Can't disable authentication with HttpClientCredentialType.None #4708

Closed
Evgeny-A opened this issue Sep 11, 2021 · 7 comments

@Evgeny-A

Describe the bug

If ClientCredentialType is set to HttpClientCredentialType.None in the binding options, and the server returns a 401 status with a WWW-Authenticate header, the WCF client tries to authenticate.

To Reproduce

    using System.ServiceModel;

    // Transport security (HTTPS) with no client credential: the client should
    // never send Windows credentials, even if the server answers with 401.
    var binding = new BasicHttpBinding
    {
        MaxBufferSize = int.MaxValue,
        ReaderQuotas = System.Xml.XmlDictionaryReaderQuotas.Max,
        MaxReceivedMessageSize = int.MaxValue,
        AllowCookies = true,
        Security =
        {
            Mode = BasicHttpSecurityMode.Transport,
            Transport =
            {
                ClientCredentialType = HttpClientCredentialType.None
            }
        }
    };

Expected behavior

If the server returns a 401 status, the client must just throw this error, without trying to authenticate.

@Evgeny-A
Author

I investigated a little. I think the issue is because of this code:

It sets UseDefaultCredentials to true regardless of whether authentication is required. It seems it should not do so if the AuthenticationScheme property is AuthenticationSchemes.Anonymous.

@HongGit HongGit added this to the 6.0 milestone Sep 27, 2021
@HongGit
Contributor

HongGit commented Sep 27, 2021

@imcarolwang can you please see if you could get a PR out this week?

@imcarolwang
Contributor

@Evgeny-A, I have a BasicHttpBinding service with Transport security mode that requires the Certificate HttpClientCredentialType. On the client side, I set ClientCredentialType = HttpClientCredentialType.None on the binding's Security.Transport property; the client receives a response message with 403 Forbidden status, and the code then flows to the line below and throws the exception directly here

I don't see additional authentication done after that. Am I missing something? It would be great if you could share more details of the behavior you found. Thank you.

@Evgeny-A
Author

I think certificate authentication is not related here.

The DefaultCredentials property applies only to NTLM, negotiate, and Kerberos-based authentication.

Ensure the server requires at least one of these authentication types and does not allow anonymous access. When authentication fails, the server should return a 401 status code, not 403.

Check how many HTTP requests are actually made.

What I expect: after the 401 response to the very first request, an error must be thrown saying that the server requires authentication and the client did not provide any credentials.

What I see: after the 401 response to the first request, the client makes a second (and probably a third, in the case of NTLM) request, trying to authenticate with default credentials. The request can even succeed (which is unexpected!) if the default credentials are accepted by the server as valid.
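The check described in the comment above (count the requests and see whether credentials are offered after a 401) and the fix proposed two comments earlier (gate UseDefaultCredentials on the authentication scheme) can be exercised with the following C# program. It is an added example, not code from this issue or from the dotnet/wcf repository. Everything in it is constructed for illustration: the ChallengeProbe listener, the ports 18081 and 18082, and CreateHandler, which stands in for the WCF code path discussed here and builds the handler both the buggy way (UseDefaultCredentials always true) and the gated way. It assumes .NET 6 or later and a Windows logon whose default credentials the HttpClient stack can turn into a Negotiate or NTLM token; on Windows, binding the listener may additionally require a URL reservation for the chosen prefix.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Constructed probe server: never accepts anyone, answers every request with
// 401 + WWW-Authenticate, and records what the client actually sent.
sealed class ChallengeProbe : IDisposable
{
    private readonly HttpListener _listener = new HttpListener();
    public int Requests;                 // number of HTTP requests that reached the server
    public bool SawAuthorizationHeader;  // did the client ever present credentials?
    public string Url { get; }

    public ChallengeProbe(int port)   // port is an arbitrary free port for the example
    {
        Url = $"http://localhost:{port}/";
        _listener.Prefixes.Add(Url);
        _listener.Start();
        _ = Task.Run(ServeAsync);
    }

    private async Task ServeAsync()
    {
        while (_listener.IsListening)
        {
            HttpListenerContext ctx;
            try { ctx = await _listener.GetContextAsync(); }
            catch (Exception) { return; } // listener was stopped
            Interlocked.Increment(ref Requests);
            if (ctx.Request.Headers["Authorization"] != null) SawAuthorizationHeader = true;
            ctx.Response.StatusCode = 401;
            // Offer exactly the schemes that DefaultCredentials applies to.
            ctx.Response.AppendHeader("WWW-Authenticate", "Negotiate");
            ctx.Response.AppendHeader("WWW-Authenticate", "NTLM");
            ctx.Response.Close();
        }
    }

    public void Dispose() => _listener.Stop();
}

static class Program
{
    // Hypothetical stand-in for the handler setup discussed in the issue.
    // applyFix=false: UseDefaultCredentials is set unconditionally (the bug).
    // applyFix=true:  only set it when the binding asked for NTLM/Negotiate/Kerberos,
    //                 so AuthenticationSchemes.Anonymous (ClientCredentialType.None)
    //                 sends nothing even when the server challenges.
    static HttpClientHandler CreateHandler(AuthenticationSchemes scheme, bool applyFix)
    {
        var handler = new HttpClientHandler();
        handler.UseDefaultCredentials = !applyFix || scheme != AuthenticationSchemes.Anonymous;
        return handler;
    }

    static async Task<(int status, int requests, bool credentialsOffered)> ProbeAsync(int port, bool applyFix)
    {
        using var probe = new ChallengeProbe(port);
        using var client = new HttpClient(CreateHandler(AuthenticationSchemes.Anonymous, applyFix));
        using var resp = await client.GetAsync(probe.Url);
        // The listener has closed its response before GetAsync returns, so the counters are final.
        return ((int)resp.StatusCode, probe.Requests, probe.SawAuthorizationHeader);
    }

    static async Task Main()
    {
        var (s1, n1, c1) = await ProbeAsync(18081, applyFix: false);
        Console.WriteLine($"unconditional UseDefaultCredentials: status={s1} requests={n1} credentialsOffered={c1}");

        var (s2, n2, c2) = await ProbeAsync(18082, applyFix: true);
        Console.WriteLine($"gated on AuthenticationSchemes.Anonymous: status={s2} requests={n2} credentialsOffered={c2}");
    }
}
```

Run it from an interactive Windows session. The signal to look for is the first configuration producing more than one request and credentialsOffered=True although the scheme was Anonymous, while the gated configuration stops at the first 401 with nothing offered. The practical risk of the first behaviour is that a client built with "no credentials" still hands the caller's Windows identity to any endpoint that replies with WWW-Authenticate: NTLM, which is precisely the material an NTLM capture or relay attack needs.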

@imcarolwang
Contributor

@Evgeny-A Thank you for the quick turnaround! I now can reproduce the behavior you described and the fix you've proposed works as expected. I am going to submit a PR for review.

@Evgeny-A
Author

Thank you. I'm glad to contribute.

@mconnew
Member

mconnew commented Sep 30, 2021

I'm going to close this issue as we've merged a fix.

@mconnew mconnew closed this as completed Sep 30, 2021