
I have one question, which is connected with redirecting and auth policies.

Let's have one controller, which allows an anonymous method like this:

```csharp
[Route("Authorization")]
[Authorize]
public class AuthorizationController : Controller
{
    // ...
    [HttpPost]
    [Route("AddUser")]
    [AllowAnonymous]
    public async Task<IActionResult> AddUser()
    {
        return await Task.Run<ActionResult>(() =>
        {
            return RedirectToAction("Post", "Proxy");
        });
    }
}
```

The second controller has a Post method, which needs authorization:

```csharp
[Authorize]
public class ProxyController : Controller
{
    // ...
    [HttpPost]
    public async Task Post()
    {
        var uri = new Uri(UriHelper.GetEncodedUrl(Request));
        var routedUri = NewRouteBuilder(uri);

        var client = new HttpClient();
        var response = await client.PostAsync(routedUri, new StreamContent(Request.Body));
        var content = await response.Content.ReadAsStringAsync();

        Response.StatusCode = (int)response.StatusCode;
        Response.ContentType = response.Content.Headers.ContentType?.ToString();
        Response.ContentLength = response.Content.Headers.ContentLength;

        await Response.WriteAsync(content);
    }
}
```

If I use this code, I get a 401 error in AuthorizationController when I call AddUser. Both of these controllers are in one project. How is it possible to redirect to the action in this case (one which allows only authorized users or calls from ProxyController to pass to the action)?

Thank you.

Dmitriy
  • As you added an AllowAnonymous attribute on the AddUser Method :) – Laurent Lequenne Dec 06 '17 at 07:56
  • @Laurent Lequenne So, I want to pass without any authorization for AuthentificationController methods... – Dmitriy Dec 06 '17 at 07:58
  • @Dmitriy But even a redirect is a separate request. `RedirectToAction` will issue a 302 response with a `Location` header. The browser will then establish a new connection to the server and try to perform the ProxyController action. – ProgrammingLlama Dec 06 '17 at 08:02
  • @john Yes, and I want to find another way of redirection (not via RedirectToAction, for example)... – Dmitriy Dec 06 '17 at 08:13
  • Well, you could potentially use cookie authentication, and authenticate the user in the first method. Or you could pass some kind of one-time token with the request and use a custom authorize attribute. What are you actually trying to achieve here? – ProgrammingLlama Dec 06 '17 at 08:24
  • @john The main idea: use a proxy for all authorized users' calls, but some calls could be proxied without authorization. – Dmitriy Dec 06 '17 at 08:27
  • Instead of a proxy controller, why not use an ActionFilterAttribute? Or if that doesn't work for what you want to do for some reason, you could derive a result type from `ActionResult` and override `ExecuteResult`. – ProgrammingLlama Dec 06 '17 at 08:39
  • @john Will an action filter allow me to create a proxy analog? Could you give me an example? Thanks. – Dmitriy Dec 06 '17 at 08:39
  • @Dmitriy I'll try and sort something out for you in a couple of hours if nobody else has stepped in. – ProgrammingLlama Dec 06 '17 at 08:41
  • @john Thank you very much! – Dmitriy Dec 06 '17 at 09:03
  • @john I want to add a little. For authentication I use JWT-token based authentication. So, maybe, it's a good idea to rewrite the header of the incoming request for an anonymous call with the token I give when the controller starts (the controller's own token)? But I can't find how to implement it correctly. ((( – Dmitriy Dec 06 '17 at 11:11
  • @Dmitriy I didn't really come up with anything that works very well, I'm afraid. It's mainly because I was trying to be too generic, but this demonstrates the general idea. I'd add it as an answer but since it doesn't work very well, I figured I best just link it via pastebin. Anyone else who needs to do similar can look up ActionFilterAttribute or how to derive from ActionResult. Anyway, [here](https://pastebin.com/83XStR6j) is the link. – ProgrammingLlama Dec 06 '17 at 15:13
  • Once you get a working solution, feel free to add it as an answer to your own question :) – ProgrammingLlama Dec 06 '17 at 15:14
  • @john Thank you very much for your answer! I'll read it hard today. Hope I'll solve my problem! – Dmitriy Dec 06 '17 at 15:21
  • @john Man, I LOVE YOU! I LOOOOOOOVEEEEE YOU!!! IT WORKS!!! So, only one string needs to be added: `proxyRequestMsg.Content = content;` So, I realized the proxy through ProxyActionResult. I also added authorization control and regex parsing for correct routes. You are really a genius! Thank you very much! – Dmitriy Dec 10 '17 at 00:34
  • @Dmitriy I'm glad I could help :) – ProgrammingLlama Dec 10 '17 at 03:13
  • @John Hehe))) Now I'm trying to add JWT token validation here. But not so successfully. (( I get a new token, but JWT auth always passes even if I change some symbols in this token. I don't know why - I added AddAuth* and other options from examples. Maybe you could help me a little again?)) – Dmitriy Dec 10 '17 at 03:21
  • That one I don't know about, I'm afraid :) – ProgrammingLlama Dec 10 '17 at 03:24
  • @john Ah, never mind. )) Thank you for your help again! I'll try to seek info about token validation. – Dmitriy Dec 10 '17 at 03:25
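
The approach suggested in the comments (derive from `ActionResult` so the forwarding happens inside the same request, with no 302 and no second, unauthenticated request) can look like the sketch below. This is an added example, not the pastebin code and not code from anyone in the thread. The upstream host, the `AnonymousPaths` allowlist and the assumption that the upstream uses the same path as the incoming request are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Usage inside AddUser (assumed): return new ProxyActionResult();
public class ProxyActionResult : ActionResult
{
    private static readonly HttpClient Client = new HttpClient();
    // Placeholder upstream; the scheme and host are fixed here, never taken from the client.
    private const string UpstreamAuthority = "http://backend.internal.example";
    // Hypothetical allowlist: the only paths that may be forwarded without a logged-in user.
    private static readonly string[] AnonymousPaths = { "/Authorization/AddUser" };

    public override async Task ExecuteResultAsync(ActionContext context)
    {
        var request = context.HttpContext.Request;
        var response = context.HttpContext.Response;
        var authenticated = context.HttpContext.User?.Identity?.IsAuthenticated == true;
        var anonymousOk = AnonymousPaths.Contains(request.Path.Value, StringComparer.OrdinalIgnoreCase);
        if (!authenticated && !anonymousOk)
        {
            response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        // Only the path and query come from the request, appended to the fixed authority.
        var target = new Uri(UpstreamAuthority + request.Path.ToUriComponent() + request.QueryString.ToUriComponent());
        using (var message = new HttpRequestMessage(HttpMethod.Post, target))
        {
            message.Content = new StreamContent(request.Body);
            if (request.ContentType != null)
                message.Content.Headers.TryAddWithoutValidation("Content-Type", request.ContentType);

            using (var upstream = await Client.SendAsync(message, HttpCompletionOption.ResponseHeadersRead))
            {
                response.StatusCode = (int)upstream.StatusCode;
                response.ContentType = upstream.Content.Headers.ContentType?.ToString();
                await upstream.Content.CopyToAsync(response.Body);
            }
        }
    }
}
```

Because the `[AllowAnonymous]` action now reaches the backend directly, the check at the top of `ExecuteResultAsync` is what keeps unauthenticated callers limited to the allowlisted paths.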

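
For the symptom in the last comments (a modified token still being accepted), a small self-check helps confirm whether signature validation is actually enforced. This is an added example, not code from the thread; the key, issuer and audience are constructed demo values, and the thread does not say what caused the behaviour described. With the parameters below, the original token is accepted and the altered copy is rejected.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtTamperCheck
{
    // Constructed demo values; a real key comes from configuration or a secret store.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-signing-key-0123456789"));
    private const string Issuer = "https://issuer.example";
    private const string Audience = "proxy-api";
    public static readonly TokenValidationParameters Parameters = new TokenValidationParameters
    {
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true, IssuerSigningKey = Key,
        ValidateIssuer = true, ValidIssuer = Issuer,
        ValidateAudience = true, ValidAudience = Audience,
        ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30)
    };

    // True only if signature, issuer, audience and lifetime all validate.
    public static bool IsAccepted(string token)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, Parameters, out SecurityToken _);
            return true;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return false;
        }
    }

    public static void Main()
    {
        var jwt = new JwtSecurityToken(Issuer, Audience, new[] { new Claim("sub", "demo-user") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        var token = new JwtSecurityTokenHandler().WriteToken(jwt);

        // Alter the first signature character; the last one carries two unused bits.
        var parts = token.Split('.');
        parts[2] = (parts[2][0] == 'A' ? 'B' : 'A') + parts[2].Substring(1);
        Console.WriteLine($"original accepted: {IsAccepted(token)}");
        Console.WriteLine($"tampered accepted: {IsAccepted(string.Join(".", parts))}");
    }
}
```

The same `TokenValidationParameters` object can be assigned to `JwtBearerOptions.TokenValidationParameters` in `AddJwtBearer`, and the bearer handler only runs if `app.UseAuthentication()` is in the pipeline before MVC.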