CODEWITHSUNDEEP
authenticationopenid-connectasp.net-core-webapiopeniddict
Geekn
Geekn

Reputation: 2882

Openiddict returning 404 instead of 401 for unauthorized web api calls (core 2.0)

I've setup openiddict in a .net core 2.0 web api and have the code and password flows working. I have test cases to ensure locked down actions in the API get refused when the requestor is not authorized which looks for a 401 status code.

When these tests run, the response is 404 not found instead of 401 which makes my test fail. I know the route is correct, because it returns 200 when it allows anonymous. I'm getting 404 whenever I try to access any action that is locked down without authentication. Is this the default status for openiddict when you try to access an resource without being authenticated? This behavior occurs whether its ran from the browser, from postman, or from the test case. How do I configure it to return 401? I have provided my configuration below. 

services.AddOpenIddict<int>(options =>
{
    options.AddEntityFrameworkCoreStores<ApplicationContext>();
    options.AddMvcBinders();
    options.EnableAuthorizationEndpoint("/connect/authorize");
    options.EnableTokenEndpoint("/connect/token");
    options.AllowAuthorizationCodeFlow();
    options.AllowPasswordFlow();
    options.AllowRefreshTokenFlow();
    options.RequireClientIdentification();
    options.SetAccessTokenLifetime(TimeSpan.FromMinutes(1));
    options.SetRefreshTokenLifetime(TimeSpan.FromMinutes(20160));
    options.DisableHttpsRequirement();
 });
services.AddAuthentication()
    .AddFacebook(o => { o.ClientId = settings.FacebookAppID; o.ClientSecret = settings.FacebookAppSecret; })
    .AddOAuthValidation();

Upvotes: 0

Views: 2427

Answers (1)

Geekn
Geekn

Reputation: 2882

I was able to get the desired 401 by specifying the default challenge to oauth. Would still be nice to know where it was trying to redirect to.

services.AddAuthentication(o =>
    {
        o.DefaultAuthenticateScheme = OAuthValidationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OAuthValidationDefaults.AuthenticationScheme;
    })
    .AddFacebook(o => { o.ClientId = settings.FacebookAppID; o.ClientSecret = settings.FacebookAppSecret; })
    .AddOAuthValidation();

Upvotes: 5

Related Questions