Why doesn't AuthenticateAsync set context's User property?

[voroninp]

In PolicyEvaluator class principal is built from all specified schemes.

Whereas direct call to HttpContext.AuthenticateAsync has no effect. Authentication middleware sets User only for the default scheme.

Should not it be the responsibility of AuthenticationService, and should not it be the same as in policy evaluator?
I'd expect, that every call to Authenticate extends (or replaces for the same scheme?) context's user with the new principal same way PolicyEvaluator does.

[voroninp]

@davidfowl, your answer would be much appreciated ;-)

[voroninp]

But where should it be set then?

[davidfowl]

The caller of that method should set it if they need it to be set.

[voroninp]

Hm... but with auth policies/authorize attribute that's going to be some code in framework anyway, isn't it?

[davidfowl]

This method is a low level method that returns a result. It shouldn’t have a side effect of changing the current user. That feels very broken.

It can be called from anywhere in the request pipeline to get the authentication result (for example SignalR calls it to get the result of authentication).

[voroninp]

Ah, ok I got you. I agree Authenticate's signature implies it's a query rather than a command.