microsoft-identity-web: AccessDenied page returns 404 when using MapControllerRoute

Microsoft.Identity.Web Library

Microsoft.Identity.Web.UI

Microsoft.Identity.Web version

2.5.0

Web app

Sign-in users

Web API

Not Applicable

Token cache serialization

In-memory caches

Description

In versions 2.0.2-preview and following, the AccessDenied page is not returned when requested. Instead, the app returns a 404 response.

Reproduction steps

  1. Clone the samples repo and open the project 1-WebApp-OIDC/1-1-MyOrg.
  2. Update versions of Microsoft.Identity.Web and Microsoft.Identity.Web.UI to 2.5.0 (first version which displays the bug is 2.0.2-preview)
  3. Configure appsettings.json with the required values

The following steps are just the easiest way to reproduce the error; this bug does not depend on the exact method of producing an AccessDenied redirect.

  1. Add an authorization policy which requires a role that your user doesn’t have: Startup.cs
    --- a/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
    +++ b/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
    @@ -37,6 +37,10 @@ namespace WebApp_OpenIDConnect_DotNet
                 services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                 .AddMicrosoftIdentityWebApp(options => Configuration.Bind("AzureAd", options));
    
    +            services.AddAuthorization(
    +                policies => { policies.AddPolicy("p-Test", p => p.RequireClaim("roles", "TestRole")); }
    +            );
    +
                 services.AddControllersWithViews(options =>
                 {
                     var policy = new AuthorizationPolicyBuilder()
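Review bot: `RequireClaim("roles", "TestRole")` is an exact match on the claim type string, so this policy only forbids as intended if the signed-in user's role claims still carry the type `roles` when authorization runs; the log in the report (`Claim.Type=roles and Claim.Value is one of the following values: (TestRole)`, followed by `Cookies was forbidden`) shows it does fail here as intended. Since the policy exists only to fail, a comment on the `AddPolicy` line saying so would keep a later reader from "fixing" the repro by granting the role.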
    
  2. Add authorization using that policy to the HomeController:
    --- a/1-WebApp-OIDC/1-1-MyOrg/Controllers/HomeController.cs
    +++ b/1-WebApp-OIDC/1-1-MyOrg/Controllers/HomeController.cs
    @@ -6,7 +6,7 @@ using WebApp_OpenIDConnect_DotNet.Models;
    
     namespace WebApp_OpenIDConnect_DotNet.Controllers
     {
    -    [Authorize]
    +    [Authorize(Policy = "p-Test")]
         public class HomeController : Controller
         {
             private readonly ILogger<HomeController> _logger;
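Review bot: replacing `[Authorize]` with `[Authorize(Policy = "p-Test")]` at class level applies the role requirement to every HomeController action, which is what the repro needs: a request to `/` by a signed-in user is forbidden and redirected to AccessDenied, as the 302 in the log shows. An anonymous user takes the other branch (a challenge to sign in) and never reaches AccessDenied, so step 3 should state that the user must already be signed in; that precondition is implied but not written down.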
    
  3. Start the app and open in your browser

Error message

You will be redirected to https://localhost:44321/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F but the page will not be found.

Id Web logs

info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://localhost:44321
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:3110
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /Users/ejsink/src/active-directory-aspnetcore-webapp-openidconnect-v2/1-WebApp-OIDC/1-1-MyOrg
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/1.1 GET https://localhost:44321/ - -
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      ClaimsAuthorizationRequirement:Claim.Type=roles and Claim.Value is one of the following values: (TestRole)
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[13]
      AuthenticationScheme: Cookies was forbidden.
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[13]
      AuthenticationScheme: OpenIdConnect was forbidden.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/1.1 GET https://localhost:44321/ - - - 302 0 - 76.8571ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/1.1 GET https://localhost:44321/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/1.1 GET https://localhost:44321/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F - - - 404 0 - 2.0688ms

Relevant code snippets

See reproduction steps.

Regression

2.0.0-preview

Expected behavior

The AccessDenied page should be returned properly.
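As an added regression check (not part of the issue or of the sample project), the following xUnit integration test turns the symptom above into something a build can catch: it requests the AccessDenied URL from the log and fails only on a 404. It assumes the sample's `WebApp_OpenIDConnect_DotNet.Startup` class from the repro diffs, an `appsettings.json` populated as in the reproduction steps, and the Microsoft.AspNetCore.Mvc.Testing package; the test class and method names are the author's own choice.

```csharp
// Added regression test, not code from the issue or the sample project.
// Assumes: the sample's Startup class (WebApp_OpenIDConnect_DotNet.Startup),
// a populated appsettings.json, and the Microsoft.AspNetCore.Mvc.Testing package.
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

namespace WebApp_OpenIDConnect_DotNet.Tests
{
    public class AccessDeniedRouteTests
        : IClassFixture<WebApplicationFactory<Startup>>
    {
        private readonly WebApplicationFactory<Startup> _factory;

        public AccessDeniedRouteTests(WebApplicationFactory<Startup> factory)
        {
            _factory = factory;
        }

        [Fact]
        public async Task AccessDenied_route_is_mapped()
        {
            // Redirects are not followed on purpose: an unauthenticated client may be
            // sent to sign in (302), which still proves the route exists. Only a 404
            // reproduces the bug reported here.
            HttpClient client = _factory.CreateClient(new WebApplicationFactoryClientOptions
            {
                AllowAutoRedirect = false,
            });

            // Same path the app redirected to in the reported log.
            HttpResponseMessage response =
                await client.GetAsync("/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2F");

            Assert.NotEqual(HttpStatusCode.NotFound, response.StatusCode);
        }
    }
}
```

The assertion is deliberately loose (anything but 404) so the test stays valid whether the AccessDenied action is reachable anonymously or sits behind the sample's fallback authorization policy; the regression described in this issue fails it either way.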

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Thanks for the repro steps, @creativebrother

If I use 2.5.0 for Microsoft.Identity.Web and 1.26.0 for Microsoft.Identity.Web.UI, it also seems to work. So it looks like Microsoft.Identity.Web.UI 2.5.0 is causing the issue.

@ElijahSink @creativebrother

I can repro on the sample.

I didn’t have the issue with the Microsoft.Identity.Web test apps. I got the following:

The code I used is:

    services.AddAuthorization(
        policies => { policies.AddPolicy("p-Test", p => p.RequireClaim("roles", "TestRole")); }
    );

    services.AddRazorPages().AddMvcOptions(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    }).AddMicrosoftIdentityUI();

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // more here ..

        app.UseAuthentication();
        app.UseAuthorization();

        // more here...

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapControllers(); // added
        });
    }