LogWarning($"Client has NOT been authenticated for {httpContext.Request.Path} and pipeline error set. {error}");
 
+                    // Perform a challenge. This populates the WWW-Authenticate header on the response
+                    await httpContext.ChallengeAsync(downstreamRoute.AuthenticationOptions.AuthenticationProviderKey);
+                    
+                    // Since the response gets re-created down the pipeline, we store the challenge in the Items, so we can re-apply it when sending the response
+                    if (httpContext.Response.Headers.TryGetValue("WWW-Authenticate", out var authenticateHeader))
+                    {
+                        httpContext.Items.SetAuthChallenge(authenticateHeader);
+                    }
+                    
                     httpContext.Items.SetError(error);
                 }
             }

src/Ocelot/Middleware/HttpItemsExtensions.cs

@@ -45,6 +45,12 @@ public static void SetError(this IDictionary<object, object> input, Error error)
             input.Upsert("Errors", errors);
         }
 
+        public static void SetAuthChallenge(this IDictionary<object, object> input, string challengeString) =>
+            input.Upsert("AuthChallenge", challengeString);
+
+        public static string AuthChallenge(this IDictionary<object, object> input) =>
+            input.Get<string>("AuthChallenge");
+        
         public static void SetIInternalConfiguration(this IDictionary<object, object> input, IInternalConfiguration config)
         {
             input.Upsert("IInternalConfiguration", config);

src/Ocelot/Multiplexer/MultiplexingMiddleware.cs

@@ -210,6 +210,8 @@ private void MapNotAggregate(HttpContext httpContext, List<HttpContext> downstre
             httpContext.Items.UpsertDownstreamRequest(finished.Items.DownstreamRequest());
 
             httpContext.Items.UpsertDownstreamResponse(finished.Items.DownstreamResponse());
+            
+            httpContext.Items.SetAuthChallenge(finished.Items.AuthChallenge());
         }
 
         private async Task<HttpContext> Fire(HttpContext httpContext, RequestDelegate next)

src/Ocelot/Responder/HttpContextResponder.cs

@@ -85,6 +85,11 @@ public async Task SetErrorResponseOnContext(HttpContext context, DownstreamRespo
             }
         }
 
+        public void SetAuthChallengeOnContext(HttpContext context, string challenge)
+        {
+            AddHeaderIfDoesntExist(context, new Header("WWW-Authenticate", new [] { challenge }));
+        }
+        
         private void SetStatusCode(HttpContext context, int statusCode)
         {
             if (!context.Response.HasStarted)

src/Ocelot/Responder/IHttpResponder.cs

@@ -1,15 +1,17 @@
-namespace Ocelot.Responder
+namespace Ocelot.Responder
 {
     using Microsoft.AspNetCore.Http;
     using Ocelot.Middleware;
-    using System.Threading.Tasks;
+    using System.Threading.Tasks;
+
+    public interface IHttpResponder
+    {
+        Task SetResponseOnHttpContext(HttpContext context, DownstreamResponse response);
 
-    public interface IHttpResponder
-    {
-        Task SetResponseOnHttpContext(HttpContext context, DownstreamResponse response);
-
         void SetErrorResponseOnContext(HttpContext context, int statusCode);
 
-        Task SetErrorResponseOnContext(HttpContext context, DownstreamResponse response);
-    }
+        Task SetErrorResponseOnContext(HttpContext context, DownstreamResponse response);
+        
+        void SetAuthChallengeOnContext(HttpContext context, string challenge);
+    }
 }

src/Ocelot/Responder/Middleware/ResponderMiddleware.cs

@@ -64,6 +64,15 @@ private void SetErrorResponse(HttpContext context, List<Error> errors)
                 var downstreamResponse = context.Items.DownstreamResponse();
                 _responder.SetErrorResponseOnContext(context, downstreamResponse);
             }
+            
+            if (errors.Any(e => e.Code == OcelotErrorCode.UnauthenticatedError))
+            {
+                var challenge = context.Items.AuthChallenge();
+                if (!string.IsNullOrEmpty(challenge))
+                {
+                    _responder.SetAuthChallengeOnContext(context, challenge);
+                }
+            }
         }
     }
 }

test/Ocelot.AcceptanceTests/AuthenticationTests.cs

@@ -256,6 +256,46 @@ public void should_return_201_using_identity_server_reference_token()
                 .BDDfy();
         }
 
