Open Closed

How to return 401 unauthorized response for requests with invalid bearer token? #1390


User avatar
0
hansmogren created

Hi!

We use bearer / token authentication for a mobile app that communicates with our web api. As of now requests that do not contain a proper bearer token will get a response with http status code 302 and the location header with a value like https://example.com/Account/Login?ReturnUrl=/api/foo/bar. How can we change this behaviour and insted return a 401 “Unauthorized” response for requests that do not contain a proper bearer token?

  • ABP Framework version: v4.3.0
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:

8 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    HI

    can you share some code of your web api?

  • User Avatar
    0
    hansmogren created

    HI

    can you share some code of your web api?

    Sure, what parts would you like to see? Is there a private messaging feature on these boards?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    liming.ma@volosoft.com

  • User Avatar
    0
    hansmogren created

    Hi,

    I'm sorry I haven't been able to get back to you with source. In the meantime I'd just like to clarify what I mean.

    If I make a request to one of the built-in abp endpoints, e.g. get /api/lepton-theme-management/settings without a valid bearer token I get a 401 Unauthorized response with the body <br>

    {
      "error": {
        "code": "Volo.Authorization:010001",
        "message": "Authorization failed! Given policy has not granted.",
        "details": null,
        "data": {},
        "validationErrors": null
      }
    }
    

    <br> However if I make a request to one of our custom controllers in the same way without a valid bearer token I get a 302 Found response with the Location header value https://localhost:44327/Account/Login?ReturnUrl=%2Fapi%2Ffoo%2Fbar instead.

    What do I need to do to get a 401 Unauthorized response from our endpoints like the built-in abp endpoints?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This is related to: https://github.com/abpframework/abp/issues/2643#issuecomment-574940166

    You can consider add [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] on your controller or method.

  • User Avatar
    0
    hansmogren created

    Thank you! I've added the attribute [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] and now the response is 401 Unauthorized. May I ask if this attribute could have any other unwanted consequences?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    May I ask if this attribute could have any other unwanted consequences?

    I don't think so.

    https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-5.0

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06