Hi!
We use bearer / token authentication for a mobile app that communicates with our web API. As of now, requests that do not contain a proper bearer token get a response with HTTP status code 302 and a Location header with a value like https://example.com/Account/Login?ReturnUrl=/api/foo/bar. How can we change this behaviour and instead return a 401 "Unauthorized" response for requests that do not contain a proper bearer token?
- ABP Framework version: v4.3.0
- UI type: MVC
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
- Exception message and stack trace:
- Steps to reproduce the issue:
8 Answer(s)
-
0
Hi
Can you share some code of your web API?
-
0
Hi
Can you share some code of your web API?
Sure, what parts would you like to see? Is there a private messaging feature on these boards?
-
0
hi
liming.ma@volosoft.com
-
0
Hi,
I'm sorry I haven't been able to get back to you with source. In the meantime I'd just like to clarify what I mean.
If I make a request to one of the built-in ABP endpoints, e.g. GET /api/lepton-theme-management/settings, without a valid bearer token I get a 401 Unauthorized response with the body
{ "error": { "code": "Volo.Authorization:010001", "message": "Authorization failed! Given policy has not granted.", "details": null, "data": {}, "validationErrors": null } }
However, if I make a request to one of our custom controllers in the same way without a valid bearer token I get a 302 Found response with the Location header value https://localhost:44327/Account/Login?ReturnUrl=%2Fapi%2Ffoo%2Fbar instead.
What do I need to do to get a 401 Unauthorized response from our endpoints like the built-in abp endpoints?
-
0
hi
This is related to: https://github.com/abpframework/abp/issues/2643#issuecomment-574940166
You can consider adding
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
on your controller or method.
-
0
Thank you! I've added the attribute
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
and now the response is 401 Unauthorized. May I ask if this attribute could have any other unwanted consequences?
-
0
May I ask if this attribute could have any other unwanted consequences?
I don't think so.
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-5.0
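As an added illustration (not code posted in this thread), this is what the suggested attribute looks like on an ABP API controller; the namespace, controller and route are hypothetical, and the comments record why the default cookie challenge produced the 302 and the bearer challenge produces a 401.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Volo.Abp.AspNetCore.Mvc;

namespace MyCompany.MyProject.Controllers // hypothetical namespace
{
    // Without AuthenticationSchemes, an unauthenticated request is challenged
    // by the application's default scheme. In an MVC-UI ABP app that is the
    // cookie scheme, whose challenge is a redirect:
    //   302 Found, Location: /Account/Login?ReturnUrl=%2Fapi%2Ffoo%2Fbar
    // Naming the JWT bearer scheme routes the challenge to its handler,
    // which answers 401 Unauthorized with a WWW-Authenticate: Bearer header,
    // matching the behaviour of the built-in ABP endpoints.
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    [Route("api/foo")] // hypothetical route from the question
    public class FooController : AbpController
    {
        [HttpGet("bar")]
        public IActionResult Bar()
        {
            // Only requests that carried a valid bearer token reach this point;
            // CurrentUser is populated from the token's claims.
            return Ok(new { user = CurrentUser.UserName });
        }
    }
}
```

Because only the bearer scheme is evaluated, a browser session authenticated by the MVC UI's cookie is not accepted on these endpoints; that is the intended behaviour for an API consumed exclusively by the mobile app, but worth knowing if the same controllers are also called from the web UI.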
-
0
This question has been automatically marked as stale because it has not had recent activity.