Question: How to handle OpenIdConnectProtocolException when user denies resource access

In the samples Mvc.Server/Mvc.Client, if the user signs on the server but denies resource access, the server returns a 500 error code and the client fails with the following message:

An unhandled exception occurred while processing the request. OpenIdConnectProtocolException: Message contains error: 'access_denied', error_description: 'The authorization grant has been denied by the resource owner.', error_uri: 'ErrorUri null'.

I read issues https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/138 and https://github.com/aspnet/Security/issues/710 and I understand this happens because UseOpenIdConnectAuthentication (unlike UseBattleNetAuthentication, mentioned in the thread for https://github.com/aspnet/Security/issues/710) does not have an option to handle remote errors.

Is my understanding correct? And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)? Thanks in advance!

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

23 reactions
kevinchalet commented, Jan 18, 2017

Is my understanding correct?

Yep.

And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)?

You can use the RemoteFailure event to override the default logic:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions {
    // ...

    Events = new OpenIdConnectEvents {
        OnRemoteFailure = context => {
            context.Response.Redirect("/");
            context.HandleResponse();

            return Task.FromResult(0);
        }
    }
});

11 reactions
timmi4sa commented, Dec 11, 2020

What a great message thread! It’s 2020 now and in case it would help someone - there is a new event available in the OpenIdProvider options (as of ASP.NET Core 3.0) specifically for the “access_denied” responses named “OnAccessDenied” (the signature and handler are the same as OnRemoteFailure). This is fantastic news because “access_denied” isn’t technically a “remote failure”. The docs are as follows in case you need it: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.remoteauthenticationevents.onaccessdenied?view=aspnetcore-3.0
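
The two events discussed in the comments above, wired together for ASP.NET Core 3.0 or later. This is an added example, not code from the thread or from the project's samples; the authority URL, client id and the two local paths (/consent-declined, /signin-failed) are placeholders. Both handlers redirect to fixed local paths and keep the provider's error detail in the server log rather than echoing it to the browser.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.example.com/"; // placeholder
            options.ClientId = "mvc-client";                  // placeholder
            options.ResponseType = "code";

            options.Events = new OpenIdConnectEvents
            {
                // Raised when the provider answers with error=access_denied,
                // i.e. the user declined the authorization request.
                OnAccessDenied = context =>
                {
                    context.Response.Redirect("/consent-declined"); // fixed local path (assumed)
                    context.HandleResponse(); // stop the default processing
                    return Task.CompletedTask;
                },

                // Raised for every other failure of the remote sign-in.
                OnRemoteFailure = context =>
                {
                    var logger = context.HttpContext.RequestServices
                        .GetRequiredService<ILoggerFactory>()
                        .CreateLogger("OidcClient"); // category name is an assumption
                    // Keep error/error_description in the log, not in the response.
                    logger.LogWarning(context.Failure, "OpenID Connect remote sign-in failed");
                    context.Response.Redirect("/signin-failed"); // fixed local path (assumed)
                    context.HandleResponse();
                    return Task.CompletedTask;
                }
            };
        });
    }
}
```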
