How to return custom message from custom AuthorizeAttribute?

Question

I am using ASP.NET Core 3.1 WebAPI with Auth0.

I wanted to implement a custom AuthorizeAttribute that would perform simple permission checks and return 403 with a message if permissions are missing.

Here is the code:

Startup.cs (ConfigureServices)

services
        .AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            }
        )
        .AddJwtBearer(options =>
            {
                var keyResolver = new MultipleIssuerSigningKeyResolver();
                options.MetadataAddress = "https://.../.well-known/openid-configuration";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = Auth0Configuration.Audience,
                    ValidIssuers = Auth0Configuration.Issuers,
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                        keyResolver.GetSigningKey(securityToken.Issuer, kid)
                };
            }
        );

Custom AuthorizeAttribute :

public class AuthorizeAttribute : Microsoft.AspNetCore.Authorization.AuthorizeAttribute, IAsyncAuthorizationFilter
{
    private readonly string[] _permissions;

    public AuthorizeAttribute(params string[] permissions)
    {
        _permissions = permissions;
    }

    /// <inheritdoc />
    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var user = (IRemoteUser) context.HttpContext.RequestServices.GetService(typeof(IRemoteUser));
        await user.Fetch(context.HttpContext);
        context.HttpContext.Items["RemoteUser"] = user;
        foreach (var permission in _permissions)
        {
            if (user.HasPermission(permission)) continue;

            // Permission not found, return forbidden.
            context.Result = new ForbidResult($"Permission '{permission}' is required.");
            return;
        }
    }
}

I call it like this:

[Authorize("support:all")]
[HttpPost]
public async Task<ActionResult> Create([FromBody] SupportMessageCreateDto dto)
{...}

It works fine if I don't provide a message to new ForbidResult() . I get 403 if permission is missing. But if I provide this message, I get:

{
  "error": "No authentication handler is registered for the scheme 'Permission 'support:all' is required.'. The registered schemes are: Bearer. Did you forget to call AddAuthentication().Add[SomeAuthHandler](\"Permission 'support:all' is required.\",...)?"
}

Why is this happening and how can I solve it? I really like this setup as it is simple, but this message is required.

Answer 1

I made a mistake with Result type. ForbidResult actually expects authentication scheme as string in constructor. I replaced

context.Result = new ForbidResult($"Permission '{permission}' is required.");

with

context.Result = new ObjectResult($"Permission '{permission}' is required.")
{
    StatusCode = (int) HttpStatusCode.Forbidden
};

and it works now.