Revisit the OIDC/OAuth2 bearer middleware to stop re-throwing exceptions for invalid tokens

[kevinchalet]

By default, both the OIDC and the OAuth2 bearer middleware throw a bunch of security exceptions when a token is invalid. These exceptions are caught but the catch handler always re-throw them if you don't override the AuthenticationFailed notification and explicitly call HandleResponse() or SkipToNextMiddleware(), which is - obviously - a very bad thing, as you don't want to get a 500 response - or worse, an error page - for an invalid token.

In this case, 401 is the only response you want: https://tools.ietf.org/html/rfc6750#section-3.1

[Tratcher]

RE: #55

[kevinchalet]

Alzheimer... 😱

Let's close this one then 😄

[kevinchalet]

Reopening this issue, since the bearer middleware still needs to be reworked to avoid throwing exceptions for invalid tokens, despite #55 now being fixed.

/cc @HaoK

[kevinchalet]

Any chance we could prioritize this item?

[Tratcher]

I'd rather get a TryValidateToken from IdentityModel. @brentschmaltz?

[muratg]

@brentschmaltz can we stop throwing and return false?

[HaoK]

Please file an issue

[kevinchalet]

I agree that such a method would be useful, but in the meantime, the bearer middleware MUST be fixed to catch the validation exceptions thrown by IdentityModel, specially since we can no longer work around this limitation due to this other bug: #555

And BTW, this behavior is not specific to the bearer middleware: SecureDataFormat also catches the exceptions thrown by the data protection block instead of using a Try* method: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNet.Authentication/DataHandler/SecureDataFormat.cs#L75