In the samples Mvc.Server/Mvc.Client, if the user signs on the server but denies resource access, the server returns a 500 error code and the client fails with the following message:
An unhandled exception occurred while processing the request.
OpenIdConnectProtocolException: Message contains error: 'access_denied', error_description: 'The authorization grant has been denied by the resource owner.', error_uri: 'ErrorUri null'.
I read issues https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/138 and https://github.com/aspnet/Security/issues/710 and I understand this happens because UseOpenIdConnectAuthentication (unlike UseBattleNetAuthentication, mentioned in the thread for https://github.com/aspnet/Security/issues/710) does not have an option to handle remote errors.
Is my understanding correct? And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)? Thanks in advance!
Is my understanding correct?
Yep.
And, if so, what is the suggested/recommended way to handle this (in an app similar to the samples)?
You can use the RemoteFailure event to override the default logic:
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions {
// ...
Events = new OpenIdConnectEvents {
OnRemoteFailure = context => {
context.Response.Redirect("/");
context.HandleResponse();
return Task.FromResult(0);
}
}
});
Perfect! Once again, thanks so much for your help!
It says "UseOpenIdConnectAuthentication" is obsolete !
In the ConfigureServices method add;
services.AddOpenIdConnect("oidc", options => {
options.SignInScheme = "Cookies";
options.Authority = "https://localhost:5000";
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.SaveTokens = true;
options.Events = new OpenIdConnectEvents {
OnRemoteFailure = context => {
context.Response.Redirect("/");
context.HandleResponse();
return Task.FromResult(0);
}
};
});
You will need to add the Microsoft.AspNetCore.Authentication.OpenIdConnect and System.Threading.Tasks namespaces.
What a great message thread! It's 2020 now and in case it would help someone - there is a new event available in the OpenIdProvider options (as of ASP.NET Core 3.0) specifically for the "access_denied" responses named "OnAccessDenied" (the signature and handler are the same as OnRemoteFailure). This is fantastic news because "access_denied" isn't technically a "remote failure". The docs are as follows in case you need it: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.remoteauthenticationevents.onaccessdenied?view=aspnetcore-3.0
Thanks @timmi4sa for that suggestion. Your link seems to click to an issue board. Here are the docs for "OnAccessDenied": https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.remoteauthenticationevents.onaccessdenied?view=aspnetcore-5.0
Most helpful comment
Yep.
You can use the
RemoteFailureevent to override the default logic: