Access Denied query string too long

I'm developing an ASP.NET Core application. I'm using the built-in Identity for login, roles, authorization and authentication. I'm developing/testing/debugging with IIS Express on a Windows machine. When I'm logged in as a non-admin user and try to navigate to a URL that only admins have access to (Authorize attribute on the whole controller), the application redirects to an access denied URL, but then I get an error message saying that the URL query string is too long. Upon inspecting the URL, it appears to have repeated sections. I'll try to paste it below. Should I report this as a bug, or can I change a setting to prevent it?

https://localhost:44383/Account/AccessDenied?ReturnUrl=%2FAccount%2FAccessDenied%3FReturnUrl%3D%252FAccount%252FAccessDenied%253FReturnUrl%253D%25252FAccount%25252FAccessDenied%25253FReturnUrl%25253D%2525252FAccount%2525252FAccessDenied%2525253FReturnUrl%2525253D%252525252FAccount%252525252FAccessDenied%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FAccessDenied%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FAccessDenied%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FAccessDenied%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FAccessDenied%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FAccessDenied%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FAccessDenied%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FAccessDenied%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FAccessDenied%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FAccessDenied%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FAccessDenied%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FAccessDenied%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FAccessDenied%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FAccessDenied%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%
2525252525252525252525252525252525252FAdmin%2525252525252525252525252525252525252FEditUser%2525252525252525252525252525252525252Ff61bbba3-42b5-4831-8ff1-4d92e42d5d99
Matthew Bishop asked Feb 11 '18 10:02


1 Answer

The URL you received shows you have an endless redirection loop, where each loop adds the URL again and passes it to itself.

In the default ASP.NET Core Identity templates, the AccountController is decorated with the [Authorize] attribute, meaning any logged-in user can access it.

The fact that you get redirected when trying to access the /Account/AccessDenied route/action means the logged-in user doesn't have permission to access it.

This can happen when you use a different authentication scheme, [Authorize(Scheme = "SomethingElse")], or, as in your case (from your last comment), when a special group is required, [Authorize(Roles = "Something")].

Even if you have some valid reason to change it at the controller level, you should be able to set

[HttpGet]
[Authorize]
public IActionResult AccessDenied(string returnUrl) { ... }

to make an exception to it, or use

[HttpGet]
[AllowAnonymous]
public IActionResult AccessDenied(string returnUrl) { ... }

which will allow any user to access it.

Tseng answered Sep 20 '22 13:09
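The loop the answer describes, as an added Python model that is not code from the question, the answer or ASP.NET Core itself: a path-prefix to required-roles table stands in for the [Authorize]/[AllowAnonymous] attributes, a signed-in non-admin user is assumed, the GUID is taken from the question's URL, and the ReturnUrl nesting (%2F, then %252F, then %25252F) is reproduced with Python's urllib encoding.

```python
"""Model of the AccessDenied redirect loop in the question and the answer's fix.
Added illustration, not ASP.NET Core's code: a path-prefix -> required-roles table
stands in for [Authorize]/[AllowAnonymous]; handle() for the cookie handler's redirect."""
from urllib.parse import parse_qs, quote, urlsplit

ACCESS_DENIED = "/Account/AccessDenied"
ANONYMOUS = None              # [AllowAnonymous]
AUTHENTICATED = frozenset()   # [Authorize] with no Roles: any signed-in user

# Controller-level [Authorize(Roles = "Admin")] on both controllers, as in the question.
LOOPING = {"/Account": frozenset({"Admin"}), "/Admin": frozenset({"Admin"})}
# The same, plus [AllowAnonymous] on the AccessDenied action, as the answer suggests.
FIXED = {**LOOPING, ACCESS_DENIED: ANONYMOUS}
USER = frozenset({"User"})    # assumed: signed in, but not an admin
TARGET = "/Admin/EditUser/f61bbba3-42b5-4831-8ff1-4d92e42d5d99"  # from the question's URL

def required_roles(path, routes):
    """Longest matching prefix wins: an action-level attribute overrides the controller's."""
    hits = [p for p in routes if path == p or path.startswith(p + "/")]
    return routes[max(hits, key=len)] if hits else ANONYMOUS

def allowed(need, roles):
    if need is ANONYMOUS or need == AUTHENTICATED:
        return True               # the caller is modelled as already signed in
    return bool(need & roles)     # Roles = "A,B" is satisfied by any one listed role

def handle(url, roles, routes):
    """200 for the page itself, or 302 to AccessDenied with the current URL as ReturnUrl."""
    if allowed(required_roles(urlsplit(url).path, routes), roles):
        return 200, url
    return 302, f"{ACCESS_DENIED}?ReturnUrl={quote(url, safe='')}"

def follow(url, roles, routes, max_hops=4):
    """Follow redirects until a 200 or the hop budget is spent; return every URL seen."""
    chain = [url]
    for _ in range(max_hops):
        status, location = handle(chain[-1], roles, routes)
        if status == 200:
            break
        chain.append(location)
    return chain

def return_url(url):
    """Decode one level of ReturnUrl, as the AccessDenied action itself would see it."""
    return parse_qs(urlsplit(url).query)["ReturnUrl"][0]

if __name__ == "__main__":
    for hop in follow(TARGET, USER, LOOPING):   # each hop re-encodes the last: %2F -> %252F -> %25252F
        print(len(hop), hop[:80])
    print(follow(TARGET, USER, FIXED))          # one redirect, then the page renders
```

Each hop wraps the previous URL as a fresh ReturnUrl, so the query string grows by one encoded copy per redirect until the server rejects it; with the action-level [AllowAnonymous] the chain stops after the first redirect.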