I'm still trying to master front-end development with ASP.NET Core 5 MVC - and I'm still struggling with some issues regarding error handling.
I have defined a number of roles for my app - and I use those as [Authorize(Roles="Admin")]
annotation on some of my Razor pages (their "code-behind" PageModel class):
[Authorize(Roles="Admin")]
public class MyCustomPageModel : PageModel
{
// page model code
}
I then also created a Razor page AccessDenied.cshtml
in the Error
folder:
My expectation would now be: if the user isn't authorized, or not member of that specified role, then ASP.NET Core would throw an error (http 401 - unauthorized) and go to my error page and display it.
Unfortunately - that's not what happens - instead, I get an error:
HTTP ERROR 404
No webpage was found for the web address: https://localhost:44332/Account/AccessDenied?ReturnUrl=/MyCustomMethod
I don't understand where that Account/
is coming from - I never defined it anywhere (to my - albeit limited - knowledge).
I also tried to specifically instruct the runtime to use the /Error
pages for error handling by doing this in the Startup.Configure
method (for the env.IsDevelopment()
branch):
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
// app.UseDeveloperExceptionPage();
app.UseExceptionHandler("/Error");
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
but that didn't change anything.....
So - what am I missing? Where's that Account/
coming from - and how can I influence this?? (e.g. replace /Account/AccessDenied
with /Error/AccessDenied
)
Update: I created this app with the "Microsoft Identity Platform" auth type option; I'm using OpenID Connect with JWT Bearer Tokens.
This is my set up in Startup
class - ConfigureServices
method:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthorization();
@Xerillio - you were really close - I found this while searching yet again, somewhere on the interwebs - and this works and does exactly what I'm looking for:
services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.AccessDeniedPath = new PathString("/Error/AccessDenied");
});
CodePudding user response:
I'm guessing you're using an application cookie as your authentication scheme (rather than e.g. JWT/bearer tokens). If not, please share your Startup.ConfigureServices
to show how you set up Identity.
If I'm correct, you should be able to configure the path that the application should redirect to in case of an HTTP status code 403 Forbidden response. 401 Unauthorized is typically when the user is not authorized at all (not logged in) as opposed to "just" not having the proper role.
To configure the path, if you don't want the standard /Account/AccessDenied
, adding the following in your Startup.ConfigureServices
should work:
services.ConfigureApplicationCookie(options =>
{
options.AccessDeniedPath = "/Error/AccessDenied";
});
For more info on configuring this cookie (and other Identity configuration) take a look at the Identity documentation.