diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
index 30ee524..ab16ff6 100644
--- a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
+++ b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
@@ -80,9 +80,9 @@ public function appliesToRoutedRequest(Request $request, $authenticated) {
    * {@inheritdoc}
    */
   public function challengeException(Request $request, \Exception $previous) {
-    $provider_id = $this->getChallenger($request);
-    if ($provider_id) {
-      return $this->challengers[$provider_id]->challengeException($request, $previous);
+    $provider = $this->getChallenger($request);
+    if ($provider) {
+      return $provider->challengeException($request, $previous);
     }
   }
 
@@ -110,14 +110,14 @@ protected function getProvider(Request $request) {
    * @param \Symfony\Component\HttpFoundation\Request $request
    *   The incoming request.
    *
-   * @return string|NULL
-   *   The id of the first authentication provider which applies to the request.
+   * @return \Drupal\Core\Authentication\AuthenticationProviderInterface
+   *   The first authentication provider which applies to the request.
    *   If no application detects appropriate credentials, then NULL is returned.
    */
   protected function getChallenger(Request $request) {
     foreach ($this->authCollector->getSortedProviders() as $provider_id => $provider) {
       if (($provider instanceof AuthenticationProviderChallengeInterface) && !$provider->applies($request) && $this->applyFilter($request, FALSE, $provider_id)) {
-        return $provider_id;
+        return $provider;
       }
     }
   }