ASP.NET Core giving me Code 500 on Forbid()

北城以北 submitted on 2020-05-14 17:25:49

Question


I tried to solve this for hours now and I cannot find anything. Basically I have a simple controller which roughly looks like this:

[Route("v1/lists")]
public class ListController : Controller
{
    ...

    [HttpPost("{id}/invite")]
    public async Task<IActionResult> PostInvite([FromBody] string inviteSecret, [FromRoute] int id, [FromQuery] string userSecret)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        List list = await context.Lists.SingleOrDefaultAsync(l => l.ID == id);
        if (list == null)
        {
            return NotFound();
        }

        User postingUser = await context.Users.SingleOrDefaultAsync(u => u.ID == list.CreationUserID);
        if (postingUser == null || postingUser.Secret != userSecret)
        {
            return Forbid();
        }

        await context.ListInvites.AddAsync(new ListInvite{ListID = id, InviteSecret = inviteSecret});
        await context.SaveChangesAsync();
        return Ok();
    }

    ....
}

The thing is: Whenever this method gets called and it exits through return Forbid();, Kestrel throws an InvalidOperationException afterwards with the message

No authentication handler is configured to handle the scheme: Automatic

(and of course the server returns a 500). What's strange about it is the fact that I am not doing any authentication whatsoever anywhere, and it does not happen e.g. if the method leaves with return Ok();. I'm really lost at this point because if you try to google this problem you get solutions over solutions... for people who actually do auth and have a problem with it. I really hope someone over here knows how to resolve this and/or what I could do to find out why this happens.


Answer 1:


Like SignIn, SignOut or Challenge, Forbid relies on the authentication stack to decide what's the right thing to do to return a "forbidden" response: some authentication handlers like the JWT bearer middleware return a 403 response while others - like the cookie middleware - prefer redirecting the user to an "access denied page".

If you don't have any authentication handler in your pipeline, you can't use this method. Instead, use return StatusCode(403).
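
The failing and the working return path from the answer above, side by side, as an added example that is not part of the original post. It assumes the .NET 6+ minimal hosting model (newer than the version in the question); DemoController, its routes and the secret value are constructed for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// MVC controllers only. No authentication handler is registered anywhere,
// which is the situation described in the question.
builder.Services.AddControllers();

var app = builder.Build();
app.MapControllers();
app.Run();

[Route("v1/demo")]
public class DemoController : Controller
{
    // Constructed stand-in for the per-user secret lookup in the question.
    private const string ExpectedSecret = "constructed-demo-secret";

    // POST /v1/demo/forbid?userSecret=wrong
    // Forbid() returns a ForbidResult, which asks the authentication stack
    // how to answer. With no handler to ask, executing the result throws
    // InvalidOperationException and the client sees a 500 (the exact
    // exception message depends on the framework version).
    [HttpPost("forbid")]
    public IActionResult WithForbid([FromQuery] string userSecret)
    {
        if (userSecret != ExpectedSecret)
        {
            return Forbid();
        }
        return Ok();
    }

    // POST /v1/demo/status?userSecret=wrong
    // StatusCode(403) writes the status directly and never touches the
    // authentication stack, so the client receives a plain 403.
    [HttpPost("status")]
    public IActionResult WithStatusCode([FromQuery] string userSecret)
    {
        if (userSecret != ExpectedSecret)
        {
            return StatusCode(StatusCodes.Status403Forbidden);
        }
        return Ok();
    }
}
```

Because the Forbid() path surfaces as a 500 rather than a 403, clients and monitoring will record a rejected secret as a server fault instead of an access denial until the return is changed.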



Source: https://stackoverflow.com/questions/44597099/asp-net-core-giving-me-code-500-on-forbid
