Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[Bug] AccessDenied Routing
See original GitHub issueWhich Version of Microsoft Identity Web are you using ? Microsoft.Identity.Web - v0.1.0 Preview Microsoft.Identity.Web.UI - v0.1.0 Preview
Where is the issue?
- Web App
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (Validating tokens)
- Protected web APIs (Validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In Memory caches
- Session caches
- Distributed caches
Is this a new or existing app? c. This is a new app or experiment
Repro
Clone and run the below sample project.
Log in with an unauthorized account.
Expected behavior Unauthorized account should be redirected to /MicrosoftIdentity/Account/AccessDenied.
Actual behavior Unauthorized account is redirected to /Account/AccessDenied which doesn’t exist.
Possible Solution The Microsoft.Identity.Web.UI AccountController exists in the MicrosoftIdentity area but there doesn’t seem to be a way to provide the AccessDenied response with this route info.
I’d expect this to be configurable using something like the AccessDenied property like this but it doesn’t seem to work.
services.Configure<OpenIdConnectOptions>(options =>
{
// Use the groups claim for populating roles
options.TokenValidationParameters.RoleClaimType = "groups";
options.AccessDeniedPath = "/MicrosoftIdentity/Account/AccessDenied";
});
Possibly this is a redirect URL that should be set in the portal but it’s not obvious where this is.
A workaround is to create an account controller with the required view but this goes against the point of Microsoft.Identity.Web.UI.
Issue Analytics
- State:
- Created 3 years ago
- Comments:8 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Yes, seems like specifying
AccessDeniedPathonOpenIdConnectOptionsdoesn’t work.Specifying the path on
CookieAuthenticationOptionsworks:The scheme has to be the same as what is passed into
AddSignInmethod (or defaultCookieAuthenticationDefaults.AuthenticationScheme) because that is what is passed in https://github.com/AzureAD/microsoft-identity-web/blob/4458dbf15ddf494c2f3f5a27da873260bbe71040/src/Microsoft.Identity.Web/WebAppAuthenticationBuilderExtensions.cs#L82From logging we can see that when the user is unauthorized and the code above is not used, cookie and OIDC handlers fail and redirect to
/Account/AccessDenied...is done.When the above fix is used, after the handlers fail to authorize, the redirect is made to a correct page.
I looked through the ASP.NET Core repo and really the only references to
AccessDeniedPathI found were related to cookies.The default path value is in CookieAuthenticationDefaults.
If the custom path is not specified, it is set to default in PostConfigureCookieAuthenticationOptions PostConfigure.
CookieAuthenticationHandlerbuilds the URI and redirects in HandleForbiddenAsync.In 0.1.4-preview release