If a token expired, AspNet.Security.OpenIdConnect.Server throws a 500 Internal Server Error; can it just throw a 401 Unauthorized error? #191
PinpointTownes added the bug and external labels on Dec 8, 2015
The issue you're seeing is likely caused by the JWT bearer middleware (that protects your API and validates access tokens) and not by ASOS itself. Sadly, it's a known bug - that was not fixed for RC1 - and it's quite difficult to work around it, due to another unfixed bug in the security stack. AFAIK, your only option is to write a middleware that catches the security exceptions thrown by the JWT bearer middleware (well, rather by the underlying library it uses: IdentityModel) and returns an appropriate 401 response:

```csharp
app.Use(next => async context => {
    try {
        // Run the rest of the pipeline, including the JWT bearer middleware.
        await next(context);
    }
    catch {
        // If the headers have already been sent, you can't replace the status code.
        // In this case, throw an exception to close the connection.
        if (context.Response.HasStarted) {
            throw;
        }
        // Otherwise turn the exception into a 401 instead of a 500.
        context.Response.StatusCode = 401;
    }
});
```

You can also switch to the latest RC2 nightly builds, since this bug was fixed by @Tratcher recently. Note that we'll stop using JWT tokens by default in the next beta, so the JWT bearer middleware will no longer be necessary. See #185 for more information.
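As an added example (not code from this thread, nor from ASOS or the JWT bearer middleware), here is a narrower variant of the workaround above: it catches only the IdentityModel token exceptions rather than every exception, and answers with an RFC 6750 Bearer challenge so the client can tell an expired token apart from a server fault while the exception message itself never reaches the response. It assumes the ASP.NET 5 RC1 namespaces (Microsoft.AspNet.Builder, Microsoft.AspNet.Http) and the System.IdentityModel.Tokens exception types; both are assumptions, not confirmed by the thread.

```csharp
// Added example: map token validation failures to 401 + WWW-Authenticate.
// Assumed namespaces (ASP.NET 5 RC1 era): Microsoft.AspNet.*, System.IdentityModel.Tokens.
using System;
using System.IdentityModel.Tokens;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Http;

public static class TokenFailureHandler
{
    public static IApplicationBuilder UseTokenFailureHandler(this IApplicationBuilder app)
    {
        return app.Use(next => async context =>
        {
            try
            {
                await next(context);
            }
            // Only token-validation failures are handled here; anything else still
            // propagates so genuine server faults are not disguised as 401s.
            catch (SecurityTokenException ex)
            {
                // Headers already sent: the status code cannot be changed any more,
                // so rethrow to abort the connection rather than send a partial body.
                if (context.Response.HasStarted)
                {
                    throw;
                }

                // Tell the client only the coarse RFC 6750 reason; the exception
                // text stays server-side (log it there) and is never echoed back.
                var description = ex is SecurityTokenExpiredException
                    ? "The access token has expired"
                    : "The access token is invalid";

                context.Response.StatusCode = 401;
                context.Response.Headers["WWW-Authenticate"] =
                    "Bearer error=\"invalid_token\", error_description=\"" + description + "\"";
            }
        });
    }
}
```

Register it with `app.UseTokenFailureHandler();` before the JWT bearer middleware so the catch wraps the validation step.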
TonyWoo commented Dec 8, 2015
If a token expired, AspNet.Security.OpenIdConnect.Server throws a 500 Internal Server Error.
The client will not know what happened; is it possible to just throw a 401 Unauthorized error? Thanks.