Returning 403 does not redirect to AccessDeniedPath #499
Comments
@HaoK can you log a bug in MVC to create a forbidden result that sends a forbid response + 403?
Is this still an issue for RC1 @HaoK? Given the following middleware configuration:

```csharp
app.UseCookieAuthentication(options =>
{
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;
});
app.UseOpenIdConnectAuthentication(options =>
{
    options.Authority = Configuration.Get<string>("AzureAd:Authority");
    options.ClientId = Configuration.Get<string>("AzureAd:ClientId");
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
// MVC
```

When MVC returns a 403 this is "caught" and made into a 302 redirect to the login page (causing endless redirects). My assumption was it would use the default
@Tratcher any idea on this?
That's odd, we don't intercept 403s, only 401s.
I've made the most simple gist I could to demonstrate this. Given an end user that does not have the claim there, I'm seeing endless redirects.
Oh, MVC isn't setting a 403 anywhere in your gist. It's failing to authorize which triggers another login flow. I think you're hitting this issue: #667 |
Ah okay, perhaps I made some assumptions about this, so sorry about that. How exactly does the Authorize attribute work if it doesn't return a 403? |
It invokes HttpContext.Authentication.Challenge. For authenticated but not authorized Cookies or Bearer this can produce a 403, but for most of the other auth middleware this causes an infinite loop. |
Thanks, I'll keep tabs on the related issue. Hoping this will go into RC2! |
No, it's scheduled for post RC2. We're out of time for RC2 features. |
Returning `new HttpStatusCodeResult(StatusCodes.Status403Forbidden)` from an action does not redirect to a "forbidden" url. I am using cookie authentication in beta7.
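The distinction made in the thread, as an added example that is not part of the original issue or of the ASP.NET repository: a bare 403 status is never turned into a redirect, and `[Authorize]` only knows how to challenge, so a signed-in user who lacks a claim is forbidden explicitly against the cookie scheme, which is the handler that knows about `AccessDeniedPath`. It assumes the RC1-era API surface the thread uses (`HttpContext.Authentication.ForbidAsync`, `CookieAuthenticationOptions.AccessDeniedPath`); the authority, client id, claim and paths are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Authentication.Cookies;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Mvc;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;
            options.AutomaticChallenge = true;
            // Only a Forbid on this scheme honours this path; a plain 403
            // result from an action is passed through untouched.
            options.AccessDeniedPath = new PathString("/Account/Forbidden"); // hypothetical path
        });
        // Same shape as the thread's configuration, with placeholder values.
        app.UseOpenIdConnectAuthentication(options =>
        {
            options.Authority = "https://login.example.invalid/placeholder-tenant"; // placeholder
            options.ClientId = "placeholder-client-id";                               // placeholder
            options.AutomaticAuthenticate = true;
            options.AutomaticChallenge = true;
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        });
        app.UseMvcWithDefaultRoute();
    }
}

public class AdminController : Controller
{
    // [Authorize] still challenges anonymous users, which starts the OIDC sign-in.
    [Authorize]
    public async Task<IActionResult> Index()
    {
        if (!User.HasClaim("role", "admin")) // hypothetical claim
        {
            // Authenticated but not authorized: forbid on the *cookie* scheme.
            // The cookie handler answers with 403 or a redirect to AccessDeniedPath;
            // challenging the OIDC scheme here would sign the user in again and loop.
            await HttpContext.Authentication.ForbidAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return new EmptyResult();
        }
        return View();
    }
}
```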