Openiddict-core: Question: How to handle OpenIdConnectProtocolException when user denies resource access

Created on 18 Jan 2017  路  6Comments  路  Source: openiddict/openiddict-core

In the samples Mvc.Server/Mvc.Client, if the user signs on the server but denies resource access, the server returns a 500 error code and the client fails with the following message:

An unhandled exception occurred while processing the request. OpenIdConnectProtocolException: Message contains error: 'access_denied', error_description: 'The authorization grant has been denied by the resource owner.', error_uri: 'ErrorUri null'.

I read issues https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/138 and https://github.com/aspnet/Security/issues/710 and I understand this happens because UseOpenIdConnectAuthentication (unlike UseBattleNetAuthentication, mentioned in the thread for https://github.com/aspnet/Security/issues/710) does not have an option to handle remote errors.

Is my understanding correct? And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)? Thanks in advance!

question

Most helpful comment

Is my understanding correct?

Yep.

And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)?

You can use the RemoteFailure event to override the default logic:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions {
    // ...

    Events = new OpenIdConnectEvents {
        OnRemoteFailure = context => {
            context.Response.Redirect("/");
            context.HandleResponse();

            return Task.FromResult(0);
        }
    }
});

All 6 comments

Is my understanding correct?

Yep.

And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)?

You can use the RemoteFailure event to override the default logic:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions {
    // ...

    Events = new OpenIdConnectEvents {
        OnRemoteFailure = context => {
            context.Response.Redirect("/");
            context.HandleResponse();

            return Task.FromResult(0);
        }
    }
});

Perfect! Once again, thanks so much for your help!

It says "UseOpenIdConnectAuthentication" is obsolete !

In the ConfigureServices method add;

services.AddOpenIdConnect("oidc", options => {
    options.SignInScheme = "Cookies";
    options.Authority = "https://localhost:5000";
    options.RequireHttpsMetadata = false;
    options.ClientId = "mvc";
    options.SaveTokens = true;

    options.Events = new OpenIdConnectEvents {
        OnRemoteFailure = context => {
            context.Response.Redirect("/");
            context.HandleResponse();

            return Task.FromResult(0);
        }
    };
});

You will need to add the Microsoft.AspNetCore.Authentication.OpenIdConnect and System.Threading.Tasks namespaces.

What a great message thread! It's 2020 now and in case it would help someone - there is a new event available in the OpenIdProvider options (as of ASP.NET Core 3.0) specifically for the "access_denied" responses named "OnAccessDenied" (the signature and handler are the same as OnRemoteFailure). This is fantastic news because "access_denied" isn't technically a "remote failure". The docs are as follows in case you need it: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.remoteauthenticationevents.onaccessdenied?view=aspnetcore-3.0

Thanks @timmi4sa for that suggestion. Your link seems to click to an issue board. Here are the docs for "OnAccessDenied": https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.remoteauthenticationevents.onaccessdenied?view=aspnetcore-5.0

Was this page helpful?
0 / 5 - 0 ratings