Aspnetcore: AccessDeniedPath wrong

Created on 14 Jan 2019 · 16 Comments · Source: dotnet/aspnetcore

Describe the bug

https://localhost:5001/Account/AccessDenied?ReturnUrl=%2FPrivacy

To Reproduce

Steps to reproduce the behavior:

  1. New ASP.Net Core 2.2 Web Application
  2. Add package
    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureADB2C.UI" Version="2.2.0" />
  3. Authorize Privacy.cshtml.cs
    [Authorize(Roles = "myb2capp-power-user")]
    public class PrivacyModel : PageModel
  4. Configure "AzureAdB2C" in appsettings.json
  5. F5 to run
  6. Click Privacy
  7. Got 404
    > No webpage was found for the web address: https://localhost:5001/Account/AccessDenied?ReturnUrl=%2FPrivacy
    > HTTP ERROR 404

Expected behavior

should redirect to

https://localhost:5001/AzureADB2C/Account/AccessDenied?ReturnUrl=%2FPrivacy

Workaround

    services.Configure<CookieAuthenticationOptions>(AzureADB2CDefaults.CookieScheme, options => {
        options.AccessDeniedPath = "/AzureADB2C/Account/AccessDenied";
    });

Findings

When using the GitHub "AzureADB2CSample" project for debugging:

    internal class CookieOptionsConfiguration : IConfigureNamedOptions<CookieAuthenticationOptions>
    {
        private string GetAzureADB2CScheme(string name)
        {
            // name = "AzureADB2CCookie"
        }
    }

Done area-security bug

All 16 comments

@Tratcher, I've fixed it. Could you review the PR? It's just a one-word change.

In my project, the AccessDeniedPath redirects to http instead of https. How do I set it to redirect to https.

@ankitgupta2k19 that's usually caused by an incorrect proxy configuration. See https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer.
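As an added example (not code from this thread or from the ASP.NET Core project), the following Startup shows the forwarded-headers setup the linked proxy documentation describes, so that the cookie handler sees the original HTTPS scheme and builds its AccessDeniedPath redirect from it rather than from the plain-HTTP hop between the proxy and Kestrel. The proxy address 10.0.0.5 and the "AzureAdB2C" configuration section name are assumptions for the example.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Only honour the headers the app actually needs: the original scheme
            // (X-Forwarded-Proto) and the original client address (X-Forwarded-For).
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;

            // By default only loopback is trusted. A proxy on another host is ignored,
            // its headers are dropped, and redirects keep the "http" scheme the proxy
            // used to reach Kestrel. Trust the real proxy explicitly and nothing else;
            // 10.0.0.5 is a placeholder for the actual proxy address.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));
        });

        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication so the scheme and remote IP are already
        // rewritten when the cookie handler computes its login/access-denied redirects.
        app.UseForwardedHeaders();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

Limiting trust to KnownProxies (or KnownNetworks) matters: if every client were allowed to supply X-Forwarded-* headers, a request could claim an arbitrary scheme or source address, which would show up in redirect URLs and in any logging or rate limiting keyed on the client IP.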

cc @Eilon. We'll need to see if this matches patch bar.

Different issues. #6669 fixes a clearly wrong variable name, which always causes a 404 for a common condition. @muratg

@muratg - do we have a mail thread on this?

@Eilon We don't have a thread.

I'm not too familiar with AzureADB2C so I don't have a sense of this wrt the bar.

@mkArtakMSFT / @javiercn - maybe one of you can start a thread so we can discuss?

@Eilon Sure, let me gather all the details today and I'll start a thread

@javiercn - our memories are fuzzy. What's the latest on this?

@Eilon We were deciding whether to patch or not. In any case, I'm going to be fixing it on the 3.0 branch. There would be people that could have worked around it and we wanted to avoid breaking those people.

For them to be broken they would have to do services.Configure<CookieAuthenticationOptions>(AzureADB2CDefaults.CookieScheme, o => o.AccessDeniedPath = "<<Path>>") before they called
services.AddAuthentication().AddAzureADB2C();

If they did it after services.AddAuthentication().AddAzureADB2C(); then they will continue to override it and won't be broken.

The problem is that they could have gone ahead and put a view/endpoint on that path in order to work around it, instead of setting the cookie options, so we can't know. I would say however that it should be low risk as it would have required getting into the guts of the code to figure out, and not that many people would have done so. But this is all guessing. If you are not confident, we can avoid patching it as there's an easy workaround.

So to summarize:

  • Fix it in 3.0 (I'm going to fix a couple of other nuisances along with it all in a batch, will use the contributor commit as part of the 3.0 work so that is not in vain)
  • IMO I wouldn't patch because it has an easy workaround and we could potentially break people. How many of those people, I don't know, but we usually err on the safe side.

Does that sound good?
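The ordering rule explained above and the workaround from the issue body both come down to where the Configure call sits relative to AddAzureADB2C. As an added example (not code from this thread or from the ASP.NET Core project), this Startup places the override after AddAzureADB2C so it wins, and adds a small resolver that reads back the named cookie options the way the handler does, so a mis-ordered call or a regression shows up as a failing check rather than as the 404 reported here. The "AzureAdB2C" section name follows the 2.2 template; the ResolveAccessDeniedPath helper and its use from a test are assumptions for the example.

```csharp
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // AddAzureADB2C registers the OpenID Connect and cookie handlers together with
        // an IConfigureNamedOptions<CookieAuthenticationOptions> for the "AzureADB2CCookie"
        // scheme. Options configurators run in registration order, so a Configure call
        // placed BEFORE this line is applied first and then overwritten by the package's own.
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

        // Placed AFTER AddAzureADB2C: runs last, so this value survives. This is the
        // ordering the thread's workaround depends on.
        services.Configure<CookieAuthenticationOptions>(AzureADB2CDefaults.CookieScheme, options =>
        {
            options.AccessDeniedPath = "/AzureADB2C/Account/AccessDenied";
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    // Assumed helper: resolve the NAMED cookie options exactly as the cookie handler
    // will (by scheme name, not the unnamed default) and return the effective path.
    // Meant for a unit test over the service collection, not for the request path.
    public static string ResolveAccessDeniedPath(IServiceCollection services)
    {
        using (var provider = services.BuildServiceProvider())
        {
            var monitor = provider.GetRequiredService<IOptionsMonitor<CookieAuthenticationOptions>>();
            return monitor.Get(AzureADB2CDefaults.CookieScheme).AccessDeniedPath.Value;
        }
    }
}
```

A test would build a ServiceCollection, call new Startup(configuration).ConfigureServices(services) with a configuration that contains the AzureAdB2C section, and assert that Startup.ResolveAccessDeniedPath(services) returns "/AzureADB2C/Account/AccessDenied". Querying IOptionsMonitor by scheme name is the important detail: the unnamed IOptions<CookieAuthenticationOptions> would report the cookie handler's defaults and never reveal the problem.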

@javiercn I think that's reasonable. Can you make sure all the relevant issues/PRs/whatever are cleaned up to reflect this?

Yep

@javiercn - any update? Clock is ticking for preview 3.

We said we weren’t patching for this as it could break people who worked around it and has a trivial workaround.

