- ABP Framework version: v6.0.1
- UI type: MVC
- DB provider: EF Core
- Identity provider: OpenIddict
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
- Steps to reproduce the issue:
We're running a project where a client is calling our ABP API. All happy flows are working as expected.
Client details:
- Nuxt framework (Vue) with Axios
- Request and response example at the end of the message...
For any given reason, tokens might expire. In this case, our client should get an HTTP status 401. This is not the case: it is getting an HTTP status 302 Found, which redirects to an error page (= 401).
As you can see in the request, the client is sending an X-Requested-With attribute. This is a recommended solution, but it is not working. Reference 1 (axios Github) Reference 2 (ABP support)
For cookie authentication, there is a workaround. Reference 1 (ABP Github)
```csharp
private void ConfigureRedirectStrategy(ServiceConfigurationContext context)
{
    // Without this, API calls without "X-Requested-With: XMLHttpRequest"
    // are redirected to the identity server login page.
    // We want to return 401 Unauthorized instead of redirecting.
    context.Services.ConfigureApplicationCookie(options =>
        options.Events.OnRedirectToAccessDenied = redirectContext =>
        {
            // Keep the target in the Location header, but answer with 401
            // instead of a 302 so API clients can act on the status code.
            redirectContext.Response.Headers["Location"] = redirectContext.RedirectUri;
            redirectContext.Response.StatusCode = 401;
            return System.Threading.Tasks.Task.CompletedTask;
        });
}
```
As said, this will not work since the client is using Axios for requests.
Concrete question(s): Do you have any ideas how to solve this issue (status 302 has to be a status 401)? MVC should work properly, so I guess we still have to use the "X-Requested-With: XMLHttpRequest" attribute. But why is it not working?
Thanks in advance,
Request

```http
Host: {url}
Connection: keep-alive
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
Authorization: Bearer ...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Origin: {url}
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {url}
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8
```

Response

```http
Content-Length: 0
Date: Tue, 04 Apr 2023 09:50:10 GMT
Server: Kestrel
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: {url}
Access-Control-Expose-Headers: _AbpErrorFormat
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: /Error?httpStatusCode=401
Pragma: no-cache
Set-Cookie: ARRAffinity=...
Set-Cookie: ARRAffinitySameSite=...
Vary: Origin
WWW-Authenticate: Bearer error="invalid_token", error_description="The signing key associated to the specified token was not found.", error_uri="https://documentation.openiddict.com/errors/ID2090"
Request-Context: appId=...
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
```
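The workaround quoted in the post only overrides OnRedirectToAccessDenied, which the cookie handler raises for a forbid (403); a missing, expired or otherwise invalid credential produces a challenge, which goes through OnRedirectToLogin instead. The following is an added example, not the project's or ABP's own code, that covers both events and keeps the normal redirect for browser navigations; the IsApiRequest heuristic and the /api prefix are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Modularity;

// Added example, not the project's own code: handle both cookie redirect
// events so API clients receive a status code instead of a 302.
public static class ApiAwareCookieRedirects
{
    // Heuristic for "this caller cannot follow an HTML redirect": bearer token,
    // AJAX marker, JSON Accept header, or the assumed /api prefix of ABP endpoints.
    private static bool IsApiRequest(HttpRequest request)
    {
        var authorization = request.Headers["Authorization"].ToString();
        var accept = request.Headers["Accept"].ToString();
        return authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
            || request.Headers["X-Requested-With"] == "XMLHttpRequest"
            || accept.Contains("application/json", StringComparison.OrdinalIgnoreCase)
            || request.Path.StartsWithSegments("/api");
    }

    // API clients get the bare status code (target kept in Location, as in the
    // workaround quoted in the post); browsers keep the normal redirect.
    private static Task RespondWithStatus(RedirectContext<CookieAuthenticationOptions> ctx, int statusCode)
    {
        if (IsApiRequest(ctx.Request))
        {
            ctx.Response.StatusCode = statusCode;
            ctx.Response.Headers["Location"] = ctx.RedirectUri;
        }
        else
        {
            ctx.Response.Redirect(ctx.RedirectUri);
        }
        return Task.CompletedTask;
    }
    public static void Configure(ServiceConfigurationContext context)
    {
        context.Services.ConfigureApplicationCookie(options =>
        {
            // Challenge (missing or expired credentials): 401, not a login redirect.
            options.Events.OnRedirectToLogin = ctx => RespondWithStatus(ctx, StatusCodes.Status401Unauthorized);
            // Forbid (authenticated but not permitted): 403, not an access-denied page.
            options.Events.OnRedirectToAccessDenied = ctx => RespondWithStatus(ctx, StatusCodes.Status403Forbidden);
        });
    }
}
```

Call Configure from the module's ConfigureServices in place of the single-event workaround; a 401 produced this way still carries no WWW-Authenticate header, so the bearer handler's challenge (as in the captured response) remains the authoritative signal for token problems.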
1 Answer(s)
Hi,
Can you share a project that can reproduce the problem? shiwei.liang@volosoft.com
BTW, I remember that we solved the problem: https://github.com/abpframework/abp/pull/13173
You can check it in your project:
```csharp
private void ConfigureAuthentication(ServiceConfigurationContext context)
{
    context.Services.ForwardIdentityAuthenticationForBearer(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
}
```