+        [Fact]
+        public void should_return_www_authenticate_header_on_401()
+        {
+            int port = RandomPortFinder.GetRandomPort();
+
+            var configuration = new FileConfiguration
+            {
+                Routes = new List<FileRoute>
+                {
+                    new FileRoute
+                    {
+                        DownstreamPathTemplate = _downstreamServicePath,
+                        DownstreamHostAndPorts = new List<FileHostAndPort>
+                        {
+                            new FileHostAndPort
+                            {
+                                Host =_downstreamServiceHost,
+                                Port = port,
+                            },
+                        },
+                        DownstreamScheme = _downstreamServiceScheme,
+                        UpstreamPathTemplate = "/",
+                        UpstreamHttpMethod = new List<string> { "Get" },
+                        AuthenticationOptions = new FileAuthenticationOptions
+                        {
+                            AuthenticationProviderKey = "Test",
+                        },
+                    },
+                },
+            };
+            
+            this.Given(x => _steps.GivenThereIsAConfiguration(configuration))
+                .And(x => _steps.GivenOcelotIsRunningWithJwtAuth("Test"))
+                .And(x => _steps.GivenIHaveNoTokenForMyRequest())
+                .When(x => _steps.WhenIGetUrlOnTheApiGateway("/"))
+                .Then(x => _steps.ThenTheStatusCodeShouldBe(HttpStatusCode.Unauthorized))
+                .And(x => _steps.ThenTheResponseShouldContainAuthChallenge())
+                .BDDfy();
+        }
+        
         private void GivenThereIsAServiceRunningOn(string url, int statusCode, string responseBody)
         {
             _serviceHandler.GivenThereIsAServiceRunningOn(url, async context =>

test/Ocelot.AcceptanceTests/Steps.cs

@@ -798,11 +798,57 @@ public void GivenOcelotIsRunning(OcelotPipelineConfiguration ocelotPipelineConfi
 
             _ocelotClient = _ocelotServer.CreateClient();
         }
+        
+        /// <summary>
+        /// This is annoying cos it should be in the constructor but we need to set up the file before calling startup so its a step.
+        /// </summary>
+        public void GivenOcelotIsRunningWithJwtAuth(string authenticationProviderKey)
+        {
+            var builder = new ConfigurationBuilder()
+                .SetBasePath(Directory.GetCurrentDirectory())
+                .AddJsonFile("appsettings.json", optional: true, reloadOnChange: false)
+                .AddJsonFile("ocelot.json", false, false)
+                .AddEnvironmentVariables();
+
+            var configuration = builder.Build();
+            _webHostBuilder = new WebHostBuilder();
+            _webHostBuilder.ConfigureServices(s =>
+            {
+                s.AddSingleton(_webHostBuilder);
+            });
+
+            _ocelotServer = new TestServer(_webHostBuilder
+                .UseConfiguration(configuration)
+                .ConfigureServices(s =>
+                {
+                    s.AddAuthentication().AddJwtBearer(authenticationProviderKey, options =>
+                    {
+
+                    });
+                    s.AddOcelot(configuration);
+                })
+                .ConfigureLogging(l =>
+                {
+                    l.AddConsole();
+                    l.AddDebug();
+                })
+                .Configure(a =>
+                {
+                    a.UseOcelot().Wait();
+                }));
+
+            _ocelotClient = _ocelotServer.CreateClient();
+        }
 
         public void GivenIHaveAddedATokenToMyRequest()
         {
             _ocelotClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _token.AccessToken);
         }
+        
+        public void GivenIHaveNoTokenForMyRequest()
+        {
+            _ocelotClient.DefaultRequestHeaders.Authorization = null;
+        }
 
         public void GivenIHaveAToken(string url)
         {
@@ -1083,6 +1129,12 @@ public void ThenTheStatusCodeShouldBe(HttpStatusCode expectedHttpStatusCode)
             _response.StatusCode.ShouldBe(expectedHttpStatusCode);
         }
 
+        public void ThenTheResponseShouldContainAuthChallenge()
+        {
+            _response.Headers.TryGetValues("WWW-Authenticate", out var headerValue).ShouldBeTrue();
+            headerValue.ShouldNotBeEmpty();
+        }
+        
         public void ThenTheStatusCodeShouldBe(int expectedHttpStatusCode)
         {
             var responseStatusCode = (int)_response.StatusCode;