If a token expired, AspNet.Security.OpenIdConnect.Server throws a 500 internal server error, can it just throw a 401 Unauthorized error? #191

Closed
TonyWoo opened this Issue Dec 8, 2015 · 1 comment

@TonyWoo
TonyWoo commented Dec 8, 2015

If a token expired, AspNet.Security.OpenIdConnect.Server throws a 500 internal server error.
The client will not know what happened; is it possible to just throw a 401 Unauthorized error? Thanks.

@PinpointTownes
Member

PinpointTownes commented Dec 8, 2015

The issue you're seeing is likely caused by the JWT bearer middleware (that protects your API and validates access tokens) and not by ASOS itself.

Sadly, it's a known bug - that was not fixed for RC1 - and it's quite difficult to work around it, due to another unfixed bug in the security stack.

AFAIK, your only option is to write a middleware that catches the security exceptions thrown by the JWT bearer middleware (well, rather by the underlying library it uses: IdentityModel) and returns an appropriate 401 response:

app.Use(next => async context => {
    try {
        await next(context);
    }

    catch {
        // If the headers have already been sent, you can't replace the status code.
        // In this case, throw an exception to close the connection.
        if (context.Response.HasStarted) {
            throw;
        }

        context.Response.StatusCode = 401;
    }
});

You can also switch to the latest RC2 nightly builds, since this bug was fixed by @Tratcher recently.

Note that we'll stop using JWT tokens by default in the next beta, so the JWT bearer middleware will no longer be necessary. See #185 for more information.
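A fuller form of the catch-and-translate workaround from the comment above, written here as an added example (it is neither ASOS's code nor the commenter's): it catches only IdentityModel's token validation exceptions rather than everything, and adds the RFC 6750 `WWW-Authenticate` challenge so the client can tell an expired token from a malformed one. The `Microsoft.AspNet.*` and `System.IdentityModel.Tokens` namespaces are assumed to be the RC1-era ones (they were renamed in later releases), and the extension method name is hypothetical.

```csharp
using System;
using System.IdentityModel.Tokens;   // assumed RC1-era namespace; later Microsoft.IdentityModel.Tokens
using System.Threading.Tasks;
using Microsoft.AspNet.Builder;      // assumed RC1-era namespace; later Microsoft.AspNetCore.Builder
using Microsoft.AspNet.Http;

public static class TokenErrorMiddlewareExtensions
{
    // Hypothetical name. Register it in Startup.Configure *before* app.UseJwtBearerAuthentication(...)
    // so it wraps the bearer middleware and sees the exceptions it lets escape.
    public static IApplicationBuilder UseTokenErrorHandling(this IApplicationBuilder app)
    {
        return app.Use(next => async context =>
        {
            try
            {
                await next(context);
            }
            // Only token validation failures become 401; any other exception still surfaces as a 500,
            // which keeps genuine server faults visible in logs instead of masking them as auth errors.
            catch (SecurityTokenException exception)
            {
                // Once headers are on the wire the status code can no longer be changed;
                // rethrow so the connection is closed rather than sending a half-written 500 body.
                if (context.Response.HasStarted)
                {
                    throw;
                }

                context.Response.StatusCode = 401;

                // RFC 6750 section 3: a rejected bearer token is answered with a challenge that
                // carries error="invalid_token"; the description tells the client whether to
                // refresh (expired) or to re-authenticate (anything else).
                var description = exception is SecurityTokenExpiredException
                    ? "The access token has expired"
                    : "The access token is invalid";

                context.Response.Headers["WWW-Authenticate"] =
                    $"Bearer error=\"invalid_token\", error_description=\"{description}\"";
            }
        });
    }
}
```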
