What is the default behavior associated with violation of the Authorize attribute in ASP.NET Core

What is the default behavior for breaking an Authorize attribute in ASP.NET Core?

    [Authorize(Roles = "Administrator")]
    public ActionResult ShutDown() { }

It seems to be redirected to /Account/AccessDenied if the user does not have sufficient permissions and /Account/Login if the user has not logged in yet.

Am I right?

I do not see anything about this in the documentation.

+5
2 answers

It depends on which authentication middleware you use.

The cookie authentication middleware by default redirects an unauthenticated user to /Account/Login and an already authenticated user to /Account/AccessDenied. This behavior can be turned off via the AutomaticChallenge flag in the middleware options, in which case it will simply return an HTTP 401 response when the user is not logged in, or 403 when the user is logged in but does not meet the authorization requirements.

The JWT bearer middleware will only return 401 or 403 status codes.

Other middleware may behave differently, depending on which standard it is trying to implement.

+3

I thought it would be helpful to trace through the code and understand what is going on. By default, AuthenticationHandler returns 401 (authentication failed) or 403 (Forbidden). After that, depending on your project configuration, different authentication handlers are added to the pipeline.

  • For example, when you use AddIdentity and UseIdentity, you also call UseCookieAuthentication behind the scenes, which in turn adds CookieAuthenticationMiddleware.
  • CookieAuthenticationMiddleware replaces the default handler with a CookieAuthenticationHandler, but by default the previous handler is kept as its prior handler. Handlers can therefore opt out and let the prior handler produce the result. (This is important for understanding how the AutomaticChallenge flag works.)
  • CookieAuthenticationHandler redirects to AccessDeniedPath or LoginPath, which are taken from the options. By default these paths are /Account/Login and /Account/AccessDenied, but they can be overridden by Identity when it calls UseCookieAuthentication. (Only LoginPath is overridden, but with the same value.)
  • You can also set these paths yourself, for example:

     services.AddIdentity<ApplicationUser, IdentityRole>(opts => opts.Cookies.ApplicationCookie.LoginPath = new PathString("/Account/my-login")); 

The AutomaticChallenge flag mentioned by @blowdart is set to true by default when Identity adds the cookie authentication middleware. When you set it to false, the cookie handler will not take part, and the prior handler will run instead, returning 401 or 403. (By default, the prior handler is the default handler.)

 services.AddIdentity<ApplicationUser, IdentityRole>(opts => opts.Cookies.ApplicationCookie.AutomaticChallenge = false); 
+2
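To check the two behaviours described in the answers above, here is an added xUnit test (not part of the original answers) that hosts a hypothetical role-protected controller in a TestServer with plain cookie middleware and flips AutomaticChallenge. It assumes ASP.NET Core 1.x (the API the answers use), the Microsoft.AspNetCore.TestHost and xunit packages, and that the controller lives in the test assembly where MVC discovers it.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Xunit;
// Hypothetical controller: an action guarded by the role check from the question.
[Route("admin")]
public class AdminController : Controller
{
    [Authorize(Roles = "Administrator")]
    [HttpGet("shutdown")]
    public IActionResult ShutDown() => Ok("shutting down");
}
public class ChallengeBehaviorTests
{
    // Plain cookie middleware (no Identity) so only AutomaticChallenge varies between runs.
    private static TestServer BuildServer(bool automaticChallenge) =>
        new TestServer(new WebHostBuilder()
            .ConfigureServices(services => services.AddMvc())
            .Configure(app =>
            {
                app.UseCookieAuthentication(new CookieAuthenticationOptions
                {
                    AuthenticationScheme = "Cookies",
                    AutomaticAuthenticate = true,
                    AutomaticChallenge = automaticChallenge,
                    LoginPath = "/Account/Login"
                });
                app.UseMvc();
            }));
    // Anonymous caller: 302 to LoginPath when the cookie handler challenges, bare 401 when it opts out.
    [Theory]
    [InlineData(true, HttpStatusCode.Redirect)]
    [InlineData(false, HttpStatusCode.Unauthorized)]
    public async Task Anonymous_request_to_role_protected_action(bool automaticChallenge, HttpStatusCode expected)
    {
        using (var server = BuildServer(automaticChallenge))
        {
            var response = await server.CreateClient().GetAsync("/admin/shutdown");
            Assert.Equal(expected, response.StatusCode);
            if (automaticChallenge)
                Assert.Equal("/Account/Login", response.Headers.Location.AbsolutePath);
        }
    }
}
```

The 403 case (a signed-in user without the Administrator role) is not covered here because it needs a sign-in endpoint and cookie round-trip in the test.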

Source: https://habr.com/ru/post/1258213/
