From 11319ecd32b6a5fcfb03dabb48fd6fb417170935 Mon Sep 17 00:00:00 2001
From: Erwin van der Valk <erwin@vandervalk.pro>
Date: Tue, 17 Feb 2026 17:08:14 +0100
Subject: [PATCH] Merge pull request #2363 from
 DuendeSoftware/ev/bff/fix-no-forbid-scheme

Fix stack overflow exception when explicitly configuring authentication schemes without configuring a forbid scheme.
---
 .../BffConfigureAuthenticationOptions.cs      | 15 +++--
 .../Bff.Tests/Endpoints/LocalEndpointTests.cs | 56 +++++++++++++++++++
 2 files changed, 65 insertions(+), 6 deletions(-)

diff --git a/bff/src/Bff/DynamicFrontends/BffConfigureAuthenticationOptions.cs b/bff/src/Bff/DynamicFrontends/BffConfigureAuthenticationOptions.cs
index 72b02faab..ea2629f50 100644
--- a/bff/src/Bff/DynamicFrontends/BffConfigureAuthenticationOptions.cs
+++ b/bff/src/Bff/DynamicFrontends/BffConfigureAuthenticationOptions.cs
@@ -18,13 +18,16 @@ internal class BffConfigureAuthenticationOptions : IPostConfigureOptions<Authent
             options.DefaultScheme = BffAuthenticationSchemes.BffCookie;
             options.DefaultChallengeScheme = BffAuthenticationSchemes.BffOpenIdConnect;
             options.DefaultSignOutScheme = BffAuthenticationSchemes.BffOpenIdConnect;
+        }
 
-            // If we don't set this forbid scheme, when calling forbid, it can trigger a stackoverflow exception
-            // when calling HttpContext.Forbid(). 
-            if (options.DefaultForbidScheme == null)
-            {
-                options.DefaultForbidScheme = BffAuthenticationSchemes.BffCookie;
-            }
+        // If we don't set this forbid scheme, when calling forbid, it can trigger a stackoverflow exception
+        // when calling HttpContext.Forbid(). This happens because BffAuthenticationService decorates
+        // IAuthenticationService, and if the default forbid scheme is not set, the cookie handler's base
+        // class calls Context.ForbidAsync() which resolves BffAuthenticationService again, creating an
+        // infinite loop. We set the forbid scheme to the default scheme to break this cycle.
+        if (options.DefaultForbidScheme == null)
+        {
+            options.DefaultForbidScheme = options.DefaultScheme ?? options.DefaultAuthenticateScheme;
         }
     }
 }
diff --git a/bff/test/Bff.Tests/Endpoints/LocalEndpointTests.cs b/bff/test/Bff.Tests/Endpoints/LocalEndpointTests.cs
index 9dac9ff85..1e40ddc0d 100644
--- a/bff/test/Bff.Tests/Endpoints/LocalEndpointTests.cs
+++ b/bff/test/Bff.Tests/Endpoints/LocalEndpointTests.cs
@@ -2,6 +2,7 @@
 // See LICENSE in the project root for license information.
 
 using System.Net;
+using Duende.Bff.DynamicFrontends;
 using Duende.Bff.Tests.TestFramework;
 using Duende.Bff.Tests.TestInfra;
 using Microsoft.AspNetCore.Authentication;
@@ -311,4 +312,59 @@ public class LocalEndpointTests(ITestOutputHelper output) : BffTestBase(output)
         var response = await Bff.BrowserClient.GetAsync(Bff.Url("/not-found"));
         response.StatusCode.ShouldBe(HttpStatusCode.NotFound);
     }
+
+    [Fact]
+
+    public async Task authorization_policy_failure_should_return_403()
+    {
+        var identityServer = new IdentityServerTestHost(Context);
+        var bff = new BffTestHost(Context, identityServer);
+        identityServer.AddClient(The.ClientId, bff.Url());
+
+        bff.OnConfigureBffOptions += opt =>
+        {
+            opt.BackchannelHttpHandler = Internet;
+            opt.ConfigureOpenIdConnectDefaults = The.DefaultOpenIdConnectConfiguration;
+        };
+
+        // this is regards to an issue reported by one of our users:
+        // https://github.com/orgs/DuendeSoftware/discussions/488
+        // We have to explicitly configure the authentication schemes, but
+        // not set the DefaultForbidScheme, otherwise when an authorization policy
+        // fails, the BFF doesn't know which scheme to use for the forbid response,
+        // and that causes a StackOverflowException.
+        bff.OnConfigureServices += s => s.AddAuthentication(options =>
+        {
+            options.DefaultScheme = BffAuthenticationSchemes.BffCookie;
+            options.DefaultChallengeScheme = BffAuthenticationSchemes.BffOpenIdConnect;
+            options.DefaultSignOutScheme = BffAuthenticationSchemes.BffOpenIdConnect;
+        });
+
+        // This test verifies that when an authorization policy fails (not just RequireAuthenticatedUser,
+        // but a custom policy like RequireClaim), the BFF correctly returns 403 without causing
+        // a StackOverflowException. This was a bug when DefaultForbidScheme was not set.
+        AddCustomUserClaims(new System.Security.Claims.Claim("given_name", "Alice"));
+
+        bff.OnConfigureApp += app =>
+        {
+            app.Map(The.Path, c => ApiHost.ReturnApiCallDetails(c, () => LocalApiResponseStatus))
+                .RequireAuthorization(policy =>
+                {
+                    policy.RequireAuthenticatedUser();
+                    policy.RequireClaim("given_name", "Bob"); // Alice won't have this claim
+                })
+                .AsBffApiEndpoint();
+        };
+
+        await identityServer.InitializeAsync();
+        await bff.InitializeAsync();
+
+        await bff.BrowserClient.Login();
+        bff.BrowserClient.RedirectHandler.AutoFollowRedirects = false;
+
+        await bff.BrowserClient.CallBffHostApi(
+            url: Bff.Url(The.Path),
+            expectedStatusCode: HttpStatusCode.Forbidden
+        );
+    }
 }