I am implementing a mixed authentication mode for my ASP.NET Core 6.0 Web API / website. Assuming it is enabled in the config, the initiator of the HTTP request is free to choose between Basic (for machine clients) and challenge-based authentication (for human users), and we dynamically select the right AuthenticationHandler based on the authentication header of the HTTP request.
The user visits the Login page, fills in the credentials, and clicks "Login".
The dynamic selection of the challenge-based handler and the authentication work fine. The issue appears later down in the request pipeline. Should my authentication handler return AuthenticationResult.Success(ticket), then mapping the request to the /Login page fails, the Login.OnPost() method never gets hit, and the HTTP StatusCode is set to 400.
The interesting part is that, should my authentication handler return AuthenticationResult.Failed(), then routing to Login.OnPost() succeeds.
I built custom middleware that I injected at every single place in the request pipeline to watch when the StatusCode flips from 200 to 400. It happens at the very bottom, after the last delegate (which is app.UseEndpoints(endpoints => endpoints.MapRazorPages())).
I have hardcoded returning AuthenticationResult.Failed() and Authentication.Success() in my custom authentication handler to exclude any other factors from the client side.
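For reference, the header-based scheme selection described in the question can be expressed with a policy scheme, shown here as an added example that is not the asker's code. The scheme names "Mixed" and "Basic", the cookie scheme standing in for the challenge-based handler, and the `IsValid` helper are assumptions.

```csharp
// Added example for ASP.NET Core 6.0; scheme names and the cookie stand-in are assumptions.
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddAuthentication("Mixed")
    .AddCookie() // stand-in for the challenge-based scheme used by human users
    .AddScheme<AuthenticationSchemeOptions, BasicHandler>("Basic", _ => { })
    .AddPolicyScheme("Mixed", "Basic or cookie", o => o.ForwardDefaultSelector = ctx =>
        // Route on the Authorization header: machine clients send "Basic ...".
        ctx.Request.Headers.Authorization.ToString()
            .StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)
            ? "Basic" : CookieAuthenticationDefaults.AuthenticationScheme);

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

class BasicHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public BasicHandler(IOptionsMonitor<AuthenticationSchemeOptions> o, ILoggerFactory l,
        UrlEncoder e, ISystemClock c) : base(o, l, e, c) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No usable header: let the pipeline treat the request as anonymous.
        if (!AuthenticationHeaderValue.TryParse(Request.Headers.Authorization, out var h)
            || h.Parameter is null)
            return Task.FromResult(AuthenticateResult.NoResult());
        string[] parts;
        try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(h.Parameter)).Split(':', 2); }
        catch (FormatException) { return Task.FromResult(AuthenticateResult.Fail("Malformed header")); }
        if (parts.Length != 2 || !IsValid(parts[0], parts[1]))
            return Task.FromResult(AuthenticateResult.Fail("Invalid credentials"));
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, parts[0]) }, Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(id), Scheme.Name)));
    }
    // Hypothetical placeholder: denies by default; replace with a real credential store lookup.
    static bool IsValid(string user, string password) => false;
}
```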