Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Customize OWIN/OAuth HTTP status code when rejecting a token request

Tags:

c#

.net

http

oauth

owin

I've derived OAuthAuthorizationServerProvider in order to validate both clients and resource owners.

When I validate resource owners I find their credentials aren't valid, I call context.Rejected(), and HTTP response comes with HTTP/400 Bad Request status code while I would expect HTTP/401 Unauthorized.

How can I customize OAuthAuthorizationServerProvider's response HTTP status codes?

like image 495
Matías Fidemraizer Avatar asked May 13 '15 18:05

Matías Fidemraizer

1 Answers

This is how we override the OwinMiddleware...first we created our own middleware on top of Owin...I think we had similar issue as you did.

First need to create a constant:

public class Constants
{
    public const string OwinChallengeFlag = "X-Challenge";
}

And we override the OwinMiddleware

public class AuthenticationMiddleware : OwinMiddleware
{
    public AuthenticationMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        await Next.Invoke(context);

        if (context.Response.StatusCode == 400 && context.Response.Headers.ContainsKey(Constants.OwinChallengeFlag))
        {
            var headerValues = context.Response.Headers.GetValues(Constants.OwinChallengeFlag);
            context.Response.StatusCode = Convert.ToInt16(headerValues.FirstOrDefault());
            context.Response.Headers.Remove(Constants.OwinChallengeFlag);
        }

    }
}

In the startup.Auth file, we allowed the overrid of the Invoke Owin Commands

public void ConfigureAuth(IAppBuilder app)
    ....
        app.Use<AuthenticationMiddleware>(); //Allows override of Invoke OWIN commands
    ....

    }

And in the ApplicationOAuthProvider, we modified the GrantResourceOwnerCredentials.

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (UserManager<IdentityUser> userManager = _userManagerFactory())
        {
            IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                context.Response.Headers.Add(Constants.OwinChallengeFlag, new[] { ((int)HttpStatusCode.Unauthorized).ToString() }); //Little trick to get this to throw 401, refer to AuthenticationMiddleware for more
                //return;
            }
            ....
like image 122
Greg P Avatar answered Nov 08 '22 01:11

Greg P
Sign in to Comment

Related questions

Trying to understand how to create fluent interfaces, and when to use them
Use money type in Entity Framework model first
Using RazorEngine to parse Razor templates concurrently
When to use volatile to counteract compiler optimizations in C#
Calculate checksum for Laboratory Information System (LIS) frames
Delivery Notification in SMTP
Notify Icon for Window Service
Access session data from another thread
Should each project being signed with a separate Strong Name Key (.snk)?
Serving large files with C# HttpListener
Prevent self closing tags in XmlSerializer when no data is present
Simple Injector: Registering a type with constructor argument that's based on its parent
Redirect to Action by parameter mvc
Strategies for Class/Schema aware test data generation for Data Driven Tests
Column abc does not belong to table?
Why can't we add static methods to enums? [duplicate]
System.FormatException' occurred in MongoDB.Bson.dll - XXX is not a valid 24 digit hex string
Two equal IPv6 IPAddress instances return different GetHashCode results
How to get text from parent element and exclude text from children (C# Selenium)
Configuration String with Null DefaultValue

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!