[Bug] AccessDenied Routing
Which version of Microsoft Identity Web are you using? Microsoft.Identity.Web - v0.1.0 Preview; Microsoft.Identity.Web.UI - v0.1.0 Preview
Where is the issue?
- Web App
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (Validating tokens)
- Protected web APIs (Validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In Memory caches
- Session caches
- Distributed caches
Is this a new or existing app? c. This is a new app or experiment
Repro
Clone and run the below sample project.
Log in with an unauthorized account.
Expected behavior: Unauthorized account should be redirected to /MicrosoftIdentity/Account/AccessDenied.
Actual behavior: Unauthorized account is redirected to /Account/AccessDenied, which doesn't exist.
Possible solution: The Microsoft.Identity.Web.UI AccountController exists in the MicrosoftIdentity area, but there doesn't seem to be a way to provide the AccessDenied response with this route info.
I'd expect this to be configurable using something like the AccessDeniedPath property, like this, but it doesn't seem to work.
services.Configure<OpenIdConnectOptions>(options =>
{
    // Use the groups claim for populating roles
    options.TokenValidationParameters.RoleClaimType = "groups";
    options.AccessDeniedPath = "/MicrosoftIdentity/Account/AccessDenied";
});
Possibly this is a redirect URL that should be set in the portal but it’s not obvious where this is.
A workaround is to create an account controller with the required view but this goes against the point of Microsoft.Identity.Web.UI.
Top GitHub Comments
Yes, seems like specifying AccessDeniedPath on OpenIdConnectOptions doesn't work. Specifying the path on CookieAuthenticationOptions works: the scheme has to be the same as what is passed into the AddSignIn method (or the default CookieAuthenticationDefaults.AuthenticationScheme), because that is what is passed in https://github.com/AzureAD/microsoft-identity-web/blob/4458dbf15ddf494c2f3f5a27da873260bbe71040/src/Microsoft.Identity.Web/WebAppAuthenticationBuilderExtensions.cs#L82

From logging we can see that when the user is unauthorized and the code above is not used, the cookie and OIDC handlers fail and a redirect to /Account/AccessDenied... is done. When the above fix is used, after the handlers fail to authorize, the redirect is made to the correct page.

I looked through the ASP.NET Core repo and really the only references to AccessDeniedPath I found were related to cookies. The default path value is in CookieAuthenticationDefaults. If the custom path is not specified, it is set to the default in PostConfigureCookieAuthenticationOptions.PostConfigure. CookieAuthenticationHandler builds the URI and redirects in HandleForbiddenAsync.

In 0.1.4-preview release