diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
index 510a445..17498ba 100644
--- a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
+++ b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
@@ -80,8 +80,9 @@ public function appliesToRoutedRequest(Request $request, $authenticated) {
    * {@inheritdoc}
    */
   public function challengeException(Request $request, \Exception $previous) {
-    $provider = $this->getChallenger($request);
-    if ($provider) {
+    $provider_id = $this->getChallenger($request);
+
+    if ($provider_id && ($provider = $this->authCollector->getProvider($provider_id))) {
       return $provider->challengeException($request, $previous);
     }
   }
@@ -105,19 +106,19 @@ protected function getProvider(Request $request) {
   }
 
   /**
-   * Returns the challenge provider for a request.
+   * Returns the ID of the challenge provider for a request.
    *
    * @param \Symfony\Component\HttpFoundation\Request $request
    *   The incoming request.
    *
-   * @return \Drupal\Core\Authentication\AuthenticationProviderInterface|NULL
-   *   The first authentication provider which applies to the request.
+   * @return string|NULL
+   *   The ID of the first authentication provider which applies to the request.
    *   If no application detects appropriate credentials, then NULL is returned.
    */
   protected function getChallenger(Request $request) {
     foreach ($this->authCollector->getSortedProviders() as $provider_id => $provider) {
       if (($provider instanceof AuthenticationProviderChallengeInterface) && !$provider->applies($request) && $this->applyFilter($request, FALSE, $provider_id)) {
-        return $provider;
+        return $provider_id;
       }
     }
   }