Search code examples
c#error-handlingasp.net-core-mvcasp.net-core-5.0

Error handling not quite working as expected

I'm still trying to master front-end development with ASP.NET Core 5 MVC - and I'm still struggling with some issues regarding error handling.

I have defined a number of roles for my app - and I use those as [Authorize(Roles="Admin")] annotation on some of my Razor pages (their "code-behind" PageModel class):

[Authorize(Roles="Admin")]
public class MyCustomPageModel : PageModel
{
    // page model code
}

I then also created a Razor page AccessDenied.cshtml in the Error folder:

enter image description here

My expectation would now be: if the user isn't authorized, or not member of that specified role, then ASP.NET Core would throw an error (http 401 - unauthorized) and go to my error page and display it.

Unfortunately - that's not what happens - instead, I get an error:

HTTP ERROR 404
No webpage was found for the web address: https://localhost:44332/Account/AccessDenied?ReturnUrl=%2FMyCustomMethod

I don't understand where that Account/ is coming from - I never defined it anywhere (to my - albeit limited - knowledge).

I also tried to specifically instruct the runtime to use the /Error pages for error handling by doing this in the Startup.Configure method (for the env.IsDevelopment() branch):

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // app.UseDeveloperExceptionPage();
            app.UseExceptionHandler("/Error");
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseHsts();
        }

but that didn't change anything.....

So - what am I missing? Where's that Account/ coming from - and how can I influence this?? (e.g. replace /Account/AccessDenied with /Error/AccessDenied)

Update: I created this app with the "Microsoft Identity Platform" auth type option; I'm using OpenID Connect with JWT Bearer Tokens.

This is my set up in Startup class - ConfigureServices method:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
         .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
            
services.AddAuthorization();
Solution

  • I'm guessing you're using an application cookie as your authentication scheme (rather than e.g. JWT/bearer tokens). If not, please share your Startup.ConfigureServices to show how you set up Identity.

    If I'm correct, you should be able to configure the path that the application should redirect to in case of an HTTP status code 403 Forbidden response. 401 Unauthorized is typically when the user is not authorized at all (not logged in) as opposed to "just" not having the proper role.

    To configure the path, if you don't want the standard /Account/AccessDenied, adding the following in your Startup.ConfigureServices should work:

    services.ConfigureApplicationCookie(options =>
{
    options.AccessDeniedPath = "/Error/AccessDenied";
});

    For more info on configuring this cookie (and other Identity configuration) take a look at the Identity documentation.