Tweak the order of the response processing event handlers to be invoked later in the pipeline

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.Authentication.cs

@@ -53,7 +53,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
                 = OpenIddictClientHandlerDescriptor.CreateBuilder<ApplyAuthorizationRequestContext>()
                     .AddFilter<RequireHttpRequest>()
                     .UseSingletonHandler<ProcessQueryRequest>()
-                    .SetOrder(50_000)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictClientHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.Session.cs

@@ -53,7 +53,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
                 = OpenIddictClientHandlerDescriptor.CreateBuilder<ApplyLogoutRequestContext>()
                     .AddFilter<RequireHttpRequest>()
                     .UseSingletonHandler<ProcessQueryRequest>()
-                    .SetOrder(50_000)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictClientHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs

@@ -1063,7 +1063,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
             = OpenIddictClientHandlerDescriptor.CreateBuilder<TContext>()
                 .AddFilter<RequireHttpRequest>()
                 .UseSingletonHandler<AttachHttpResponseCode<TContext>>()
-                .SetOrder(int.MaxValue - 100_000)
+                .SetOrder(100_000)
                 .SetType(OpenIddictClientHandlerType.BuiltIn)
                 .Build();
 
@@ -1150,7 +1150,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
                 .AddFilter<RequireErrorPassthroughEnabled>()
                 .AddFilter<TFilter>()
                 .UseSingletonHandler<ProcessPassthroughErrorResponse<TContext, TFilter>>()
-                .SetOrder(AttachCacheControlHeader<TContext>.Descriptor.Order + 1_000)
+                .SetOrder(500_000)
                 .SetType(OpenIddictClientHandlerType.BuiltIn)
                 .Build();
 

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.Authentication.cs

@@ -53,7 +53,7 @@ public static partial class OpenIddictClientOwinHandlers
                 = OpenIddictClientHandlerDescriptor.CreateBuilder<ApplyAuthorizationRequestContext>()
                     .AddFilter<RequireOwinRequest>()
                     .UseSingletonHandler<ProcessQueryRequest>()
-                    .SetOrder(50_000)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictClientHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.Session.cs

@@ -51,7 +51,7 @@ public static partial class OpenIddictClientOwinHandlers
                 = OpenIddictClientHandlerDescriptor.CreateBuilder<ApplyLogoutRequestContext>()
                     .AddFilter<RequireOwinRequest>()
                     .UseSingletonHandler<ProcessQueryRequest>()
-                    .SetOrder(50_000)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictClientHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs

@@ -1124,7 +1124,7 @@ public static partial class OpenIddictClientOwinHandlers
             = OpenIddictClientHandlerDescriptor.CreateBuilder<TContext>()
                 .AddFilter<RequireOwinRequest>()
                 .UseSingletonHandler<AttachHttpResponseCode<TContext>>()
-                .SetOrder(int.MaxValue - 100_000)
+                .SetOrder(100_000)
                 .SetType(OpenIddictClientHandlerType.BuiltIn)
                 .Build();
 
@@ -1188,7 +1188,7 @@ public static partial class OpenIddictClientOwinHandlers
             // are known to aggressively intercept 401 responses even if the request is already considered fully
             // handled. In practice, this behavior is often seen with the cookies authentication middleware,
             // that will rewrite the 401 responses returned by OpenIddict and try to redirect the user agent
-            // to the login page configured in the options. To prevent this undesirable behavior, a fake
+            // to the login page configured in the options. To prevent this undesirable behavior, an explicit
             // response challenge pointing to a non-existent middleware is manually added to the OWIN context
             // to prevent the active authentication middleware from rewriting OpenIddict's 401 HTTP responses.
             //
@@ -1196,10 +1196,11 @@ public static partial class OpenIddictClientOwinHandlers
             // middleware, they are treated the same way as 401 responses to account for custom middleware
             // that may potentially use the same interception logic for both 401 and 403 HTTP responses.
             if (response.StatusCode is 401 or 403 &&
-                response.Context.Authentication.AuthenticationResponseChallenge is null)
+                response.Context.Authentication.AuthenticationResponseChallenge is not { AuthenticationTypes.Length: > 0 })
             {
-                response.Context.Authentication.AuthenticationResponseChallenge =
-                    new AuthenticationResponseChallenge([Guid.NewGuid().ToString()], null);
+                response.Context.Authentication.AuthenticationResponseChallenge = new AuthenticationResponseChallenge(
+                    authenticationTypes: [null],
+                    properties         : response.Context.Authentication.AuthenticationResponseChallenge?.Properties ?? new());
             }
 
