How to return custom http status code while using IResourceOwnerPasswordValidator #332

Closed
avoxm opened this Issue Sep 21, 2016 · 4 comments


avoxm commented Sep 21, 2016

I have implemented IResourceOwnerPasswordValidator for user credentials validation.

In ValidateAsync I check whether a user with the provided username exists and, if yes, I validate the password. I need to show the user 2 different messages when the user does not exist and when it exists but the password is incorrect, so I am thinking of returning 2 different status codes (or any other indicator that does not rely on the response message) for each case. Please see the sample code below.

using System.Threading.Tasks;
using IdentityServer4.Validation;

// _repository and IsValidPassword are part of the poster's own application code and are not shown here.
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    public Task<CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
    {
        var user = _repository.FindByUsername(userName);

        if (user == null)
        {
            // would like to return 404 here
            return Task.FromResult(new CustomGrantValidationResult("Invalid username"));
        }

        if (IsValidPassword(password))
        {
            // success: subject, authentication method, claims, identity provider
            var result = new CustomGrantValidationResult(user.Id.ToString(), "password", user.Claims, "idsrv");
            return Task.FromResult(result);
        }

        // would like to return 401 here
        return Task.FromResult(new CustomGrantValidationResult("Invalid password"));
    }
}
brockallen commented Sep 21, 2016

The spec is clear about what status codes are expected for what conditions: https://tools.ietf.org/html/rfc6749#section-4.3.3

IIRC we added support for returning an error description... I'd have to double check.

@brockallen brockallen added the question label Sep 21, 2016

avoxm commented Sep 21, 2016

Thanks for your feedback @brockallen. What about setting the HTTP status code? Is there a way to do it? As per the spec, the authorization server must be able to set a code other than 400. How can I do it in ValidateAsync?

brockallen commented Sep 21, 2016

We don't give you a way. You return the grant validation result and we set the appropriate status code. You can set the error description on it and we will pass that back to the client.

avoxm commented Sep 21, 2016

I guess that leaves me with only error description. Thanks

@brockallen brockallen closed this Sep 21, 2016
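Putting brockallen's answer into code: an added example (not code from this thread or from IdentityServer4 itself) of a validator that carries the two cases in the error description while leaving the HTTP status code to IdentityServer. It assumes the RC-era API used in the question, that CustomGrantValidationResult exposes a settable ErrorDescription property, and hypothetical IUserStore and AppUser application types.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Validation;

// Hypothetical application user store (an assumption of this example, not an IdentityServer4 type).
public interface IUserStore
{
    AppUser FindByUsername(string userName);
    bool VerifyPassword(AppUser user, string password);
}

public class AppUser
{
    public string Id { get; set; }
    public IEnumerable<Claim> Claims { get; set; }
}

public class DescriptiveResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly IUserStore _users;

    public DescriptiveResourceOwnerPasswordValidator(IUserStore users)
    {
        _users = users;
    }

    public Task<CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
    {
        var user = _users.FindByUsername(userName);

        if (user == null)
        {
            // IdentityServer picks the status code (400 for a grant failure per RFC 6749 section 5.2);
            // only error_description differs between the two failure cases. Be aware that a distinct
            // message here also reveals to the caller which usernames exist.
            return Task.FromResult(Fail("Invalid username"));
        }

        if (!_users.VerifyPassword(user, password))
        {
            return Task.FromResult(Fail("Invalid password"));
        }

        return Task.FromResult(new CustomGrantValidationResult(user.Id, "password", user.Claims, "idsrv"));
    }

    // Assumption: the string constructor sets the error code and ErrorDescription is a settable property.
    private static CustomGrantValidationResult Fail(string description)
    {
        return new CustomGrantValidationResult("invalid_grant") { ErrorDescription = description };
    }
}
```

The client then sees the spec-defined error body, for example {"error":"invalid_grant","error_description":"Invalid password"}, and can branch on error_description rather than on the status code.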
