Reuse failed auth results in AuthN (#43269)

Author: Kahbazi

src/Security/Authentication/Certificate/src/AuthenticateResults.cs

@@ -0,0 +1,11 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Authentication.Certificate;
+
+internal static class AuthenticateResults
+{
+    internal static AuthenticateResult NoSelfSigned = AuthenticateResult.Fail("Options do not allow self signed certificates.");
+    internal static AuthenticateResult NoChainedCertificates = AuthenticateResult.Fail("Options do not allow chained certificates.");
+    internal static AuthenticateResult InvalidClientCertificate = AuthenticateResult.Fail("Client certificate failed validation.");
+}

src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs

@@ -126,7 +126,7 @@ private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2
             !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.SelfSigned))
         {
             Logger.CertificateRejected("Self signed", clientCertificate.Subject);
-            return AuthenticateResult.Fail("Options do not allow self signed certificates.");
+            return AuthenticateResults.NoSelfSigned;
         }
 
         // If we have a chained cert, and they're not allowed, exit early and not bother with
@@ -135,7 +135,7 @@ private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2
             !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.Chained))
         {
             Logger.CertificateRejected("Chained", clientCertificate.Subject);
-            return AuthenticateResult.Fail("Options do not allow chained certificates.");
+            return AuthenticateResults.NoChainedCertificates;
         }
 
         var chainPolicy = BuildChainPolicy(clientCertificate, isCertificateSelfSigned);
@@ -153,7 +153,7 @@ private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2
                 chainErrors.Add($"{validationFailure.Status} {validationFailure.StatusInformation}");
             }
             Logger.CertificateFailedValidation(clientCertificate.Subject, chainErrors);
-            return AuthenticateResult.Fail("Client certificate failed validation.");
+            return AuthenticateResults.InvalidClientCertificate;
         }
 
         var certificateValidatedContext = new CertificateValidatedContext(Context, Scheme, Options)

src/Security/Authentication/Cookies/src/AuthenticateResults.cs

@@ -0,0 +1,13 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Authentication.Cookies;
+
+internal static class AuthenticateResults
+{
+    internal static AuthenticateResult FailedUnprotectingTicket = AuthenticateResult.Fail("Unprotect ticket failed");
+    internal static AuthenticateResult MissingSessionId = AuthenticateResult.Fail("SessionId missing");
+    internal static AuthenticateResult MissingIdentityInSession = AuthenticateResult.Fail("Identity missing in session store");
+    internal static AuthenticateResult ExpiredTicket = AuthenticateResult.Fail("Ticket expired");
+    internal static AuthenticateResult NoPrincipal = AuthenticateResult.Fail("No principal.");
+}

src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs

@@ -147,21 +147,21 @@ private async Task<AuthenticateResult> ReadCookieTicket()
         var ticket = Options.TicketDataFormat.Unprotect(cookie, GetTlsTokenBinding());
         if (ticket == null)
         {
-            return AuthenticateResult.Fail("Unprotect ticket failed");
+            return AuthenticateResults.FailedUnprotectingTicket;
         }
 
         if (Options.SessionStore != null)
         {
             var claim = ticket.Principal.Claims.FirstOrDefault(c => c.Type.Equals(SessionIdClaim));
             if (claim == null)
             {
-                return AuthenticateResult.Fail("SessionId missing");
+                return AuthenticateResults.MissingSessionId;
             }
             // Only store _sessionKey if it matches an existing session. Otherwise we'll create a new one.
             ticket = await Options.SessionStore.RetrieveAsync(claim.Value, Context, Context.RequestAborted);
             if (ticket == null)
             {
-                return AuthenticateResult.Fail("Identity missing in session store");
+                return AuthenticateResults.MissingIdentityInSession;
             }
             _sessionKey = claim.Value;
         }
@@ -178,7 +178,7 @@ private async Task<AuthenticateResult> ReadCookieTicket()
                 // Clear out the session key if its expired, so renew doesn't try to use it
                 _sessionKey = null;
             }
-            return AuthenticateResult.Fail("Ticket expired");
+            return AuthenticateResults.ExpiredTicket;
         }
 
         // Finally we have a valid ticket
@@ -204,7 +204,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 
         if (context.Principal == null)
         {
-            return AuthenticateResult.Fail("No principal.");
+            return AuthenticateResults.NoPrincipal;
         }
 
         if (context.ShouldRenew)

src/Security/Authentication/Core/src/HandleRequestResult.cs

@@ -8,6 +8,10 @@ namespace Microsoft.AspNetCore.Authentication;
 /// </summary>
 public class HandleRequestResult : AuthenticateResult
 {
+    private static readonly HandleRequestResult _noResult = new() { None = true };
+    private static readonly HandleRequestResult _skippedResult = new() { Skipped = true };
+    private static readonly HandleRequestResult _handledResult = new() { Handled = true };
+
     /// <summary>
     /// Indicates that stage of authentication was directly handled by
     /// user intervention and no further processing should be attempted.
@@ -77,26 +81,17 @@ public class HandleRequestResult : AuthenticateResult
     /// The caller is responsible for generating the full response.
     /// </summary>
     /// <returns>The result.</returns>
-    public static HandleRequestResult Handle()
-    {
-        return new HandleRequestResult() { Handled = true };
-    }
+    public static HandleRequestResult Handle() => _handledResult;
 
     /// <summary>
     /// Discontinue processing the request in the current handler.
     /// </summary>
     /// <returns>The result.</returns>
-    public static HandleRequestResult SkipHandler()
-    {
-        return new HandleRequestResult() { Skipped = true };
-    }
+    public static HandleRequestResult SkipHandler() => _skippedResult;
 
     /// <summary>
     /// Indicates that there were no results produced during authentication.
     /// </summary>
     /// <returns>The result.</returns>
-    public static new HandleRequestResult NoResult()
-    {
-        return new HandleRequestResult() { None = true };
-    }
+    public static new HandleRequestResult NoResult() => _noResult;
 }

src/Security/Authentication/JwtBearer/src/AuthenticateResults.cs

@@ -0,0 +1,9 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Authentication.JwtBearer;
+
+internal static class AuthenticateResults
+{
+    internal static AuthenticateResult ValidatorNotFound = AuthenticateResult.Fail("No SecurityTokenValidator available for token.");
+}

src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs

@@ -178,7 +178,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.Fail(authenticationFailedContext.Exception);
             }
 
-            return AuthenticateResult.Fail("No SecurityTokenValidator available for token.");
+            return AuthenticateResults.ValidatorNotFound;
         }
         catch (Exception ex)
         {

src/Security/Authentication/OAuth/src/HandleRequestResults.cs

@@ -0,0 +1,9 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Authentication.OAuth;
+
+internal static class HandleRequestResults
+{
+    internal static HandleRequestResult InvalidState = HandleRequestResult.Fail("The oauth state was missing or invalid.");
+}

src/Security/Authentication/OAuth/src/OAuthHandler.cs

@@ -61,7 +61,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
         if (properties == null)
         {
-            return HandleRequestResult.Fail("The oauth state was missing or invalid.");
+            return HandleRequestResults.InvalidState;
         }
 
         // OAuth2 10.12 CSRF

src/Security/Authentication/OpenIdConnect/src/HandleRequestResults.cs

@@ -0,0 +1,10 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
+internal static class HandleRequestResults
+{
+    internal static HandleRequestResult UnexpectedParams = HandleRequestResult.Fail("An OpenID Connect response cannot contain an identity token or an access token when using response_mode=query");
+    internal static HandleRequestResult NoMessage = HandleRequestResult.Fail("No message.");
+}