
How to override HandleUnauthorizedRequest in ASP.NET Core

I'm migrating my project to ASP.NET Core and I'm stuck migrating my CustomAuthorization attribute for my controllers. Here is my code.

public class CustomAuthorization : AuthorizeAttribute
{
    public string Url { get; set; }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new RedirectResult(Url + "?returnUrl=" + filterContext.HttpContext.Request.Url.PathAndQuery);
        }
        else if (!Roles.Split(',').Any(filterContext.HttpContext.User.IsInRole))
        {
            filterContext.Result = new ViewResult
            {
                ViewName = "AcessDenied"
            };
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

Then I used it on my controllers:

[CustomAuthorization(Url = "/Admin/Account/Login", Roles = "Admin")]
public abstract class AdminController : Controller { }

So basically I can use it to redirect to a different login page when the roles are not met. I have a few areas and each of them has a different login page. I tried using the CookieAuthenticationOptions like this:

services.Configure<CookieAuthenticationOptions>(options =>
{
    options.AuthenticationScheme = "Admin";
    options.LoginPath = "/Admin/Account/Login";
});

Then on my admin controller:

[Area("Admin")]
[Authorize(ActiveAuthenticationSchemes = "Admin", Roles = "Admin")]

But after I log in, it still can't get in.

markoverflow asked Dec 09 '25 02:12


1 Answer

I am doing something similar in one of my projects. This answer is NOT using AuthorizeAttribute, but it might help someone landing here from a Google search. In my case I am using it to authorize based on custom logic.

First my custom attribute class:

public class CustomAuthorizationAttribute : ActionFilterAttribute
{
    private readonly IMyDepedency _dp;
    public CustomAuthorizationAttribute(IMyDepedency dp)
    {
        _dp = dp;
    }
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var isValid = false;
        // write my validation and authorization logic here
        if (!isValid)
        {
            var unauthResult = new UnauthorizedResult();

            context.Result = unauthResult;
        }

        base.OnActionExecuting(context);
    }
}

I decorate my controllers like this:

[ServiceFilter(typeof (CustomAuthorizationAttribute))]

Then in my Startup class

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddMvc();

    // my other stuff that is not relevant in this post

    // Security
    services.AddTransient<CustomAuthorizationAttribute>();
}
Jonathan Alfaro answered Dec 11 '25 16:12


