Support automatic redirect on remote failures #1165
There's a correlation cookie issued with each challenge to limit XSRF issues. Under some conditions this cookie gets lost before the authentication is complete. If it does, the best thing that you can do is restart the auth flow. You can handle this error by hooking the RemoteFailure event (see Security/samples/SocialSample/Startup.cs, lines 122 to 127 in 75a4d00).
Thanks @Tratcher, as it happens quite regularly (more than 10% of registrations), I feel like I must address the issue.
It seems this, or something related, is happening to me. FB seemed to be working fine. Now it's not.
Works great for a Microsoft Account. I'm using Azure B2C, btw. Tried pretty much everything. Any ideas?
It does risk an infinite loop, so it should include an error page that says "Something went wrong trying to log you in, click here to try again."
I just tried running this in the policy section of the B2C portal. Got this:
Does that help any?
Thanks @Tratcher for the confirmation, I will try to handle it in the The Facebook login is a bit tricky when not everything goes well, for example if I:
I've just had an instance of this error pop up in my server logs, and there's this SO Q/A which mentions it being something to do with clock sync.
@JeanCollas If you've logged in with the external provider but not completed the local login then you still have the External cookie. If you then restart the auth flow the Facebook auth provider will see that you're already signed in and trigger AccessDenied to avoid an infinite login loop. If you want to restart the login process you need to clear the state from the prior attempt, including the external cookie. See https://github.com/aspnet/Templates/blob/c91664a01f6b429b9ff3ac17cacd906037f11b19/src/Rules/StarterWeb/IndividualAuth/Controllers/AccountController.cs#L51
@nhwilly are you still having Facebook B2C issues? There was an outage on Monday due to a Facebook API change, but that should have been resolved later that day.
We should consider the following:
cc @DamianEdwards for item (2).
I am getting this error:
Does anyone know how to fix this? This problem occurs when I try to log in to the application with a Facebook account and press Cancel on the permissions screen.
@NikasZalias The middleware doesn't seem to nicely handle permission being denied by the end user, so you end up with an error page. I've worked around this by wrapping the For example:

```csharp
/// <summary>
/// Returns whether the specified failure context indicates the user denied account linking permission.
/// </summary>
/// <param name="context">The current failure context.</param>
/// <returns>
/// <see langword="true"/> if account linking permission was denied; otherwise <see langword="false"/>.
/// </returns>
private static bool WasPermissionDenied(FailureContext context)
{
    return
        string.Equals(context.Request.Query["error"].FirstOrDefault(), "access_denied", StringComparison.Ordinal) ||
        string.Equals(context.Request.Query["error_reason"].FirstOrDefault(), "user_denied", StringComparison.Ordinal) ||
        context.Request.Query.ContainsKey("denied");
}
```

There might be more conditions that indicate this, but these three all handled this happening in the social login providers I use.
@martincostello How do I call this method in a controller? Because when I go to the ExternalLogin action, which looks like this:

```csharp
[HttpGet]
[AllowAnonymous]
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{
    var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl });
    var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    return new ChallengeResult(provider, properties);
}
```

it redirects me to the Facebook permission page, and after I click Cancel I get the error I wrote before, and I don't know how to handle this callback.
@NikasZalias You need to hook up a handler for
Handling the RemoteFailure event is the right thing to do. We should update our docs/samples to show how to handle that event and at least show a more appropriate message to the user. The error page sample could include a link to enable the user to try logging in again. Unfortunately it's difficult to implement this event in a very generic way that's also super useful, because each remote auth provider has its own behavior for different types of failures.
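Putting the thread's advice together as an added example (this is not code from the aspnet/Security repository or from any commenter above): the handler below hooks `OnRemoteFailure`, reuses the query-string checks from the `WasPermissionDenied` comment to tell a user-cancelled consent apart from other failures such as "Correlation failed.", redirects to a local error page that offers a "try again" link instead of re-challenging automatically (so there is no loop to fall into), and clears the External cookie before a new challenge, as the AccountController link above does. It assumes ASP.NET Core 2.x Identity with the Facebook handler package, where the event argument type is `RemoteFailureContext` (1.x names it `FailureContext`); the `/Account/LoginError` route, the reason codes, the message text and the `<app-id>`/`<app-secret>` placeholders are this example's own choices.

```csharp
// Added example, not part of the aspnet/Security repository. Assumes ASP.NET
// Core 2.x Identity + Microsoft.AspNetCore.Authentication.Facebook. The route
// /Account/LoginError and the reason codes below are this example's own.
using System;
using System.Linq;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class RemoteFailureHandling
{
    // Query-string markers providers send back when the user denies consent.
    // Providers differ, so extend this list as you observe more of them.
    public static bool WasPermissionDenied(RemoteFailureContext context)
    {
        var query = context.Request.Query;
        return string.Equals(query["error"].FirstOrDefault(), "access_denied", StringComparison.Ordinal)
            || string.Equals(query["error_reason"].FirstOrDefault(), "user_denied", StringComparison.Ordinal)
            || query.ContainsKey("denied");
    }

    public static Task OnRemoteFailure(RemoteFailureContext context)
    {
        // Map the failure to a fixed reason code rather than echoing provider or
        // exception text into the redirect URL; the error page owns the wording.
        string reason;
        if (WasPermissionDenied(context))
            reason = "denied";
        else if (context.Failure?.Message?.IndexOf("Correlation", StringComparison.OrdinalIgnoreCase) >= 0)
            reason = "correlation";   // lost correlation cookie: the flow must be restarted
        else
            reason = "unknown";

        context.Response.Redirect("/Account/LoginError?reason=" + UrlEncoder.Default.Encode(reason));
        context.HandleResponse();     // we wrote the response, so the handler must not throw
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AddDbContext / AddIdentity / AddMvc registrations omitted for brevity.
        services.AddAuthentication()
            .AddFacebook(options =>
            {
                options.AppId = "<app-id>";          // placeholder, read from configuration
                options.AppSecret = "<app-secret>";  // placeholder, read from configuration
                options.Events.OnRemoteFailure = RemoteFailureHandling.OnRemoteFailure;
            });
    }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> ExternalLogin(string provider, string returnUrl = null)
    {
        // Drop any half-finished external sign-in first: with the External cookie
        // still present, a second challenge is answered with AccessDenied.
        await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);

        var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { returnUrl });
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
        return Challenge(properties, provider);
    }

    [HttpGet]
    [AllowAnonymous]
    public IActionResult LoginError(string reason)
    {
        // Fixed messages keyed by reason code. The LoginError view renders this
        // message plus a "try again" link to /Account/ExternalLogin?provider=Facebook;
        // the user clicks it, nothing redirects automatically.
        ViewData["Message"] =
            reason == "denied" ? "You cancelled the sign-in at the provider."
          : reason == "correlation" ? "Your sign-in session expired or was started in another window."
          : "Something went wrong trying to log you in.";
        return View();
    }
}
```

The reason-code indirection matters for two reasons: the provider's `error_description` and the handler's exception text are attacker-influenced or implementation-detail strings that should not be reflected into a redirect, and a fixed set of codes keeps the error page's behaviour predictable. The `SignOutAsync(IdentityConstants.ExternalScheme)` call is what turns the "try again" link into a genuine restart rather than the AccessDenied short-circuit described earlier in the thread.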
Need to find out for each external auth provider what behavior they have when auth is cancelled. We should then handle those cases and add a feature that would redirect to a well-known (but configurable) location, which we'd have to add to the templates. E.g.
Need to also see if "denied" is the same as "cancel" for the various providers. |
[Clearing the milestone for re-triage] I've investigated adding an error redirect but found that it creates an overall worse experience than the current templates. (See #1582 (comment).) We should instead document the custom error handling process.
@PinpointTownes noticed this is a duplicate of #710
I am still seeing this error: Correlation failed.
Therefore I don't see any pattern in them. As it does not happen every time, but very often, I have no idea how to solve this.
@JeanCollas In my case it would only happen with Facebook login when on mobile. For certain cases the window with the redirect to Facebook remained open. I'm assuming (also tested on my own device) it happened because Facebook was installed as a Web App, which caused the redirect from Facebook to my app after giving my app authorization to be opened in a new window. The redirect back to my app (in the new window) would finish the login successfully and clear the Correlation cookie. If later the user opened the window with the old Facebook authorization, it would redirect him again in a new window to my app, but this time the login would fail because there's no longer a Correlation cookie, and the "Correlation cookie not found" warning would be logged. Obviously I don't consider this a bug of ASP.NET.
@evgrud I identified one behavior which always leads to this issue:
Issue #710 was closed in favour of this one, though this one is not specifically related to "access_denied" errors. I second the need for an "easy" access_denied handling as opposed to other scenarios. I'd say access_denied is not an "exception" but rather an anticipated result from an OpenID Connect provider. Looking through the code, I still (?) can't find a way to specify where the request should go in the case of "access denied" errors. What am I missing here? I figured
Would be nice to use Exception.AdditionalData to have some additional key in there that has our dictionary (or data structure) of stuff that the remote provider sent us back as part of the flow.
Duh, looks like we said this in https://github.com/aspnet/Security/issues/711. So, closing this because whatever we do for this would be in https://github.com/aspnet/Security/issues/711.
From time to time when people try to log in using Facebook, I get this error. What does it mean exactly, and how do I handle it?