Open Closed

HTP status 302 instead of 401 #4828


User avatar
0
Frontis2 created
  • ABP Framework version: v6.0.1
  • UI type: MVC
  • DB provider: EF Core
  • Identity provider: OpenIddict
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

We're running a project, where a client is calling our ABP api. All happy flows are working as aspected.

Client details:

  • Nuxt framework (Vue) with Axios
  • Request and response example at the end of the message...

For any given reason tokens might expire. In this case, our client should get a HTTP status 401. This is not the case, it is getting a http status 302 found, whish is redirecting to a error page (= 401).

As you can see in the request, the client is sending a X-Requested-With attribute. This is a recommended solution, but not working. Reference 1 (axios Github) Reference 2 (ABP support)

For cookie authentication, there is a workaround. Reference 1 (ABP Github)

private void ConfigureRedirectStrategy(ServiceConfigurationContext context)
{
    // Without this, api calls without "X-Requested-With: XMLHttpRequest"
    // are redirected to identity server login page.
    // We want to return 401:Unauthorized instead of redirecting
    context.Services.ConfigureApplicationCookie(options =>
    options.Events.OnRedirectToAccessDenied = context =>
    {
    context.Response.Headers["Location"] = context.RedirectUri;
    context.Response.StatusCode = 401;
    return System.Threading.Tasks.Task.CompletedTask;
    });
}

As said, this will not work since the client is using Axios for requests.

Concrete question(s): Do you have any ideas how to solve thie issue (status 302 has to be a status 401)? MVC should work properly, so i guess we still have to use the "X-Requested-With: XMLHttpRequest attribute". But why is it not working?

Thanks in advance,

Request

Host: {url}
Connection: keep-alive
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
Authorization: Bearer ...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Origin: {url}
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {url}
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8

Response

Content-Length: 0
Date: Tue, 04 Apr 2023 09:50:10 GMT
Server: Kestrel
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: {url}
Access-Control-Expose-Headers: _AbpErrorFormat
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: /Error?httpStatusCode=401
Pragma: no-cache
Set-Cookie: ARRAffinity=...
Set-Cookie: ARRAffinitySameSite=...
Vary: Origin
WWW-Authenticate: Bearer error="invalid_token", error_description="The signing key associated to the specified token was not found.", error_uri="https://documentation.openiddict.com/errors/ID2090"
Request-Context: appId=...
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN```

1 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Can you share a project that can reproduce the problem? shiwei.liang@volosoft.com

    BTW, I remember that we solved the problem: https://github.com/abpframework/abp/pull/13173

    You can check it in your project:

    private void ConfigureAuthentication(ServiceConfigurationContext context)
    {      context.Services.ForwardIdentityAuthenticationForBearer(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
    }
    
Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09