AuthenticateAsync for remote auth providers
Remote authentication providers like OpenIdConnect, WsFederation, and OAuth have been updated to avoid unnecessary errors when there's no user information available on the request.
Version introduced
.NET 7
Previous behavior
Previously, when AuthenticateAsync was called on a remote authentication provider and there was no current user, the call failed with a message similar to "OpenIdConnect was not authenticated. Failure message: Not authenticated".
New behavior
Starting in .NET 7, AuthenticateAsync returns AuthenticateResult.NoResult(), an anonymous identity.
Type of breaking change
This change can affect binary compatibility.
Reason for change
The previous behavior:
- Was inconsistent with Cookie and Negotiate authentication, which return AuthenticateResult.NoResult().
- Caused excess failure logs, especially if the remote authentication handler was set as the default handler and invoked per request.
Recommended action
If you have code that directly invokes AuthenticateAsync, check it to ensure it properly handles AuthenticateResult.NoResult() and anonymous or empty ClaimsIdentity instances.
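One way to write such a check, as an added example that is not part of the original page: the RemoteAuthCheck class and GetAuthenticatedUserAsync helper are hypothetical names, and the scheme name is supplied by the caller. It assumes nullable reference types are enabled, and it treats a result as authenticated only when it succeeded and carries an authenticated identity, never merely because Failure is null.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

// Hypothetical helper class (not from the page or the framework).
public static class RemoteAuthCheck
{
    // Returns the authenticated principal, or null when the caller
    // must be treated as anonymous.
    public static async Task<ClaimsPrincipal?> GetAuthenticatedUserAsync(
        HttpContext context, string scheme)
    {
        AuthenticateResult result = await context.AuthenticateAsync(scheme);

        // The handler reported an error while authenticating.
        if (result.Failure is not null)
        {
            return null;
        }

        // .NET 7 and later: with no user information on the request the
        // result is NoResult(). Failure is null in that case, so
        // "no failure" must not be read as "authenticated".
        if (result.None || !result.Succeeded)
        {
            return null;
        }

        // Guard against an anonymous or empty ClaimsIdentity.
        ClaimsPrincipal? principal = result.Principal;
        if (principal?.Identity is not { IsAuthenticated: true })
        {
            return null;
        }

        return principal;
    }
}
```

Code that previously relied on a failure result to reject the request should branch on Succeeded instead, so that the new NoResult() outcome is not mistaken for a signed-in user.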