Larry Grady

Reputation: 519

Web API, return 403 when /token call is not secure

We have a Web API 2 REST service. We're using the basic OWIN OAuth token authentication and we require HTTPS. We've added a RequireHttpsAttribute filter that checks and returns back a 403 HTTPS Required error when a request is made with plain HTTP.

The problem is our /token request. When we request our token we're NOT returning back the 403 error. In the Startup.Auth.cs config file we set AllowInsecureHttp=false. So this prevents users from requesting a token with an insecure call.

However, when this call is made we get a 404 Not Found error, not the 403 HTTPS Required that we want. Can anyone help me figure out how to fix this error?

I realize we're not using the RequireHttpsAttribute because this is happening outside of the normal authentication; this is how we get the token FOR that authentication. So I'm not sure where I should be checking for the secure connection. I tried in the AuthenticationOAuthProviders class, in the GrantResourceOwnersCredentials method. Before authenticating the username and password I put in a check for HTTPS, but I wasn't able to raise an HTTP status code error from there.

Upvotes: 1

Views: 721

Answers (1)

Federico Dipuma

Reputation: 18265

You could try using a simple OWIN middleware at the beginning of your OWIN pipeline, instead of a Web API filter. This way you'll catch every request made to your application.

Here is a small sample:

using System;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Inline middleware registered first, so it runs for every request,
        // including the OAuth /token request, before any later middleware.
        app.Use(async (ctx, next) =>
        {
            // Scheme is "http" or "https"; compare case-insensitively to be safe.
            if (ctx.Request.Scheme.Equals(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
                await next.Invoke();
            else
                // Short-circuit: do not call next, just answer 403.
                ctx.Response.StatusCode = 403;
        });

        //other middlewares
        //app.UseWebApi(..)
    }
}

Upvotes: 1
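The same idea written as a reusable middleware class, added here as an example and not part of the answer above. It assumes the standard Microsoft.Owin and Microsoft.Owin.Security.OAuth packages; the provider instance, token path and expiry are placeholders for your own Startup.Auth.cs values. The ordering comment explains the 404 from the question: with AllowInsecureHttp = false the OAuth server middleware does not handle an insecure /token request at all, so it falls through the rest of the pipeline and ends as 404, which is why the 403 has to be produced before that middleware runs.

```csharp
// Added example (not the original answer's code): reusable OWIN middleware that
// answers every non-HTTPS request with 403 before the OAuth token endpoint runs.
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class RequireHttpsMiddleware : OwinMiddleware
{
    public RequireHttpsMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        // IsSecure is true only when the request itself arrived over TLS.
        if (context.Request.IsSecure)
        {
            await Next.Invoke(context);
            return;
        }

        // Same 403 the Web API RequireHttpsAttribute filter produces, so clients
        // see one consistent error for API calls and for the /token request.
        context.Response.StatusCode = 403;
        context.Response.ReasonPhrase = "HTTPS Required";
        context.Response.ContentType = "text/plain";
        await context.Response.WriteAsync("HTTPS Required");
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Registered before the OAuth server middleware: an insecure /token
        // request is rejected here with 403. If it reached the OAuth middleware,
        // AllowInsecureHttp = false would make that middleware ignore the request,
        // and the pipeline would end with the 404 seen in the question.
        app.Use<RequireHttpsMiddleware>();

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),   // assumption: your token path
            AllowInsecureHttp = false,
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1), // assumption: your expiry
            // Assumption: replace with your own provider (the class that overrides
            // GrantResourceOwnerCredentials).
            Provider = new OAuthAuthorizationServerProvider()
        });

        // other middlewares, e.g. app.UseWebApi(config)
    }
}
```

One caveat before deploying this: if TLS is terminated at a load balancer or reverse proxy in front of the application, IsSecure will be false for every request and this middleware will reject all of them. In that setup the check has to be based on what the trusted proxy reports (typically a forwarded-protocol header), and only when that header cannot be supplied by an untrusted client.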
