[Breaking change]: AuthenticateAsync for remote authentication providers no longer fails if anonymous #491

Open
1 of 3 tasks
Tratcher opened this issue Aug 18, 2022 · 0 comments
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs

Description

RE: dotnet/aspnetcore#43042, dotnet/aspnetcore#43212

Remote authentication providers like OpenIdConnect, WsFederation, and OAuth have been updated to avoid unnecessary errors when there is no user information available on the request.

Version

.NET 7 RC1

Previous behavior

When AuthenticateAsync was called on a remote authentication provider and there was no current user, this call would fail with a message like OpenIdConnect was not authenticated. Failure message: Not authenticated.

New behavior

AuthenticateAsync will now return AuthenticateResult.NoResult(), an anonymous identity.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

  • This was inconsistent with Cookie and Negotiate authentication which will return AuthenticateResult.NoResult().
  • It causes excess failure logs, especially if the remote authentication handler is set as the default handler and invoked per request.

Recommended action

Code that directly invokes AuthenticateAsync should be checked to ensure it properly handles AuthenticateResult.NoResult() and anonymous/empty ClaimsIdentity instances.

Affected APIs

HttpContext.AuthenticateAsync

@aspnet aspnet locked as resolved and limited conversation to collaborators Aug 18, 2022
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Sep 13, 2022
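
The check described under "Recommended action", as an added example that is not part of the issue or of ASP.NET Core itself: it classifies an AuthenticateResult so that "no failure" is never read as "signed in". The names RemoteAuthOutcome, RemoteAuthCheck and GetUserOrNullAsync and the scheme name "oidc" are assumptions, and the sample results are constructed.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

// Constructed sample results; "oidc" is an assumed scheme name.
var signedIn = new AuthenticationTicket(new ClaimsPrincipal(new ClaimsIdentity(
    new[] { new Claim(ClaimTypes.Name, "alice") }, "oidc")), "oidc");
var emptyIdentity = new AuthenticationTicket(
    new ClaimsPrincipal(new ClaimsIdentity()), "oidc");

Console.WriteLine(RemoteAuthCheck.Classify(AuthenticateResult.Success(signedIn)));
Console.WriteLine(RemoteAuthCheck.Classify(AuthenticateResult.Success(emptyIdentity)));
Console.WriteLine(RemoteAuthCheck.Classify(AuthenticateResult.NoResult()));
Console.WriteLine(RemoteAuthCheck.Classify(AuthenticateResult.Fail("Not authenticated.")));

public enum RemoteAuthOutcome { Authenticated, Anonymous, Failed }

public static class RemoteAuthCheck
{
    public static RemoteAuthOutcome Classify(AuthenticateResult result)
    {
        // A real handler error; before .NET 7 a request with no user also ended up here.
        if (result.Failure is not null) return RemoteAuthOutcome.Failed;

        // New behavior: no user on the request yields NoResult(), with no Failure set.
        if (result.None || !result.Succeeded) return RemoteAuthOutcome.Anonymous;

        // Succeeded, but an empty ClaimsIdentity is still anonymous: require IsAuthenticated.
        return result.Principal?.Identity?.IsAuthenticated == true
            ? RemoteAuthOutcome.Authenticated
            : RemoteAuthOutcome.Anonymous;
    }

    // Hypothetical helper for code that invokes AuthenticateAsync directly:
    // returns the principal only for an authenticated user, otherwise null.
    public static async Task<ClaimsPrincipal?> GetUserOrNullAsync(HttpContext context, string scheme)
    {
        var result = await context.AuthenticateAsync(scheme);
        return Classify(result) == RemoteAuthOutcome.Authenticated ? result.Principal : null;
    }
}
```

Callers that previously relied on a failure result or a caught error to detect a missing user should branch on the Anonymous outcome instead.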