This repository was archived by the owner on Dec 14, 2018. It is now read-only.

Authorize attributes/filters with criteria should not use 401 for authenticated users #634

Closed
Tratcher opened this issue Jun 6, 2014 · 3 comments

@Tratcher (Member)

Tratcher commented Jun 6, 2014

Related:
https://katanaproject.codeplex.com/discussions/547633#post1253618
#432

Consider Authorize attributes and authorization filters that restrict with a specific criterion.
[Authorize(Roles = "Developers")]

The current and classic behavior of authorization filters and attributes is to send a 401 response if their criteria aren't met. If there is no authenticated user, this is entirely correct as it will trigger the authentication flow. However, if there is already an authenticated user, sending a 401 just puts them into an infinite authentication loop.

Possible solutions:

  • If the user used the wrong auth type, a specific challenge for the required auth type should be issued.
  • Sending a 403 (Forbidden) would inform them that they were authenticated, but they still lack the necessary permissions for the given resource. The infrastructure may choose to redirect 403s to a detailed error page.
@Tratcher Tratcher changed the title from "Authorize attributes/filters with criteria should use not use 401 for authenticated users" to "Authorize attributes/filters with criteria should not use 401 for authenticated users" on Jun 6, 2014
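The decision the issue above describes, written out as an added example (this is not Katana or ASP.NET code, and the `AuthorizationResult` / `RoleAuthorization.Evaluate` names and the "Cookies" / "Bearer" authentication type names are assumptions for illustration). It uses only `System.Security.Claims` so it compiles without OWIN or MVC, and it covers both proposed solutions: an unauthenticated request gets a 401 with a challenge for the required authentication type, an authenticated user of the wrong type gets a 401 that challenges specifically for the required type, and an authenticated user of the right type who lacks the role gets a 403 with no challenge, which is what avoids the loop.

```csharp
// Added example, not the project's code. Models the 401-vs-403 decision for
// [Authorize(Roles = "...")] on plain System.Security.Claims types.
using System;
using System.Linq;
using System.Security.Claims;

public sealed class AuthorizationResult
{
    public int StatusCode { get; }
    // Authentication type to challenge for; null means "no challenge" (403 / 200).
    public string ChallengeType { get; }

    public AuthorizationResult(int statusCode, string challengeType = null)
    {
        StatusCode = statusCode;
        ChallengeType = challengeType;
    }

    public override string ToString() =>
        ChallengeType == null ? StatusCode.ToString() : $"{StatusCode} (challenge: {ChallengeType})";
}

public static class RoleAuthorization
{
    // requiredAuthType: the authentication type the resource insists on (null = accept any).
    // requiredRoles: the user must hold at least one (the "any of" semantics of Roles = "A,B").
    // Names and signature are assumptions for this example.
    public static AuthorizationResult Evaluate(ClaimsPrincipal user, string requiredAuthType, params string[] requiredRoles)
    {
        var identity = user?.Identity;

        // No authenticated user: 401 is correct, the challenge starts the sign-in flow.
        if (identity == null || !identity.IsAuthenticated)
            return new AuthorizationResult(401, requiredAuthType ?? "Cookies");

        // Authenticated, but with a type the resource does not accept: challenge
        // for the required type instead of re-running the one that already succeeded.
        if (requiredAuthType != null &&
            !string.Equals(identity.AuthenticationType, requiredAuthType, StringComparison.Ordinal))
            return new AuthorizationResult(401, requiredAuthType);

        // Authenticated with an acceptable type but missing the role: 403, no challenge.
        // A 401 here would re-trigger the same login and the user would loop forever.
        if (requiredRoles.Length > 0 && !requiredRoles.Any(user.IsInRole))
            return new AuthorizationResult(403);

        return new AuthorizationResult(200);
    }
}

public static class Program
{
    // Builds a principal whose identity carries the given authentication type and role claims.
    static ClaimsPrincipal User(string authType, params string[] roles) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            roles.Select(r => new Claim(ClaimTypes.Role, r)), authType));

    public static void Main()
    {
        // Constructed sample principals.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity()); // no authentication type => not authenticated
        var tester    = User("Cookies", "Testers");
        var developer = User("Cookies", "Developers");
        var bearerDev = User("Bearer", "Developers");

        Console.WriteLine("anonymous, needs Developers:            " + RoleAuthorization.Evaluate(anonymous, null, "Developers"));
        Console.WriteLine("cookie user in Testers, needs Developers: " + RoleAuthorization.Evaluate(tester, null, "Developers"));
        Console.WriteLine("cookie user in Developers:               " + RoleAuthorization.Evaluate(developer, null, "Developers"));
        Console.WriteLine("bearer user, resource requires Cookies:  " + RoleAuthorization.Evaluate(bearerDev, "Cookies", "Developers"));
    }
}
```

The role check is deliberately the last step: a 403 is only meaningful once the caller knows the identity is both authenticated and of a type the resource accepts, otherwise the client should still be told how to authenticate.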
@yishaigalatzer (Contributor)

@HaoK @blowdart is this a thing with the new design?

@HaoK (Member)

HaoK commented Mar 3, 2015

Fixed

@HaoK HaoK closed this as completed Mar 3, 2015