Add an AutomaticChallenge option to disable HttpSys from adding auth headers on 401 · dotnet/aspnetcore#5888

(10 comments) (0 reactions) (0 assignees)C# (37,933 stars) (10,653 forks)batch import

affected-very-fewarea-networkingenhancementfeature-httpsyshelp wantedseverity-nice-to-have

Description

Hi , I have a REST API appilcation hosted on HTTP.Sys with windows authetication option enabled . The REST API is protected by "Bearer" authentication scheme . Once the API invoked with invalid token the authentication scheme returns 401 with "WWW-Authenticate" "Bearer" header . Since application is hosted on HTTP.Sys the additional "WWW-Authenticate" "Negotiate" header has been added by AuthenticationManager of Http.Sys . The application uses windows authentication only in the user authentication endpoint . Is there a way to add windows authentication to specific route once hosted on http.sys ?

Contributor guide

Tech stack: csharp
Domain: backendapi
Issue type: feature
Difficulty: 3
Estimated time: 1-3 hours
Activity status: stale
Clarity: mostly clear
Prerequisites: Basic understanding of ASP.NET CoreHttpSys middlewareAuthentication schemes
Newbie friendliness: 40
Research direction: Investigate the HttpSys authentication middleware in the dotnet/aspnetcore repository, specifically the `ServerAuthenticationHandler` and `AuthenticationManager` classes. The requested feature is an `AutomaticChallenge` option to prevent the middleware from adding a 'WWW Authenticate: Negotiate' header on 401 responses when a bearer token fails. Look at the existing options in `WebHostBuilderHttpSysExtensions` and consider adding a property to `HttpSysOptions`. The change is likely localized to `src/HttpSys/src/` and should involve modifying the authentication handler to respect this option. Review any linked discussions or comments for additional context.