
Support customizing RemoteAuthenticationHandler.ShouldHandleRequestAsync via event #64242

@cfbao

Description


Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I'd like to skip a RemoteAuthenticationHandler early (before it does any request processing) using custom logic.

Describe the solution you'd like

A new event on RemoteAuthenticationEvents ("OnCallback"? "OnRequestHandling"? another better name...?) where I can specify a Func<SomeContext, Task<bool>> (or similar) that'd be called by ShouldHandleRequestAsync to customize the logic for deciding when the auth handler should handle the request.

Additional context

We have a multi-tenant app where each tenant is tied to a unique hostname and a different IdP registration, hence each tenant has its own OIDC scheme.
Other than the hostname, each tenant's URLs should look basically the same, so the different OIDC handlers all have the same callback path.

For the most part, we have an "entrypoint" / "proxy" auth scheme that directs the current request to the appropriate auth scheme based on its host. However, the callback logic (i.e. HandleRequestAsync) cannot be proxied, because all auth handlers (that implement IAuthenticationRequestHandler) get to handle the request directly:

    // Give any IAuthenticationRequestHandler schemes a chance to handle the request
    var handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
    foreach (var scheme in await Schemes.GetRequestHandlerSchemesAsync())
    {
        var handler = await handlers.GetHandlerAsync(context, scheme.Name) as IAuthenticationRequestHandler;
        if (handler != null && await handler.HandleRequestAsync())
        {
            return;
        }
    }

We currently solve this problem by using the SkipUnrecognizedRequests in OIDC options. However:

  • this is inefficient because the wrong handlers are doing unnecessary processing of the request before being skipped
  • this is not ideal in terms of tenant separation - ideally the auth handler for a tenant wouldn't even look inside the request body of another tenant's request
  • the same approach doesn't work for OAuthHandler because OAuthEvents doesn't have a SkipUnrecognizedRequests

We can alternatively solve this problem by inheriting handlers like OpenIdConnectHandler and OAuthHandler and overriding ShouldHandleRequestAsync(), but then we lose convenience methods like AddOpenIdConnect and AddOAuth, and the code structure is harder to understand (compared to using events).
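As an added illustration of the subclassing workaround described above (this is not code from the issue author or from ASP.NET Core), the handler below declines a request before any callback processing whenever the request host is not the one registered for its scheme, so a tenant's handler never reads another tenant's request. It assumes the .NET 8 OpenIdConnectHandler constructor signature, a hypothetical TenantHostMap service, constructed hostnames, and that AddRemoteScheme plus an explicit OpenIdConnectPostConfigureOptions registration can stand in for AddOpenIdConnect.

```csharp
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical service: maps each OIDC scheme name to the single hostname its tenant owns.
public sealed class TenantHostMap : Dictionary<string, string> { public TenantHostMap() : base(StringComparer.OrdinalIgnoreCase) { } }

// Subclass that refuses to look at a request unless its host belongs to this scheme's tenant,
// so the handlers of other tenants never read the request (body included) before bailing out.
public sealed class TenantScopedOidcHandler : OpenIdConnectHandler
{
    private readonly TenantHostMap _hosts;
    public TenantScopedOidcHandler(TenantHostMap hosts, IOptionsMonitor<OpenIdConnectOptions> options,
        ILoggerFactory logger, HtmlEncoder htmlEncoder, UrlEncoder encoder)
        : base(options, logger, htmlEncoder, encoder) => _hosts = hosts;

    public override Task<bool> ShouldHandleRequestAsync()
    {
        if (!_hosts.TryGetValue(Scheme.Name, out var tenantHost) ||
            !string.Equals(tenantHost, Request.Host.Host, StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult(false); // wrong tenant: skip before any callback processing
        }
        return base.ShouldHandleRequestAsync(); // base compares Request.Path with Options.CallbackPath
    }
}

public static class TenantOidcRegistration
{
    // Constructed wiring for two tenants; AddRemoteScheme replaces AddOpenIdConnect, so the post-configure step is added by hand.
    public static void AddTenantOidc(IServiceCollection services)
    {
        services.AddSingleton(new TenantHostMap { ["oidc-a"] = "a.example.test", ["oidc-b"] = "b.example.test" });
        services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<OpenIdConnectOptions>, OpenIdConnectPostConfigureOptions>());
        var auth = services.AddAuthentication();
        foreach (var scheme in new[] { "oidc-a", "oidc-b" })
        {
            auth.AddRemoteScheme<OpenIdConnectOptions, TenantScopedOidcHandler>(scheme, scheme, o =>
            {
                o.CallbackPath = "/signin-oidc";                     // same callback path for every tenant
                o.Authority = $"https://idp-{scheme}.example.test";  // placeholder per-tenant IdP
                o.ClientId = "<client-id-placeholder>";
            });
        }
    }
}
```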

    Labels

    area-auth (includes: Authn, Authz, OAuth, OIDC, Bearer)