There are two methods on the AuthenticationManager class, ForbidAsync() and ChallengeAsync(). I know that I can execute HttpContext.Authentication.ForbidAsync or return a result of type ForbidResult in my controller and it has the same effect; the same is true for ChallengeAsync. But it seems that they produce the same result:
    using Microsoft.AspNetCore.Mvc;

    public class AccountController : Controller
    {
        // Same as calling HttpContext.Authentication.ForbidAsync()
        public ForbidResult ForbidResult()
        {
            return Forbid();
        }

        // Same as calling HttpContext.Authentication.ChallengeAsync()
        public ChallengeResult ChallengeResult()
        {
            return Challenge();
        }
    }
There is not much documentation on the use of them or any example at this point; I was wondering how and why to use them.
Update: By the way, I compiled my research in this area into an article by the name of Asp.Net Core Action Results Explained.
A challenge result should generally be used in cases where the current visitor is not logged in, but is trying to access an action that requires an authenticated user. It will prompt a challenge for credentials. It could also be used for an authenticated user, who is not authorised for the action, and where you want to prompt for higher privileged credentials.
A forbid result should be used in cases where the current visitor is logged in as a user in your system, but is trying to access an action that their account does not have permission to perform.
With the standard ASP.NET Core CookieAuthentication added by Identity, default paths are set to handle each case and the user gets redirected.
By default:
- Access denied, i.e. forbidden, looks to redirect to /Account/AccessDenied
- Unauthenticated, i.e. challenge, looks to redirect to /Account/Login
Without redirection, forbidden will return a 403 status code, challenge will return a 401.
In your case, as redirects are occurring as specified in the default options, you're seeing the 302 found status codes instead.
I've not looked deep into code around this, but that's my general understanding.
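The split the answer describes, as an added example that is not code from the question or the answer above. It is a single-file ASP.NET Core 6+ app (minimal hosting) using cookie authentication; the ReportsController, the "department"/"finance" claim and the /api prefix are assumptions made for the illustration. It spells out the two default redirect paths, and shows how to hand API clients the bare 401/403 instead of the 302 that a browser would follow.

```csharp
// Added example, not from the original page. ASP.NET Core 6+ minimal hosting
// with cookie authentication; paths, claim name and /api prefix are assumed.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // These are the cookie handler's defaults, written out so both redirects are visible.
        options.LoginPath = "/Account/Login";               // ChallengeResult -> 302 here
        options.AccessDeniedPath = "/Account/AccessDenied"; // ForbidResult    -> 302 here

        // A browser can follow a redirect to a login page; a JSON client under /api cannot,
        // so give it the underlying status code instead: 401 for challenge, 403 for forbid.
        options.Events.OnRedirectToLogin = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api"))
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            else
                ctx.Response.Redirect(ctx.RedirectUri);
            return Task.CompletedTask;
        };
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api"))
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            else
                ctx.Response.Redirect(ctx.RedirectUri);
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical controller. The checks are written by hand so it is clear which
// result is produced when; an [Authorize(Policy = ...)] attribute makes the
// framework issue the same two results for the same two situations.
[ApiController]
[Route("api/reports")]
public class ReportsController : ControllerBase
{
    [HttpGet("confidential")]
    public IActionResult Confidential()
    {
        // Nobody is signed in: ask for credentials (Challenge).
        if (User.Identity?.IsAuthenticated != true)
            return Challenge();

        // Signed in, but this account is not allowed here: refuse without
        // re-prompting (Forbid). Challenging again here would send an
        // already-authenticated user back to the login page in a loop.
        if (!User.HasClaim("department", "finance"))
            return Forbid();

        return Ok(new { report = "quarterly figures" }); // constructed sample payload
    }
}
```

Run it and request GET /api/reports/confidential: with no cookie the response is 401, with a cookie for a user lacking the claim it is 403; the same action reached from a browser without the /api prefix handling would produce the 302s to /Account/Login and /Account/AccessDenied that the question observed.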