12

I am getting up to speed on Asp.Net Identity in .NET 4.5. I set up a test app that registers, logs in, and attempts to make a call to an Api Controller that requires a Claim of "Admin":

[Authorize(Roles="Admin")]
public class WorkController : ApiController

When a request is made that does not have the Claim of "Admin", the Web Api still returns 200-OK, but with the JSON of: {Message:"Authorization has been denied for this request."}

This seems a little odd to me, since this does not represent a successful request. I was expecting a 401 error. I am having trouble finding information on how to customize the response, or return a proper status code... I guess I should ask if 401 is even proper for this, or is the 200 the correct status code to use, and I should just handle it?

edit: For some reason it is now returning 401. Now I don't understand why I was getting the JSON message earlier if it was denied?

Mike_G
  • 16,237
  • 14
  • 70
  • 101

2 Answers

2

I figured it out. I was getting the JSON message when the LoginPath for the OwinStartup class was specified.

Mike_G
  • 16,237
  • 14
  • 70
  • 101
  • I am curious why the LoginPath affects the status code. It makes no sense to me. I want 401 but why can't I specify LoginPath then? – Stilgar May 12 '14 at 12:34
  • @Stilgar I wonder too. My guess is the nature of WebApi vs MVC. Maybe when the LoginPath is specified WebApi is guessing you want to know that stuff and returns a message instead of an error. – Mike_G Jun 18 '14 at 15:36
  • I've just been scratching my head on this one, and came across this StackOverflow post: http://stackoverflow.com/questions/20149750/unauthorised-webapi-call-returning-login-page-rather-than-401, and this Brock Allen article: http://brockallen.com/2013/10/27/using-cookie-authentication-middleware-with-web-api-and-401-response-codes/ - it seems that it's an unusual behaviour, but there's a workaround for it in the article. – Andrew Trevers Aug 06 '14 at 15:18
  • Can you explain in more detail how you fixed the problem and why the LoginPath causes the problem? I can't figure it out from your response. Thanks. – rollsch Dec 17 '16 at 05:08
  • This link explains it quite well and also provides a solution https://brockallen.com/2013/10/27/using-cookie-authentication-middleware-with-web-api-and-401-response-codes/ – rollsch Dec 17 '16 at 05:25
1

The article referred to above is correct, however I think it doesn't cover the case where the API is being called by a 3rd party application rather than as an ajax request (testing query["X-Requested-With"], etc.).

This is my preference:

in Startup.Configuration() or Startup.ConfigureAuth():

// usings needed at the top of Startup.cs
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/LogOn"),
    Provider = new CookieAuthenticationProvider
    {
        // The cookie middleware normally rewrites a 401 into a 302 to LoginPath.
        // Only do that for non-API requests, so API callers keep the 401.
        OnApplyRedirect = ctx =>
        {
            if (!IsApiRequest(ctx.Request))
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }
        }
    }
});

// Helper on the Startup class: anything under /api is treated as an API call.
private bool IsApiRequest(IOwinRequest request)
{
    return request.Uri.AbsolutePath.StartsWith("/api");
}
Michael Ribbons
  • 1,753
  • 1
  • 16
  • 26
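As an added example (not code from the question or either answer), the snippet below combines the two detection strategies discussed on this page: the path-prefix check from the answer above, which covers third-party clients that send no special headers, and the `X-Requested-With` / `Accept` header checks from the linked Brock Allen article, which cover browser AJAX calls. It assumes the standard Katana and ASP.NET Identity 2.x packages and that Web API routes are mounted under `/api`; the `ApiRequestDetector` class name and the `/Account/Login` path are assumptions for illustration. When `OnApplyRedirect` skips the redirect, the 401 produced by `[Authorize]` reaches the client unchanged, which is what lets an API consumer distinguish "not authorized" from a successful page load.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example; Startup.ConfigureAuth is the conventional hook in ASP.NET
// Identity templates, but the same registration works from Startup.Configuration.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // assumed login route
            Provider = new CookieAuthenticationProvider
            {
                // The middleware turns the 401 produced by [Authorize] into a 302
                // to LoginPath. That is right for browser page requests, but an API
                // caller should see the 401 itself, so only redirect non-API traffic.
                OnApplyRedirect = ctx =>
                {
                    if (!ApiRequestDetector.IsApiRequest(ctx.Request))
                    {
                        ctx.Response.Redirect(ctx.RedirectUri);
                    }
                }
            }
        });
    }
}

// Hypothetical helper (not part of Katana) that classifies a request as an API call.
public static class ApiRequestDetector
{
    public static bool IsApiRequest(IOwinRequest request)
    {
        // 1. Path prefix: covers third-party clients that send no AJAX markers.
        if (request.Uri.AbsolutePath.StartsWith("/api", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        // 2. Classic AJAX marker set by jQuery and most browser HTTP libraries.
        var requestedWith = request.Headers.Get("X-Requested-With");
        if (string.Equals(requestedWith, "XMLHttpRequest", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        // 3. Client explicitly negotiates JSON: a login page would be useless to it.
        var accept = request.Headers.Get("Accept");
        return accept != null
            && accept.IndexOf("application/json", StringComparison.OrdinalIgnoreCase) >= 0;
    }
}
```

The ordinal, case-insensitive comparisons matter because a request for `/API/work` is still routed to Web API, and a client that sends `x-requested-with: xmlhttprequest` is still an AJAX call; a case-sensitive check would silently fall back to the redirect for those requests and reintroduce the 200-instead-of-401 behaviour the question describes.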