
Should the authentication/authorization middleware return 403 for missing api routes?

I'm working with ASP.NET Core 2.0 and getting into the setup of the Startup.cs file. I am aware from the reading that the order of the middleware matters.

From this link: https://docs.microsoft.com/en-us/aspnet/core/migration/http-modules?view=aspnetcore-2.0

There is the following diagram: [enter image description here]

It indicates that if the authentication middleware provided is set up correctly, and the authentication then fails, an unauthorized response (HTTP 401 - Unauthorized) is sent regardless of whether the route exists or not.

In my scenario, I'm getting a response of HTTP 404 (Not Found) for routes that do not exist. Before I post up some code, is my understanding correct of how the middleware should behave?

Thanks.

In addition to the comments that emphasize the distinction between Authentication and Authorization, this quote is quite useful (from https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware ):

Authentication doesn't short-circuit unauthenticated requests. Although Authentication Middleware authenticates requests, authorization (and rejection) occurs only after MVC selects a specific Razor Page or MVC controller and action.

If there is no Razor Page or MVC controller to select, this will result in an HTTP 404 (Not Found) before the authorization checks would produce an HTTP 401 (Unauthorized).

Keep in mind that authorization attributes can be specified at the action level, meaning that the authorization checks wouldn't have enough information to accept or reject a request until the page or controller/action is selected (e.g. a Controller can be decorated with the [Authorize] attribute while specific actions therein are decorated with the [AllowAnonymous] attribute).
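The ordering the answer describes, as an added illustration (this is not the asker's or answerer's code, and the JWT authority and audience are placeholders): an ASP.NET Core 2.0 Startup where UseAuthentication runs before UseMvc, a controller that combines controller-level [Authorize] with an action-level [AllowAnonymous], and an optional terminal middleware after MVC. Without that last step, a request for a route that does not exist returns 404 exactly as the question observes; with it, unauthenticated callers get 401 for unknown routes too, which is a design choice (it stops anonymous clients from learning which protected routes exist) and not something the framework does on its own.

```csharp
// Startup.cs for ASP.NET Core 2.0 (added example, not code from the page).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://issuer.example/"; // placeholder, not from the page
                options.Audience  = "api-example";             // placeholder
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // 1. Authentication: validates the bearer token and fills HttpContext.User.
        //    It never short-circuits; an anonymous request simply continues.
        app.UseAuthentication();

        // 2. MVC: selects a controller/action. Only now does [Authorize] run,
        //    and only for routes that actually matched. Unmatched routes fall
        //    through to whatever comes next in the pipeline.
        app.UseMvc();

        // 3. Optional fallback (assumption: this is the behaviour we want).
        //    Anything reaching this point matched no route. Authenticated callers
        //    still see 404; anonymous callers see 401, so they cannot tell a
        //    protected route apart from a non-existent one.
        app.Run(context =>
        {
            bool authenticated = context.User?.Identity?.IsAuthenticated == true;
            context.Response.StatusCode = authenticated
                ? StatusCodes.Status404NotFound
                : StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        });
    }
}

[Route("api/[controller]")]
[Authorize] // controller-level requirement: every action needs a valid token...
public class OrdersController : Controller
{
    [HttpGet]
    public IActionResult List() => Ok(new[] { "order-1" }); // 401 without a token

    [HttpGet("status")]
    [AllowAnonymous] // ...except this one; MVC can only know that after routing
    public IActionResult Status() => Ok("up");
}
```

With no token: GET /api/orders matches a route and [Authorize] rejects it with 401; GET /api/orders/status matches and returns 200 because of [AllowAnonymous]; GET /api/nothing matches nothing, so MVC passes it on and the result is 404 without the fallback in step 3, or 401 with it. The point to take from this is that the 401 in the first case comes from the authorization filter after routing, not from UseAuthentication.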