             return default;
@@ -1330,7 +1331,7 @@ public static partial class OpenIddictClientOwinHandlers
                 .AddFilter<RequireErrorPassthroughEnabled>()
                 .AddFilter<TFilter>()
                 .UseSingletonHandler<ProcessPassthroughErrorResponse<TContext, TFilter>>()
-                .SetOrder(AttachCacheControlHeader<TContext>.Descriptor.Order + 1_000)
+                .SetOrder(500_000)
                 .SetType(OpenIddictClientHandlerType.BuiltIn)
                 .Build();
 

src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs

@@ -326,7 +326,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyAuthorizationResponseContext>()
                     .AddFilter<RequireHttpRequest>()
                     .UseSingletonHandler<ProcessFormPostResponse>()
-                    .SetOrder(50_000)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictServerHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs

@@ -318,7 +318,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>()
                     .AddFilter<RequireHttpRequest>()
                     .UseSingletonHandler<ProcessQueryResponse>()
-                    .SetOrder(ProcessLocalErrorResponse<ApplyLogoutResponseContext>.Descriptor.Order + 250)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictServerHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.cs

@@ -1176,7 +1176,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers
             = OpenIddictServerHandlerDescriptor.CreateBuilder<TContext>()
                 .AddFilter<RequireHttpRequest>()
                 .UseSingletonHandler<ProcessJsonResponse<TContext>>()
-                .SetOrder(ProcessChallengeErrorResponse<TContext>.Descriptor.Order + 1_000)
+                .SetOrder(500_000)
                 .SetType(OpenIddictServerHandlerType.BuiltIn)
                 .Build();
 

src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs

@@ -325,7 +325,7 @@ public static partial class OpenIddictServerOwinHandlers
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyAuthorizationResponseContext>()
                     .AddFilter<RequireOwinRequest>()
                     .UseSingletonHandler<ProcessFormPostResponse>()
-                    .SetOrder(50_000)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictServerHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs

@@ -318,7 +318,7 @@ public static partial class OpenIddictServerOwinHandlers
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>()
                     .AddFilter<RequireOwinRequest>()
                     .UseSingletonHandler<ProcessQueryResponse>()
-                    .SetOrder(ProcessLocalErrorResponse<ApplyLogoutResponseContext>.Descriptor.Order + 250)
+                    .SetOrder(250_000)
                     .SetType(OpenIddictServerHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.cs

@@ -1038,7 +1038,7 @@ public static partial class OpenIddictServerOwinHandlers
             // are known to aggressively intercept 401 responses even if the request is already considered fully
             // handled. In practice, this behavior is often seen with the cookies authentication middleware,
             // that will rewrite the 401 responses returned by OpenIddict and try to redirect the user agent
-            // to the login page configured in the options. To prevent this undesirable behavior, a fake
+            // to the login page configured in the options. To prevent this undesirable behavior, an explicit
             // response challenge pointing to a non-existent middleware is manually added to the OWIN context
             // to prevent the active authentication middleware from rewriting OpenIddict's 401 HTTP responses.
             //
@@ -1046,10 +1046,11 @@ public static partial class OpenIddictServerOwinHandlers
             // middleware, they are treated the same way as 401 responses to account for custom middleware
             // that may potentially use the same interception logic for both 401 and 403 HTTP responses.
             if (response.StatusCode is 401 or 403 &&
-                response.Context.Authentication.AuthenticationResponseChallenge is null)
+                response.Context.Authentication.AuthenticationResponseChallenge is not { AuthenticationTypes.Length: > 0 })
             {
-                response.Context.Authentication.AuthenticationResponseChallenge =
-                    new AuthenticationResponseChallenge([Guid.NewGuid().ToString()], null);
+                response.Context.Authentication.AuthenticationResponseChallenge = new AuthenticationResponseChallenge(
+                    authenticationTypes: [null],
+                    properties         : response.Context.Authentication.AuthenticationResponseChallenge?.Properties ?? new());
             }
 
