Skip to content

Cookie authentication: OnRedirectToAccessDenied setting the status code doesn't work #13229

@findmoon

Description

With cookie authentication, I added an OnRedirectToAccessDenied event and changed the status to 403. Although the event is executed, the response is still 200 and the AccessDenied page. How do I make the 403 status code work?

The OnRedirectToLogin event responding with 401 works fine, so I'm confused.

// Startup.ConfigureServices; the AddCookie call is chained onto AddAuthentication.
// using System;
// using System.Threading.Tasks;
// using Microsoft.AspNetCore.Authentication.Cookies;
// using Microsoft.AspNetCore.Http;
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    #region
    ////options.LoginPath // seems to have no effect
    //options.AccessDeniedPath = "/Account/AccessDenied";

    // For /api/* requests answer 401 instead of redirecting to the login page.
    options.Events.OnRedirectToLogin = context =>
    {
        if (context.Request.Path.StartsWithSegments("/api", StringComparison.OrdinalIgnoreCase))
        {
            if (context.Response.StatusCode == StatusCodes.Status200OK)
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            }
        }
        return Task.CompletedTask;
    };

    // For /api/* requests answer 403 instead of redirecting to the access-denied page.
    options.Events.OnRedirectToAccessDenied = context =>
    {
        if (context.Request.Path.StartsWithSegments("/api", StringComparison.OrdinalIgnoreCase))
        {
            if (context.Response.StatusCode == StatusCodes.Status200OK)
            {
                context.Response.Headers["Location"] = context.RedirectUri;
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
            }
        }
        return Task.CompletedTask;
    };
    #endregion
});


If I try to write to the response, it throws an InvalidOperationException as follows:

// Same handler as above, but now also writing a body. The delegate is async so the
// write is awaited; the status code is set before the first byte is written.
options.Events.OnRedirectToAccessDenied = async context =>
{
    if (context.Request.Path.StartsWithSegments("/api", StringComparison.OrdinalIgnoreCase))
    {
        if (context.Response.StatusCode == StatusCodes.Status200OK)
        {
            context.Response.Headers["Location"] = context.RedirectUri;
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            // Writing starts the response; StatusCode cannot be changed after this.
            await context.Response.WriteAsync("error code " + StatusCodes.Status403Forbidden,
                context.HttpContext.RequestAborted);
        }
    }
};

Exception:

fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
System.InvalidOperationException: StatusCode cannot be set because the response has already started.

How can I get a correct 403, and why is this invalid? Can you help me? Many thanks!
The environment is ASP.NET Core 2.2.
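Added example (not the reporter's code and not from the ASP.NET Core repository): the pattern below is how I would split the two cookie events so that browser requests keep the default 302 redirect while /api/* requests get a bare 401 or 403 with a small JSON body. It assumes an ASP.NET Core 2.2 app with /api as the API prefix and /Account/Login and /Account/AccessDenied as the page routes; the extension-method name AddSplitCookieAuth and the helper names are hypothetical.

```csharp
// Added example, not the reporter's code nor the ASP.NET Core project's own.
// Assumes: ASP.NET Core 2.2, API under /api, cookie-based pages elsewhere.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class CookieAuthSetup
{
    // Hypothetical helper; call services.AddSplitCookieAuth() from Startup.ConfigureServices.
    public static void AddSplitCookieAuth(this IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
            {
                options.LoginPath = "/Account/Login";             // assumed route
                options.AccessDeniedPath = "/Account/AccessDenied"; // assumed route

                // Unauthenticated: 401 for the API, redirect to LoginPath otherwise.
                options.Events.OnRedirectToLogin = context =>
                    RespondWithStatusOrRedirect(context, StatusCodes.Status401Unauthorized);

                // Authenticated but not authorized: 403 for the API, redirect otherwise.
                options.Events.OnRedirectToAccessDenied = context =>
                    RespondWithStatusOrRedirect(context, StatusCodes.Status403Forbidden);
            });
    }

    // Replaces the built-in event handler: the built-in one always redirects
    // (302 + Location). Here the redirect is kept only for non-API requests.
    private static async Task RespondWithStatusOrRedirect(
        RedirectContext<CookieAuthenticationOptions> context, int statusCode)
    {
        if (!IsApiRequest(context.Request))
        {
            context.Response.Redirect(context.RedirectUri);
            return;
        }

        // Order matters: status and headers first, body last. Writing the first
        // byte starts the response, after which StatusCode can no longer be set
        // (that is the InvalidOperationException from the issue text).
        context.Response.StatusCode = statusCode;
        context.Response.ContentType = "application/json";
        // No Location header: a 401/403 is not a redirect, and a Location header
        // on a non-3xx response is just noise for clients and proxies.
        await context.Response.WriteAsync(
            "{\"status\":" + statusCode + "}",
            context.HttpContext.RequestAborted);
        // Nothing in this handler touches the response after the write.
    }

    // Only the API prefix gets status codes; everything else keeps page redirects.
    public static bool IsApiRequest(HttpRequest request) =>
        request.Path.StartsWithSegments("/api", StringComparison.OrdinalIgnoreCase);
}
```

Two things worth checking in the pipeline when a 403 set in the event still ends up as a 200 page: a status-code-pages middleware configured with UseStatusCodePagesWithRedirects turns any 4xx into a 302 to an error page that is then served with 200 (UseStatusCodePagesWithReExecute preserves the original status), and any middleware or filter that runs after the event and assigns Response.StatusCode will throw the "response has already started" exception once a body has been written, which is why the example writes the body only as the very last step.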

Metadata

Assignees: No one assigned
Labels: area-auth (Includes: Authn, Authz, OAuth, OIDC, Bearer)
Milestone: No milestone
