31

In my WebAPI project, I have number of apis which are decorated with [Authorize] attribute. 

[Authorize]
public HttpResponseMessage GetCustomers()
{
   //my api
}

In case user doesn't have the right token, an access denied exception is returned to the user.

But what I need is that in any such case, I need to return the custom response message as. 

{
  "StatusCode" : 403,
  "message": "You donot have sufficient permission"
}

How do I return this custom message in case authorization fails.

Please note:

  • I am using Owin - Token based authentication.
  • I am not storing the access token in my database or anywhere else.
Kgn-web
  • 7,047
  • 24
  • 95
  • 161
  • have a read of the answers here: http://stackoverflow.com/questions/20149750/owin-unauthorised-webapi-call-returning-login-page-rather-than-401 – Dai Bok Feb 28 '17 at 10:03
  • http://stackoverflow.com/questions/2578756/how-to-make-authorize-attribute-return-custom-403-error-page-instead-of-redirect – Thiago Custodio Feb 28 '17 at 10:44

1 Answers1

42

There are different ways to do this but one of the best way could be custom authorization attributes.You just need to inherit the AuthorizeAttribute and override HandleUnauthorizedRequest() method of it. 

public class CustomAuthorization : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        actionContext.Response = new HttpResponseMessage
        {
            StatusCode = HttpStatusCode.Forbidden,
            Content = new StringContent("You are unauthorized to access this resource")
        };
    }
}

and use this like(CustomAuthorization should be used in-place of Authorize)

    [CustomAuthorization]       
    public IHttpActionResult Get()
    {
        return Ok();
    }

Otherwise you can also catch the status code in client side and display the custom message of your choice.

MANISH KUMAR CHOUDHARY
  • 3,396
  • 3
  • 22
  • 34