             return default;
@@ -1297,7 +1298,7 @@ public static partial class OpenIddictServerOwinHandlers
             = OpenIddictServerHandlerDescriptor.CreateBuilder<TContext>()
                 .AddFilter<RequireOwinRequest>()
                 .UseSingletonHandler<ProcessChallengeErrorResponse<TContext>>()
-                .SetOrder(AttachWwwAuthenticateHeader<TContext>.Descriptor.Order + 1_000)
+                .SetOrder(500_000)
                 .SetType(OpenIddictServerHandlerType.BuiltIn)
                 .Build();
 

src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandlers.cs

@@ -630,7 +630,7 @@ public static partial class OpenIddictValidationAspNetCoreHandlers
             = OpenIddictValidationHandlerDescriptor.CreateBuilder<TContext>()
                 .AddFilter<RequireHttpRequest>()
                 .UseSingletonHandler<ProcessChallengeErrorResponse<TContext>>()
-                .SetOrder(AttachWwwAuthenticateHeader<TContext>.Descriptor.Order + 1_000)
+                .SetOrder(500_000)
                 .SetType(OpenIddictValidationHandlerType.BuiltIn)
                 .Build();
 

src/OpenIddict.Validation.Owin/OpenIddictValidationOwinBuilder.cs

@@ -53,9 +53,8 @@ public sealed class OpenIddictValidationOwinBuilder
     /// requiring an explicit call to <see cref="AuthenticationManager.Challenge(string[])"/>.
     /// </summary>
     /// <remarks>
-    /// Using active authentication is strongly discouraged in applications using a cookie
-    /// authentication middleware configured to use active authentication, as both middleware
-    /// will be invoked when handling 401 responses, which will result in invalid responses.
+    /// To avoid collisions, using active authentication is strongly discouraged in applications
+    /// registering multiple authentication middleware configured to use active authentication.
     /// </remarks>
     /// <returns>The <see cref="OpenIddictValidationOwinBuilder"/> instance.</returns>
     public OpenIddictValidationOwinBuilder UseActiveAuthentication()

src/OpenIddict.Validation.Owin/OpenIddictValidationOwinHandlers.cs

@@ -530,7 +530,7 @@ public static partial class OpenIddictValidationOwinHandlers
             // are known to aggressively intercept 401 responses even if the request is already considered fully
             // handled. In practice, this behavior is often seen with the cookies authentication middleware,
             // that will rewrite the 401 responses returned by OpenIddict and try to redirect the user agent
-            // to the login page configured in the options. To prevent this undesirable behavior, a fake
+            // to the login page configured in the options. To prevent this undesirable behavior, an explicit
             // response challenge pointing to a non-existent middleware is manually added to the OWIN context
             // to prevent the active authentication middleware from rewriting OpenIddict's 401 HTTP responses.
             //
@@ -538,10 +538,11 @@ public static partial class OpenIddictValidationOwinHandlers
             // middleware, they are treated the same way as 401 responses to account for custom middleware
             // that may potentially use the same interception logic for both 401 and 403 HTTP responses.
             if (response.StatusCode is 401 or 403 &&
-                response.Context.Authentication.AuthenticationResponseChallenge is null)
+                response.Context.Authentication.AuthenticationResponseChallenge is not { AuthenticationTypes.Length: > 0 })
             {
-                response.Context.Authentication.AuthenticationResponseChallenge =
-                    new AuthenticationResponseChallenge([Guid.NewGuid().ToString()], null);
+                response.Context.Authentication.AuthenticationResponseChallenge = new AuthenticationResponseChallenge(
+                    authenticationTypes: [null],
+                    properties         : response.Context.Authentication.AuthenticationResponseChallenge?.Properties ?? new());
             }
 
             return default;
@@ -771,7 +772,7 @@ public static partial class OpenIddictValidationOwinHandlers
             = OpenIddictValidationHandlerDescriptor.CreateBuilder<TContext>()
                 .AddFilter<RequireOwinRequest>()
                 .UseSingletonHandler<ProcessChallengeErrorResponse<TContext>>()
-                .SetOrder(AttachWwwAuthenticateHeader<TContext>.Descriptor.Order + 1_000)
+                .SetOrder(500_000)
                 .SetType(OpenIddictValidationHandlerType.BuiltIn)
                 .Build();