Reputation: 82291
I have some code similar to this:
[HttpGet]
[Authorize("MyCustomPolicy")]
public string TestCall()
{
    // GetSomeClaimOnTheUserObject() stands in for the asker's own claim lookup on User
    var lanId = User.GetSomeClaimOnTheUserObject() ?? "Not Found";
    return "Hello From a TestCall Get Operation. Claim is " + lanId;
}
The Authorize Policy looks like this:
// options is the AuthorizationOptions instance passed to services.AddAuthorization(...)
var myCustomPolicy = new AuthorizationPolicyBuilder()
    .RequireAuthenticatedUser()
    .AddAuthenticationSchemes("SomeScheme")
    .Build();
options.AddPolicy("MyCustomPolicy", myCustomPolicy);
When I call it, it allows the call through if the AuthenticationScheme has been met, and blocks it if it has not (as expected).
The part that is not working is when it blocks the call: I would expect a 403 or maybe a 401 to be returned, but instead I am getting a 200 (OK).
How can I get it to return a 401 when it fails the Authorize attribute?
Upvotes: 0
Views: 561
Reputation: 47
I ran into the same issue, and after some searching on SO I found that basically this AuthorizeAttribute will return the view with the login page when auth fails, instead of giving a 401. To solve this you might want to try this answer or, based on your use case, search for some other examples, but essentially the cause of the problem is the same.
Upvotes: 1
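The behaviour the answer describes comes from the authentication scheme's challenge: a cookie scheme answers a failed challenge with a 302 to its login page, and a client that follows redirects then sees the login page's 200. The following is an added example, not code from the question or the answer, showing one way to make that scheme return 401/403 for API calls while still redirecting browser requests. It assumes "SomeScheme" is a cookie scheme, that the login path is /Account/Login, and that API requests are identified by a /api prefix or an Accept: application/json header (all assumptions, adjust to your app):

```csharp
// Added example: configure the cookie scheme "SomeScheme" so that API requests
// get 401/403 status codes instead of a redirect to the login page.
// Assumptions: cookie-based scheme, LoginPath "/Account/Login", API requests
// recognised by "/api" prefix or an Accept header asking for JSON.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication("SomeScheme")
    .AddCookie("SomeScheme", options =>
    {
        options.LoginPath = "/Account/Login";   // assumed login page
        options.Events = new CookieAuthenticationEvents
        {
            // Raised when authentication fails and the scheme is challenged.
            // Default behaviour is a 302 to LoginPath; for API calls send 401 instead.
            OnRedirectToLogin = context =>
            {
                if (IsApiRequest(context.Request))
                {
                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    return Task.CompletedTask;
                }
                context.Response.Redirect(context.RedirectUri);
                return Task.CompletedTask;
            },
            // Raised when the user is authenticated but fails the policy (forbid).
            OnRedirectToAccessDenied = context =>
            {
                if (IsApiRequest(context.Request))
                {
                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
                    return Task.CompletedTask;
                }
                context.Response.Redirect(context.RedirectUri);
                return Task.CompletedTask;
            }
        };
    });

// Same policy as in the question, registered through AddAuthorization.
builder.Services.AddAuthorization(options =>
{
    var myCustomPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .AddAuthenticationSchemes("SomeScheme")
        .Build();
    options.AddPolicy("MyCustomPolicy", myCustomPolicy);
});

builder.Services.AddControllers();

var app = builder.Build();
// Order matters: authentication must run before authorization.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Assumed rule for telling API calls apart from browser navigation.
static bool IsApiRequest(HttpRequest request) =>
    request.Path.StartsWithSegments("/api") ||
    request.Headers["Accept"].ToString().Contains("application/json");
```

When checking the result, call the endpoint with a client that does not follow redirects (or inspect the first response): a 302 to the login page, rather than a 200, is what the default cookie challenge actually emits, and the 401 only appears once the event above short-circuits it. For a pure API that never serves a login page, a bearer-token scheme (which challenges with 401 by default) avoids the redirect problem altogether.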