 

ASP.Net / ASP.NET Core Web API unauthorized requests return a 302 redirect response instead of 401

In ASP.Net / ASP.Net Core WebAPI,

When the client/browser tries to access a WebAPI endpoint which is decorated with the [Authorize] attribute, it gets a 302-Found status code with a redirect response to the Login page, instead of 401-Unauthorized for an unauthorized request.

Note: I have noticed that the Fail(AuthorizationContext context) method in the AuthorizeAttribute filter sets the response code to 401-Unauthorized, but the browser eventually gets a 302-Found response.

How can I send the 401 response instead of 302?

UPDATE: Updated the question for ASP.NET Core

Safeer Hussain asked May 23 '15 09:05



1 Answer

Finally found the solution.

The redirection happens with the Cookie Authentication module. By default its LoginPath property is set to /Account/Login. If it is set to PathString.Empty, it will keep the status code as 401-Unauthorized without changing it to 302-Found.

Change CookieAuthenticationOptions in Startup.cs as follows:

public void ConfigureServices(IServiceCollection services)
{
    // Other configurations ...

    services.Configure<CookieAuthenticationOptions>(o =>
    {
        o.LoginPath = PathString.Empty;
    });

    // ...
}

XML documentation of LoginPath property:

The LoginPath property informs the middleware that it should change an outgoing 401 Unauthorized status code into a 302 redirection onto the given login path. The current url which generated the 401 is added to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back to the url which caused the original unauthorized status code.

If the LoginPath is null or empty, the middleware will not look for 401 Unauthorized status codes, and it will not redirect automatically when a login occurs.


UPDATE: As @swdon pointed out, ASP.NET Core 2.x has a different way of doing this.

Here's the accepted answer from the link 1:

As of ASP.NET Core 2.x:

services.ConfigureApplicationCookie(options =>
{
    // The cookie handler raises this event instead of redirecting directly;
    // setting the status code here and not calling Redirect() leaves the
    // response as a bare 401 instead of a 302 to LoginPath.
    options.Events.OnRedirectToLogin = context =>
    {
        context.Response.StatusCode = 401;
        return Task.CompletedTask;
    };
});
Safeer Hussain answered Nov 07 '22 11:11

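As an added example (not code from the answer above or from the ASP.NET Core project), here is one way to build on the OnRedirectToLogin approach from the 2.x update so that only API callers get the bare 401 (and 403 for access-denied), while browser requests for normal pages keep the redirect to the login page. The IsApiRequest helper, the /api path prefix and the X-Requested-With / Accept header checks are assumptions chosen for illustration; adjust them to how your clients actually identify themselves. The example assumes ASP.NET Core 2.x or later with ASP.NET Core Identity (which is what provides ConfigureApplicationCookie); with plain cookie authentication the same Events block goes into the AddCookie(options => ...) call instead.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class CookieAuthRedirectPolicy
{
    // Hypothetical helper (assumption): a request counts as an API call if it
    // targets the /api prefix, was sent by XMLHttpRequest/fetch, or asks for JSON.
    public static bool IsApiRequest(HttpRequest request)
    {
        if (request.Path.StartsWithSegments("/api"))
            return true;

        if (request.Headers.TryGetValue("X-Requested-With", out var requestedWith)
            && requestedWith == "XMLHttpRequest")
            return true;

        var accept = request.Headers["Accept"].ToString();
        return accept.Contains("application/json");
    }

    // Call this from Startup.ConfigureServices after services.AddIdentity(...).
    public static void ConfigureApplicationCookieForApi(IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            // Browser page requests still get the redirect to these paths.
            options.LoginPath = "/Account/Login";
            options.AccessDeniedPath = "/Account/AccessDenied";

            // Unauthenticated request: 401 for API callers, 302 to LoginPath otherwise.
            options.Events.OnRedirectToLogin = context =>
            {
                if (IsApiRequest(context.Request))
                {
                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    return Task.CompletedTask;
                }

                // Preserve the default behaviour for interactive browser sessions.
                context.Response.Redirect(context.RedirectUri);
                return Task.CompletedTask;
            };

            // Authenticated but not authorized: 403 for API callers, otherwise
            // the default redirect to AccessDeniedPath.
            options.Events.OnRedirectToAccessDenied = context =>
            {
                if (IsApiRequest(context.Request))
                {
                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
                    return Task.CompletedTask;
                }

                context.Response.Redirect(context.RedirectUri);
                return Task.CompletedTask;
            };
        });
    }
}
```

Handling OnRedirectToAccessDenied alongside OnRedirectToLogin matters in practice: an API client that sends a valid cookie but lacks the required role would otherwise receive a 302 to the access-denied page, which looks like success to a naive HTTP client and hides the 403 from both the caller and your logs. Note that, since 2.x, the cookie handler always raises these events on a challenge regardless of whether LoginPath is empty, so the event handlers are the place to decide the status code.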