DefaultAuthorizationHandler does not use policy-bound authentication schemes

[HerringTheCoder]

Is there an existing issue for this?

• I have searched the existing issues

Product

Hot Chocolate

Describe the bug

In my project I've configured two custom auth schemes, one that requires ApiKey, and the second one that requires both ApiKey and Bearer JWT provided (let's call it "BearerWithApiKey"), then I control allowed schemes using Policies.
Both were registered using Microsoft's AddScheme<Options, Handler>() method with UseAuthentication() with no default scheme provided, because these are configured explicitly on each policy.
Repro shows the general configuration process.

While it works perfectly fine for standard .NET HTTP requests, HotChocolate seems unable to determine Authentication Scheme based purely on policy and its attached Authentication Schemes, instead it seems to only pick up the AddAuthentication("DefaultSchemeHere") from Program.cs, otherwise it just fails to authenticate the user.

What I've tried, but failed to make it work:

1. Adding default authentication scheme in .NET AddAuthentication("BearerWithApiKey"), which is the most restrictive authorization scheme and then count on policies configuration to overwrite the schemes available when necessary. Works for .NET HTTP requests, but then HotChocolate will pick up only the default scheme, ignoring any authentication schemes attached to policies even when policy is specified using Authorize attribute.
2. Using custom HttpRequestInterceptor as mentioned by @michaelstaib here: Unable to use different authentication schemes for different queries #5792
   There is not enough data in HttpContext, RequestExecutor or Builder to determine Policy and/or Scheme that is bound to current context.
   Maybe applying custom directives and then mapping them to auth schemes would yield some results, but somehow it seems like a hacky way to do things and it requires more maintenance, assuming I could properly find and match the directives in IRequestExecutor.Schema.Directives.

Potential solutions:

1. What I finally did was creating my custom HotChocolate Authorization Handler and instead of using IPolicyProvider + IAuthorizationService I've used IPolicyProvider + IPolicyEvaluator and calling both its Authenticate, then Authorize methods.
   While it mixes both Authentication and Authorization processes, that way I can still use Authorization schemes divided per Policy.

The code below is a POC representation of the idea:

public async ValueTask<AuthorizeResult> AuthorizeAsync(AuthorizationContext context,
        IReadOnlyList<AuthorizeDirective> directives,
        CancellationToken cancellationToken = new CancellationToken())
    {
        var httpContext = context.Services.GetRequiredService<IHttpContextAccessor>().HttpContext;
        var lastAuthorizeResult = AuthorizeResult.NotAuthenticated;

        foreach (var directive in directives)
        {
            var policy = await _policyProvider.GetPolicyAsync(directive.Policy!);
            if (policy is null)
            {
                return AuthorizeResult.PolicyNotFound;
            }

            var authenticateResult = await _policyEvaluator.AuthenticateAsync(policy, httpContext!);
            var authorizeResult = await _policyEvaluator.AuthorizeAsync(policy, authenticateResult, httpContext!, null!);

            lastAuthorizeResult = authorizeResult switch
            {
                { Succeeded: true } => AuthorizeResult.Allowed,
                { Succeeded: false, Challenged: true } => AuthorizeResult.NotAuthenticated,
                { Succeeded: false, Forbidden: true } => AuthorizeResult.NotAllowed,
                _ => throw new ArgumentOutOfRangeException(nameof(authorizeResult))
            };
        }

        return lastAuthorizeResult;
    }

2. In standard Microsoft.AspNetCore.Authorization.AuthorizeAttribute this could be circumvented by specyfing authorization scheme explicitly, but HotChocolate.Authorization.AuthorizeAttribute does not provide the ability to do so.

I've provided some example code in repro, let me know if full example project is necessary to evaluate the problem.

Steps to reproduce

1. Add .NET Authentication like this:

services.AddAuthentication() //No default authorization scheme provided
            .AddScheme<SchemeOneOptions, SchemeOneAuthenticationHandler("SchemeOne", options => { })
            .AddScheme<SchemeTwoOptions, SchemeTwoAuthenticationHandler>("SchemeTwo", options => { });

2. Add .NET Authorization and policies that have AuthenticationSchemes configured (required, because there is no default scheme. It will throw exception on request otheriwse) :

services.AddAuthorization(options =>
        {
            options.AddPolicy("SchemeOneAdminPolicy", policy =>
                    policy.AddAuthenticationSchemes("SchemeOne").RequireClaim(ClaimTypes.Role, "Admin");
                                            
            options.AddPolicy("SchemeTwoAdminPolicy", policy =>
                        policy.AddAuthenticationSchemes("SchemeOne").RequireClaim(ClaimTypes.Role, "User");
                        
            options.AddPolicy("SchemeTwoAdminPolicy", policy =>
                    policy.AddAuthenticationSchemes("SchemeOne").RequireClaim(ClaimTypes.Role, "Admin")
            );

3. Add GraphQL services:

services.AddGraphQLServer()
            .AddAuthorization()
            .AddProjections()
            .AddFiltering(x => x.AddDefaults().BindRuntimeType<uint, UnsignedIntOperationFilterInputType>())
            .AddSorting()
            .AddDefaultTransactionScopeHandler()
            .AddMutationType<Mutation>()
            .AddQueryType<Query>()
            .InitializeOnStartup();

Execute a request with any policy specified:

[Authorize(Policy = "SchemeOneAdminPolicy")]
[Authorize(Policy = "SchemeTwoAdminPolicy")]

Scheme-specific handlers will never run and standard 401 HotChocolate response occurs:

{
    "errors": [
        {
            "message": "The current user is not authorized to access this resource.",
            "extensions": {
                "code": "AUTH_NOT_AUTHORIZED"
            }
        }
    ]
}

Relevant log output

No response

Additional Context?

No response

Version

13.0.5, 13.4.0

[HerringTheCoder]

I've just tried updating HotChocolate version up to 13.4.0.
The only difference I've noticed is that when there is no default auth scheme provided in AddAuthorization("defaultScheme"), the authorization does not happen at all and allows user access instead of failing prematurely.
Policy-specific schemes are still ignored.

[6k-inetum]

Hello,
I've exactly the same problem, does a correction is planned ? It's very important and can be a blocker for our production :-/.
@HerringTheCoder : I've found a way to do this without using Authorize attribute and enabling .RequireAuthorization(); in startup configuration. But you lose the ability to change policy only for one endpoint.

Thank you in advance for the response