c# - How to stop credential caching on Windows.Web.Http.HttpClient?

I am having an issue where an app tries to access resources from the same server using different authentication methods. The two methods are:

  • Credentials (NTLM, Basic, etc)
  • OAuth (Bearer)

Setting up HttpBaseProtocolFilter

The HttpBaseProtocolFilter is set up to:

  • disable Caching
  • disable automatic UI credential request popup

Code

HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
filter.CacheControl.WriteBehavior = HttpCacheWriteBehavior.NoCache;
filter.CacheControl.ReadBehavior = HttpCacheReadBehavior.MostRecent;
filter.AllowUI = false;

Adding Server Credential

If the resource needs credentials then I use:

filter.ServerCredential = new PasswordCredential(
                RequestUri.ToString(),
                UserName,
                Password);

HttpClient httpClient = new HttpClient(filter);

Adding OAuth Token

If the resource needs a Bearer token I use:

HttpClient httpClient = new HttpClient(filter);
httpClient.DefaultRequestHeaders.Authorization = new HttpCredentialsHeaderValue("Bearer", token);

The ServerCredential is null:

filter.ServerCredential = null;

Getting response from server

using(httpClient)
{
   using(HttpRequestMessage requestMessage = new HttpRequestMessage(new HttpMethod(method), RequestUri))
   {
       using(HttpResponseMessage response = await httpClient.SendRequestAsync(requestMessage))
       {
           // Do something with response
       }
   }
}

The issue

If the HttpClient request returns a 200 (OK) using ServerCredential, then every following Bearer request also returns 200 (OK) even if the Bearer token is invalid and filter.ServerCredential is null.

It looks as if the filter.ServerCredential is cached and all subsequent calls are authenticated with the cached credentials.

I have to restart the app if I want to do a Bearer authentication.

How can I remove, disable or clear the ServerCredential of the Windows.Web.Http.HttpClient?


Things I've tried:

Deleting all cookies

var cookieManager = filter.CookieManager;
HttpCookieCollection myCookieJar = cookieManager.GetCookies(RequestUri);
foreach (HttpCookie cookie in myCookieJar)
{
    cookieManager.DeleteCookie(cookie);
}

The myCookieJar is empty.

Something with PasswordCredentialPropertyStore

Windows.Security.Credentials.PasswordCredentialPropertyStore credentialPropertyStore = new Windows.Security.Credentials.PasswordCredentialPropertyStore();

The credentialPropertyStore is empty.

AND

PasswordCredentialPropertyStore's method Clear is reserved for internal use and is not intended to be used in your code.

Any ideas?


1 Reply


Thanks for reporting this issue. This is a known behavior in the low-level WinINet HTTP stack that sits underneath the Windows.Web.Http.HttpClient API in the operating system. Once an HTTP request succeeds, the credentials are cached in the process memory for that app. Hence, even if you create a new HttpClient instance and set different credentials into the HttpBaseProtocolFilter, the same (original) credentials apply and will be used as long as they continue to be valid on the server side. (If the cached credentials stop being valid on the server side, they will be overwritten with the newly supplied ones.)

We are aware of this issue and are working on correcting it by allowing the clearing of cached credentials. Unfortunately, the only workaround currently is having the user restart the app, which will clear the process memory for the app. That will allow a different credential to be used at first. However, that credential will also 'stick' for the remainder of the application process as long as it is valid on the server.

Thanks,

Sidharth Nabar [Windows Networking team]
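
A regression probe for the behaviour described above, added here as an example (it is not code from the original post or from Microsoft). It sends one credentialed request, then one request carrying a deliberately invalid Bearer token with `ServerCredential` left null, and reports whether the second one was still accepted. The class and method names and the `invalid-probe-token` value are assumptions made for illustration, and the probe assumes the server rejects unknown Bearer tokens.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Web.Http;
using Windows.Web.Http.Filters;
using Windows.Web.Http.Headers;

// Hypothetical helper, not part of any Windows API.
public static class CredentialCacheProbe
{
    // Builds a filter configured like the one in the question.
    private static HttpBaseProtocolFilter NewFilter()
    {
        var filter = new HttpBaseProtocolFilter();
        filter.CacheControl.WriteBehavior = HttpCacheWriteBehavior.NoCache;
        filter.CacheControl.ReadBehavior = HttpCacheReadBehavior.MostRecent;
        filter.AllowUI = false;
        return filter;
    }

    private static async Task<HttpStatusCode> SendAsync(HttpClient client, Uri uri)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, uri))
        using (HttpResponseMessage response = await client.SendRequestAsync(request))
        {
            return response.StatusCode;
        }
    }

    // Returns true when an invalid Bearer token is accepted after a credentialed
    // request succeeded, i.e. the process-wide credential cache answered for it.
    public static async Task<bool> CachedCredentialsLeakAsync(Uri uri, string user, string password)
    {
        HttpStatusCode first;
        var credFilter = NewFilter();
        credFilter.ServerCredential = new PasswordCredential(uri.ToString(), user, password);
        using (var client = new HttpClient(credFilter))
        {
            first = await SendAsync(client, uri);
        }
        if (first != HttpStatusCode.Ok) return false; // nothing cached, probe is inconclusive

        using (var client = new HttpClient(NewFilter())) // ServerCredential stays null
        {
            // Constructed sentinel value that no server should accept.
            client.DefaultRequestHeaders.Authorization =
                new HttpCredentialsHeaderValue("Bearer", "invalid-probe-token");
            return await SendAsync(client, uri) == HttpStatusCode.Ok;
        }
    }
}
```

A `true` result means a 200 response in this process cannot be taken as proof that the Bearer token was validated.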

