How to check access_denied on client when using IdentityServer4?
I have a login page, and when the user clicks the Cancel button I need to redirect him to an access denied page on a client application.

Inside login action:

    if (button != "login")
    {
        // the user clicked the "cancel" button
        var context = await interaction.GetAuthorizationContextAsync(model.ReturnUrl);
        if (context != null)
        {
            // if the user cancels, send a result back into IdentityServer as if they
            // denied the consent (even if this client does not require consent).
            // this will send back an access denied OIDC error response to the client.
            await interaction.GrantConsentAsync(context, ConsentResponse.Denied);
            // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
            return Redirect(model.ReturnUrl);
        }
    }

And on the client side (MVC) I have configured the following event:

    options.Events = new OpenIdConnectEvents
    {
        OnRemoteFailure = context =>
        {
            // here it's returned as 200 ok in case I denied
            // consent shouldn't be 401 access denied??
            var statusCode = context.Response.StatusCode;
            context.Response.Redirect("/");
            context.HandleResponse();
            return Task.FromResult(0);
        }
    };

But my question is: how do I know whether IdentityServer4 has failed because the user clicked the Cancel button (access_denied) or because another issue caused that failure?
c# identityserver4 oidc
asked Nov 21 '18 at 9:05 by Simple Code, edited Nov 21 '18 at 9:11
1 Answer
On the IdentityServer side:
The basic form has 2 buttons: login and cancel. If login is not pressed; it's a cancel. Otherwise it's a validation error and you can show it. On cancel you should redirect back to a page that makes sense.
On the MVC side:
You can redirect with extra parameters. These can be fetched and used to display the error. Keep in mind that a lot of error handling, like invalid username/password, stays at the IdentityServer side.
answered Nov 21 '18 at 9:08 by Stefan
But how to know whether IdentityServer4 failed because of access denied or another issue (unhandled exception) so I can redirect the user to the right page with the right error? – Simple Code, Nov 21 '18 at 9:13
Sorry, I didn't fully understand you. Unhandled exception should stay on the identityserver part. The ConsentResponse.Denied should be in the content I guess. – Stefan, Nov 21 '18 at 9:16
As for the 401 part: I think you have a valid point there, but I am not sure how the pipeline would react on such a status code. It might imply a redirect back, or a 401 page. – Stefan, Nov 21 '18 at 9:20
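
One way to tell a user cancel apart from other failures on the MVC client, as an added example that is not code from the question or the answer: record the OIDC `error` parameter when the callback is parsed, then branch on it in `OnRemoteFailure`. The class name, the `Items` key and the two local page paths are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class OidcFailureRouting
{
    // Assumptions of this example: the Items key and both local page paths.
    private const string ErrorItemKey = "oidc.error";
    private const string AccessDeniedPage = "/Home/AccessDenied";
    private const string GenericErrorPage = "/Home/Error";

    public static void Configure(OpenIdConnectOptions options)
    {
        options.Events = new OpenIdConnectEvents
        {
            // Fires when the callback request is parsed. On an OIDC error response,
            // ProtocolMessage.Error carries the "error" parameter (e.g. access_denied).
            OnMessageReceived = context =>
            {
                var error = context.ProtocolMessage?.Error;
                if (!string.IsNullOrEmpty(error))
                {
                    context.HttpContext.Items[ErrorItemKey] = error;
                }
                return Task.CompletedTask;
            },

            OnRemoteFailure = context =>
            {
                // Response.StatusCode is still the default 200 at this point: OIDC reports
                // errors as parameters on the callback, not as an HTTP status code.
                context.HttpContext.Items.TryGetValue(ErrorItemKey, out var stored);
                var denied = string.Equals(stored as string, "access_denied", StringComparison.Ordinal);

                // The error parameter arrives from the browser, so it only selects between
                // fixed local pages and is never echoed into the response or the redirect.
                context.Response.Redirect(denied ? AccessDeniedPage : GenericErrorPage);
                context.HandleResponse();
                return Task.CompletedTask;
            }
        };
    }
}
```

Call `OidcFailureRouting.Configure(options)` from the options lambda passed to `AddOpenIdConnect(...)`.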