The LoggingOptions.UnhandledExceptionLoggingFilter is not just filtering logs, but swallows whole exceptions

[aomader]

In a standard ASP.NET Core setup, one normally already has exception logging etc. in place. Hence, we want to silence the implicit "exception handler middleware" that the IdentityServer has built-in.

...
catch (Exception ex) when (options.Logging.InvokeUnhandledExceptionLoggingFilter(context, ex) is not false)
{
    await events.RaiseAsync(new UnhandledExceptionEvent(ex));
    Telemetry.Metrics.UnHandledException(ex);
    _sanitizedLogger.LogCritical(ex, "Unhandled exception: {exception}", ex.Message);

    throw;
}
...

Sadly, the customization option provided via LoggingOptions.UnhandledExceptionLoggingFilter has one big drawback: it not only silences logging, but also stops the exception from bubbling, and more dangerously, continuous running the middleware chain if "logging" is filtered.

Ideally, that option would prevent only the logging and let other exception-related middlewares higher up in the chain do the right thing. I.e., we are interested in a change like the following to prevent unnecessary duplicated logs:

...
catch (Exception ex)
{
    if (options.Logging.InvokeUnhandledExceptionLoggingFilter(context, ex) is not false)
    {
        await events.RaiseAsync(new UnhandledExceptionEvent(ex));
        Telemetry.Metrics.UnHandledException(ex);
        _sanitizedLogger.LogCritical(ex, "Unhandled exception: {exception}", ex.Message);
    }

    throw;
}
...

This change would than allow us to set LoggingOptions.UnhandledExceptionLoggingFilter to (context, exception) => false, so that the standard exception handler middleware can do its job.

In general, I would suggest to remove that whole exception logging block and suggest customers/users to follow the standard practices here, which I guess anybody is anyways already doing, so there should really not be a need for this, which also shows, given that there is an option for filtering.

[wcabus]

I ran a quick test locally, setting the logging filter to return false for every call first and then switching to true to spot the difference.
Then, to trigger the exception logic, the bubbling up and whether or not the middleware chain would continue to run, I triggered an exception from within the discovery endpoint.

Before I share the results of my quick test, I should also point out that the exception filter within the IdentityServerMiddleware will only catch or filter exceptions that occur while processing IdentityServer's endpoints.

Setting the UnhandledExceptionLoggingFilter to always return false

Since I have UseDeveloperExceptionPage logic running in my sample project, when I triggered the discovery endpoint, I got a response from the developer exception page which caught the now unhandled exception since the exception filter did not catch it within the IdentityServerMiddleware class.

The raw exception details look something like this:

System.InvalidOperationException: Just testing something
   at Sample.IdSrv.CustomDiscoveryResponseGenerator.CreateDiscoveryDocumentAsync(String baseUrl, String issuerUri) in ...\CustomDiscoveryResponseGenerator.cs:line 17
   at Duende.IdentityServer.Endpoints.BaseDiscoveryEndpoint.GetDiscoveryDocument(HttpContext context, String baseUrl, String issuerUri) in /_/identity-server/src/IdentityServer/Endpoints/BaseDiscoveryEndpoint.cs:line 33
   at Duende.IdentityServer.Endpoints.DiscoveryEndpoint.ProcessAsync(HttpContext context) in /_/identity-server/src/IdentityServer/Endpoints/DiscoveryEndpoint.cs:line 64
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/identity-server/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 100
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/identity-server/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 125
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 57
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 23
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Setting the UnhandledExceptionLoggingFilter to always return true

Again, the developer exception page is displayed showing the similar raw exception details. The only differences here, are:

1. The exception is now being logged as well by the IdentityServerMiddleware, which includes raising an UnhandledExceptionEvent in the event sink and publishing an OTel event.
2. An additional line appears in the stacktrace, which is where the exception is rethrown to bubble it up after "handling it".

System.InvalidOperationException: Just testing something
   at Sample.IdSrv.CustomDiscoveryResponseGenerator.CreateDiscoveryDocumentAsync(String baseUrl, String issuerUri) in ...\CustomDiscoveryResponseGenerator.cs:line 17
   at Duende.IdentityServer.Endpoints.BaseDiscoveryEndpoint.GetDiscoveryDocument(HttpContext context, String baseUrl, String issuerUri) in /_/identity-server/src/IdentityServer/Endpoints/BaseDiscoveryEndpoint.cs:line 33
   at Duende.IdentityServer.Endpoints.DiscoveryEndpoint.ProcessAsync(HttpContext context) in /_/identity-server/src/IdentityServer/Endpoints/DiscoveryEndpoint.cs:line 64
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/identity-server/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 100
+  at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/identity-server/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 122
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/identity-server/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 125
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 57
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 23
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

[aomader]

@wcabus Indeed. It appears I was reading the code incorrectly in my sleep-deprived mind. Thank you for checking and clarifying!