[Bug] Redirected to AccessDenied page after successful login #1127

Closed
1 of 8 tasks
JandosHk opened this issue Apr 8, 2021 · 3 comments
@JandosHk

JandosHk commented Apr 8, 2021

Which version of Microsoft Identity Web are you using?
Microsoft.Identity.Web 1.8.2

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?

The app is in production and I have upgraded to a new version of Microsoft Identity Web

Repro

```csharp
// Startup.ConfigureServices
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"), JwtBearerDefaults.AuthenticationScheme)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

services.AddRazorPages()
    .AddMicrosoftIdentityUI();
```

```cshtml
@* _LoginPartial.cshtml *@
@if (User.Identity.IsAuthenticated)
{
    <div class="navbar-nav">
        <span class="navbar-text">@User.FindFirst(ClaimTypes.Surname)?.Value</span>
        <a class="nav-item nav-link" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">Logout</a>
    </div>
}
else
{
    <div class="navbar-nav">
        <a class="nav-item nav-link" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">Login</a>
    </div>
}
```

Expected behavior
After the login page was displayed, I waited 15 min or so, then started the login by clicking my previous account shown on the login page.
After a successful login I expected the home page to be shown.

Actual behavior
Login seemed to proceed fine, but then my app was redirected to the /Account/AccessDenied page.
There were 2 issues:

  1. The /Account/AccessDenied page doesn't exist, so a 404 is returned. The correct path is MicrosoftIdentity/Account/AccessDenied.
  2. If I manually browse to the MicrosoftIdentity/Account/AccessDenied page, then I clearly see that I'm authenticated, because instead of the login button I see the logout button. My app is an ASP.NET Core 3.1 Razor Pages app, and in _LoginPartial.cshtml I check for authentication with the User.Identity.IsAuthenticated property.

Possible solution

Additional context / logs / screenshots

@jmprieur jmprieur added investigate bug Something isn't working duplicate This issue or pull request already exists labels Apr 8, 2021
@jmprieur
Collaborator

jmprieur commented Apr 8, 2021

@JandosHk thanks for reporting.
This is a multi-scheme case, which we'll consider part of #955

@JandosHk
Author

JandosHk commented Apr 9, 2021

I found out the issue lies in my code. I was handling the OpenID Connect remote failure event, in which I was redirecting to /Account/AccessDenied. Closing this issue.

@JandosHk JandosHk closed this as completed Apr 9, 2021
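
A remote-failure handler of the kind described in the comment above, as an added example (not code from the issue or from Microsoft.Identity.Web): it logs the underlying exception and sends the user to an error page instead of an access-denied page, so a failed sign-in is not presented as an authorization decision. The `/Error` path and the `AddRemoteFailureDiagnostics` name are assumptions made for this sketch.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class RemoteFailureHandling
{
    // Hypothetical helper: call it in Startup.ConfigureServices after
    // AddMicrosoftIdentityWebApp(...), which registers the OpenID Connect scheme.
    public static IServiceCollection AddRemoteFailureDiagnostics(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Keep whatever handler is already registered and run it first.
            var previous = options.Events.OnRemoteFailure;

            options.Events.OnRemoteFailure = async context =>
            {
                await previous(context);

                // Record the real cause server-side. Without this, the redirect
                // below is the only trace of the failure and it says nothing
                // about why the sign-in response was rejected.
                var logger = context.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("OidcRemoteFailure");
                logger.LogWarning(context.Failure,
                    "OpenID Connect remote failure while processing {Path}",
                    context.Request.Path);

                // Stop the default handling (which would rethrow the exception)
                // and redirect to a fixed, app-relative page. The exception text
                // is deliberately not placed in the URL: it can carry protocol
                // details that should stay in the server log.
                context.HandleResponse();
                context.Response.Redirect("/Error"); // assumed error page
            };
        });

        return services;
    }
}
```

With this in place the log entry shows which validation step failed, and the access-denied page stays reserved for requests that authenticated but were refused by authorization.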
@jennyf19 jennyf19 added this to the 1.11.0 milestone May 19, 2021
@jennyf19
Collaborator

Included in 1.11.0 release and documentation here.
