Hi!
We use bearer / token authentication for a mobile app that communicates with our web API. As of now requests that do not contain a proper bearer token will get a response with HTTP status code 302 and the Location header with a value like https://example.com/Account/Login?ReturnUrl=/api/foo/bar. How can we change this behaviour and instead return a 401 “Unauthorized” response for requests that do not contain a proper bearer token?
- ABP Framework version: v4.3.0
- UI type: MVC
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
- Exception message and stack trace:
- Steps to reproduce the issue:
8 Answer(s)
-
0
Hi,
Can you share some code of your web API?
-
0
Hi,
Can you share some code of your web API?
Sure, what parts would you like to see? Is there a private messaging feature on these boards?
-
0
Hi,
I'm sorry I haven't been able to get back to you with source. In the meantime I'd just like to clarify what I mean.
If I make a request to one of the built-in abp endpoints, e.g. get /api/lepton-theme-management/settings without a valid bearer token I get a 401 Unauthorized response with the body
{ "error": { "code": "Volo.Authorization:010001", "message": "Authorization failed! Given policy has not granted.", "details": null, "data": {}, "validationErrors": null } }
However if I make a request to one of our custom controllers in the same way without a valid bearer token I get a 302 Found response with the Location header value https://localhost:44327/Account/Login?ReturnUrl=%2Fapi%2Ffoo%2Fbar instead. What do I need to do to get a 401 Unauthorized response from our endpoints like the built-in abp endpoints?
-
0
Hi,
This is related to: https://github.com/abpframework/abp/issues/2643#issuecomment-574940166
You can consider adding
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
on your controller or method.
-
0
Thank you!
I've added the attribute [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
and now the response is 401 Unauthorized.
May I ask if this attribute could have any other unwanted consequences?
-
0
May I ask if this attribute could have any other unwanted consequences?
I don't think so.
-
0
This question has been automatically marked as stale because it has not had recent activity.
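The behaviour discussed in this thread, as an added example that is not part of the original posts and not ABP's own code: a plain ASP.NET Core app with cookie authentication as the default scheme and JWT bearer as a second scheme, showing which handler answers an unauthenticated request. The authority URL reuses the localhost address from the thread as an assumption; the audience, route names and controller are hypothetical.

```csharp
// Added example. Assumes a .NET 6+ web project (implicit usings) with the
// Microsoft.AspNetCore.Authentication.JwtBearer package installed.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services
    // Cookie is the default scheme, as in an MVC UI: its challenge for a
    // normal (non-AJAX) request is a 302 redirect to the login page.
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.LoginPath = "/Account/Login")
    .AddJwtBearer(o =>
    {
        o.Authority = "https://localhost:44327"; // assumption: token issuer
        o.Audience = "MyApi";                    // hypothetical audience name
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/foo")]
public class FooController : ControllerBase
{
    // No scheme named: the default (cookie) handler issues the challenge,
    // so an anonymous call gets 302 Found -> /Account/Login?ReturnUrl=...
    [Authorize]
    [HttpGet("bar-default")]
    public IActionResult BarDefault() => Ok();

    // Scheme pinned to JWT bearer: only that handler authenticates and
    // challenges, so a missing or invalid token gets 401 with a
    // "WWW-Authenticate: Bearer" header instead of a redirect.
    // A caller that holds only the login cookie also gets 401 here,
    // because the cookie handler is not consulted for this action.
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    [HttpGet("bar")]
    public IActionResult Bar() => Ok(User.Identity?.Name);
}
```

If the same action must also serve a browser session signed in with the cookie, `AuthenticationSchemes` accepts a comma-separated list of scheme names.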