Ryan Buening
Reputation: 1660
How do I return a 401 status instead of a 302 redirect after cookie has expired?
I'm using cookie authentication without Identity and the following Nuget packages:
<PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.WsFederation" Version="2.0.3" />
I'm setting a short timeout on my cookie and wanting my API calls to return a 401 status instead of a 302 redirect when the cookie has expired. My ConfigureServices looks like the following:
public void ConfigureServices(IServiceCollection services)
{
services.AddTransient<IRestService, RestService>();
services.AddDataProtection()
.SetApplicationName("AspNetCookieShare")
.PersistKeysToFileSystem(new DirectoryInfo(Configuration["DataProtectionKeyDirectory"]));
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
options.Wtrealm = Configuration["Wtrealm"];
options.MetadataAddress = "http://example.com/metadata.xml";
options.SkipUnrecognizedRequests = true;
options.RequireHttpsMetadata = false;
options.UseTokenLifetime = false;
})
.AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromSeconds(10);
options.Cookie.Expiration = TimeSpan.FromSeconds(10);
options.Cookie.Name = "AspNetShared";
options.Cookie.Path = "/";
options.Events.OnRedirectToLogin = context =>
{
context.Response.StatusCode = 401;
return Task.CompletedTask;
};
});
services.AddMvc();
}
I'm using OnRedirectToLogin, however, I'm still getting 302 response and not a 401 after the cookie has expired:
What am I doing wrong?
Upvotes: 4
Views: 2480
Answers (2)
VictorNS
Reputation: 19
Tested for TargetFramework = net6.0
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
...
options.EventsType = typeof(CustomCookieAuthenticationEvents);
});
builder.Services.AddSingleton<CustomCookieAuthenticationEvents>();
public class CustomCookieAuthenticationEvents : CookieAuthenticationEvents
{
public override Task RedirectToLogin(RedirectContext<CookieAuthenticationOptions> context)
{
context.Response.StatusCode = 401;
return Task.CompletedTask;
}
public override Task RedirectToAccessDenied(RedirectContext<CookieAuthenticationOptions> context)
{
context.Response.StatusCode = 403;
return Task.CompletedTask;
}
}
Upvotes: 2
Ryan Buening
Reputation: 1660
I changed my services.AddWsFederation() to the following and it appears to be working:
.AddWsFederation(options =>
{
options.Wtrealm = Configuration["Wtrealm"];
options.MetadataAddress = "http://example.com/metadata.xml";
options.SkipUnrecognizedRequests = true;
options.RequireHttpsMetadata = false;
options.UseTokenLifetime = false;
options.Events.OnRedirectToIdentityProvider = context =>
{
context.Response.StatusCode = 401;
context.HandleResponse();
return Task.CompletedTask;
};
})
Upvotes: 4
Related Questions
- How to return 401 instead of 302 in ASP.NET Core?
- ASP.NET Mvc Api: Set cookie then 302/303 Redirect loses the cookie
- Return 401 instead of redirecting identityserver
- When using an API route, return Http Response 401 instead of redirect to login page when not authorised
- Rejecting an otherwise successful ws-federation login in a CookieAuthenticationProvider()
- How to response status 401 on ASP.NET 5 ASP.NET Identity 3.0 RC1
- Authorize redirect 401 not working
- Web api 302 status redirect
- Asp.net mvc [Authorize] attribute will return http 302 instead of http 401 if the authorization fail
- In Asp.Net MVC 2 is there a better way to return 401 status codes without getting an auth redirect