OpenIdConnect with AAD does not return error_description

[dstrockis]

If AAD gives an error during the auth pipeline, the middlware swallows up the error_description from AAD and doesn’t return it to the developer. It makes it pretty difficult to debug issues when talking to AAD.

You can repro by forgetting to include a client secret in the OIDC config, and letting the middleware attempted to redeem the auth code without a client secret. It will result in a 400 from AAD, but it's not clear from the middleware why it occurred.

[Tratcher]

It fails here:
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L670
with a 400 response. This gets caught by https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L622, runs AuthenticationFailed, and re-throws. Assuming nobody catches this then the server will convert it to a 500 response.

The DeveloperExceptionPage would show something like

System.AggregateException: Unhandled remote failure. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<RedeemAuthorizationCodeAsync>d__21.MoveNext() in C:\git\Universe\Security\src\Microsoft.AspNetCore.Authentication.OpenIdConnect\OpenIdConnectHandler.cs:line 670
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<HandleRemoteAuthenticateAsync>d__19.MoveNext() in C:\git\Universe\Security\src\Microsoft.AspNetCore.Authentication.OpenIdConnect\OpenIdConnectHandler.cs:line 558

The response body with the description is not currently available. The OAuth handler does do some work to expose the response body in this scenario:
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OAuth/OAuthHandler.cs#L142-L161

[troydai]

Fixed in 28932a7