microsoft-identity-web: AccessDenied page returns 404 when using MapControllerRoute
Microsoft.Identity.Web Library: Microsoft.Identity.Web.UI
Microsoft.Identity.Web version: 2.5.0
Web app: Sign-in users
Web API: Not Applicable
Token cache serialization: In-memory caches
Description
In versions 2.0.2-preview and following, the AccessDenied page is not returned when requested. Instead, the app returns a 404 response.
Reproduction steps
- Clone the samples repo and open the project 1-WebApp-OIDC/1-1-MyOrg.
- Update versions of Microsoft.Identity.Web and Microsoft.Identity.Web.UI to 2.5.0 (first version which displays the bug is 2.0.2-preview).
- Configure appsettings.json with the required values.
The following steps are just the easiest way to reproduce the error; this bug does not depend on the exact method of producing an AccessDenied redirect.
- Add an authorization policy which requires a role that your user doesn’t have (Startup.cs):
--- a/1-WebApp-OIDC/1-1-MyOrg/Startup.cs +++ b/1-WebApp-OIDC/1-1-MyOrg/Startup.cs @@ -37,6 +37,10 @@ namespace WebApp_OpenIDConnect_DotNet services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(options => Configuration.Bind("AzureAd", options)); + services.AddAuthorization( + policies => { policies.AddPolicy("p-Test", p => p.RequireClaim("roles", "TestRole")); } + ); + services.AddControllersWithViews(options => { var policy = new AuthorizationPolicyBuilder()
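Review bot: the policy name "p-Test" and the claim type "roles" in the added AddAuthorization block are bare string literals that have to match the [Authorize(Policy = ...)] attribute in HomeController exactly; ASP.NET Core throws an InvalidOperationException at request time when an attribute names a policy that was never registered, so a shared constant for "p-Test" would make the repro less fragile to a typo in either file.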
- Add authorization using that policy to the HomeController:
--- a/1-WebApp-OIDC/1-1-MyOrg/Controllers/HomeController.cs +++ b/1-WebApp-OIDC/1-1-MyOrg/Controllers/HomeController.cs @@ -6,7 +6,7 @@ using WebApp_OpenIDConnect_DotNet.Models; namespace WebApp_OpenIDConnect_DotNet.Controllers { - [Authorize] + [Authorize(Policy = "p-Test")] public class HomeController : Controller { private readonly ILogger<HomeController> _logger;
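Review bot: the policy replaces the bare [Authorize] at controller level, so every HomeController action including Index is gated and the very first request to / is forbidden, which is exactly what the logs below show (302 to AccessDenied, then 404). That is the intent for the repro, but if a reachable landing page is wanted while testing, put [Authorize(Policy = "p-Test")] on a single action instead of the class.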
- Start the app and open it in your browser.
Error message
You will be redirected to https://localhost:44321/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F but the page will not be found.
Id Web logs
info: Microsoft.Hosting.Lifetime[14]
Now listening on: https://localhost:44321
info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://localhost:3110
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
Content root path: /Users/ejsink/src/active-directory-aspnetcore-webapp-openidconnect-v2/1-WebApp-OIDC/1-1-MyOrg
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET https://localhost:44321/ - -
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
ClaimsAuthorizationRequirement:Claim.Type=roles and Claim.Value is one of the following values: (TestRole)
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[13]
AuthenticationScheme: Cookies was forbidden.
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[13]
AuthenticationScheme: OpenIdConnect was forbidden.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/1.1 GET https://localhost:44321/ - - - 302 0 - 76.8571ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET https://localhost:44321/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/1.1 GET https://localhost:44321/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F - - - 404 0 - 2.0688ms
Relevant code snippets
See reproduction steps.
Regression: 2.0.0-preview
Expected behavior
The AccessDenied page should be returned properly.
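The issue only records the symptom (a 302 to /MicrosoftIdentity/Account/AccessDenied followed by a 404) and names MapControllerRoute in the title; it does not say which part of the routing setup leaves the page unroutable. The following Startup is an added example written for this page, not code from the issue or from the Microsoft.Identity.Web project. It assumes (editor's assumption, not stated in the issue) that the AccessDenied page shipped by Microsoft.Identity.Web.UI is served as a Razor Page in the MicrosoftIdentity area, so that it is only reachable when Razor Pages endpoints are mapped next to the conventional controller route. It also adds a development-only /_routes endpoint (a hypothetical name) that dumps the registered route patterns, which is the quickest way to check whether MicrosoftIdentity/Account/AccessDenied is in the route table at all before reading library code.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web): endpoint routing
// for a web app that uses Microsoft.Identity.Web.UI, plus a diagnostic that lists
// the routes actually registered so a 404 on /MicrosoftIdentity/Account/AccessDenied
// can be checked against the route table.
// Assumption (editor's, not stated in the issue): the UI package serves AccessDenied
// as a Razor Page under the MicrosoftIdentity area, so MapRazorPages() is required
// in addition to MapControllerRoute().
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

        // Same policy as the repro: requires a claim the test user does not carry,
        // so any request to a policy-protected action ends in a Forbid -> AccessDenied redirect.
        services.AddAuthorization(options =>
            options.AddPolicy("p-Test", p => p.RequireClaim("roles", "TestRole")));

        services.AddControllersWithViews(options =>
        {
            // Fallback: everything requires an authenticated user unless marked [AllowAnonymous].
            var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        }).AddMicrosoftIdentityUI();

        // Razor Pages services are needed for the pages the UI package contributes.
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment()) app.UseHsts();
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");

            // Assumed (see header comment): without this line the UI package's
            // AccessDenied page is not routable and the redirect target returns 404.
            endpoints.MapRazorPages();

            // Diagnostic, development only: enumerating the route table is useful
            // information for an attacker, so never expose it outside Development.
            if (env.IsDevelopment())
            {
                endpoints.MapGet("/_routes", async context =>
                {
                    var source = context.RequestServices.GetRequiredService<EndpointDataSource>();
                    var patterns = source.Endpoints
                        .OfType<RouteEndpoint>()
                        .Select(e => e.RoutePattern.RawText)
                        .Where(p => p != null)
                        .OrderBy(p => p, StringComparer.Ordinal);
                    context.Response.ContentType = "text/plain";
                    await context.Response.WriteAsync(string.Join("\n", patterns));
                });
            }
        });
    }
}
```

To use the check, run the app in Development, open /_routes while signed in, and look for a pattern ending in MicrosoftIdentity/Account/AccessDenied. If the pattern is absent, the 404 is a routing gap rather than an authorization outcome; if it is present but the page still returns 404, the problem lies inside the UI package for the version in use. Note that a missing AccessDenied page fails closed: the user is still denied, they just get no explanation.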
About this issue
- Original URL
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 16 (8 by maintainers)
Thanks for the repro steps, @creativebrother
If I use 2.5.0 Microsoft.Identity.Web and 1.26.0 for Microsoft.Identity.Web.UI, it also seems to work. So it looks like Microsoft.Identity.Web.UI 2.5.0 is causing the issue.
@ElijahSink @creativebrother
I can repro on the sample.
I didn’t have the issue with the Microsoft.Identity.Web test apps. I got the following:
The code I used is: