This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Flow for authenticated but unauthorized users with OIDC is broken (infinite redirect) #667

Closed
DamianEdwards opened this issue Jan 21, 2016 · 8 comments

@DamianEdwards
Member

The live.asp.net web site is configured to authenticate with OIDC (Azure AD) only (as emitted by the template during File -> New). The AdminController is configured to require authorization with a policy "Admin", which basically just asserts that the user is signed in with one of three usernames.

The issue is that anybody in the Azure AD org (microsoft.com) can sign in to the site (authenticate), but when they try to access the protected resource (/admin) the policy fails and they're redirected back to Azure to sign in. As they're already signed in, Azure redirects back to the originally requested resource, which fails the policy, and the loop continues forever.

The desired flow would appear to be that in the case a user is authenticated but not authorized for a resource when using OIDC, a "Forbidden" page is shown (as configured by the app, e.g. /account/forbidden) with a suitable message and a button that enables the user to sign in as another user. The button would basically sign them out, then redirect them back to the originally requested resource, which would start the proper authentication flow again.

@Tratcher @blowdart @vibronet

@blowdart
Member

Ah, forbidden only kicks in when using cookies. @HaoK

@Tratcher
Member

I think OIDC Challenge needs to check Authenticated(SignInScheme), and if true, call Forbid(SignInScheme).

@Tratcher Tratcher added the bug label Jan 21, 2016
@Tratcher
Member

Note all the redirecting auth providers could have this issue if used stand-alone. They could all use the same fix.

@Eilon Eilon added this to the Backlog milestone Jan 21, 2016
@Eilon
Member

Eilon commented Jan 21, 2016

Backlog for now.

@LeandroPT

Is this still for backlog?

Any workarounds?

@Mendallas

Mendallas commented Jun 5, 2016

Sorry, I'm confused.
What do we need to do to resolve this issue?
Could you give me an example?

Regards

@Tratcher
Member

Tratcher commented Jun 5, 2016

@Mendallas we made internal changes for 1.0 that should address this (#823). You shouldn't have to make any changes yourself. You can try the pre-release packages on myget.org or wait for 1.0 to release.

@brockallen

For now, if you disable AutomaticChallenge on the OIDC MW, then it will fall through to the cookie middleware and get the desired AccessDeniedPath rendering.
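As an added example (not code from live.asp.net or from this repository), an ASP.NET Core 1.0-style Startup that applies the workaround from the comment above, together with the sign-out-and-retry action behind the "sign in as another user" button described in the opening post. The Authority, ClientId and the three admin account names are placeholders; the AdminController is assumed to carry `[Authorize(Policy = "Admin")]` as the issue states.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Constructed placeholder accounts; the real site checks three specific user names.
    static readonly string[] Admins = { "admin1@example.com", "admin2@example.com", "admin3@example.com" };
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization(o => o.AddPolicy("Admin", p =>   // the issue's "Admin" policy
            p.RequireAssertion(c => Admins.Contains(c.User.Identity.Name))));
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,   // cookie MW turns the 403 into a redirect to AccessDeniedPath
            AccessDeniedPath = new PathString("/account/forbidden")
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            SignInScheme = "Cookies",
            Authority = "https://login.microsoftonline.com/<tenant-placeholder>",
            ClientId = "<client-id-placeholder>",
            // true reproduces the loop: OIDC MW redirects the 403 to Azure AD, which bounces the signed-in user back to /admin
            AutomaticChallenge = false
        });
        app.UseMvc();
    }
}

public class AccountController : Controller
{
    // "Sign in as another user" button target: clear the cookie session, then retry the resource so OIDC challenges afresh.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> SwitchUser(string returnUrl)
    {
        await HttpContext.Authentication.SignOutAsync("Cookies");
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");   // avoid an open redirect
    }
}
```

With AutomaticChallenge left at true on the OIDC middleware, the same request sequence produces the redirect loop from the issue; with it false, a signed-in non-admin lands on /account/forbidden, from which the POST above clears the local session and restarts the OIDC sign-in.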
