2 votes

I'm adding a couple of controllers to my Identity Server 4 asp.net core mvc app. To be clear, I have added these to the IdentityProvider app (which I use for SSO), not a client app.

When I send a request to my endpoint (ex. GET sso.app.com/api/users) and I'm not authenticated, I get redirected to my login page, otherwise it works just fine. I would like to intercept the redirect and have the controller return a 401 Unauthorized instead.

I've explored using a policy for the Authorize header, but that only gives me a pass/fail based on an already authenticated user, so I don't have enough control there. I read on another similar SO question that the aspnet core team doesn't want devs to extend the Authorize header, but use policies instead.

I poked around and didn't find any obvious options for this when adding the service in Startup either. Are there any options that let me set behavior for specific paths/endpoints such as '/api'?

1

So you have three apps here? Identity Server, some Identity Provider (IDP) with the API, and a client? Or are you referring to Identity Server as the IDP (which is fine, sometimes it is, sometimes it isn't)? But if I understand your setup, the redirect to login should receive the API endpoint as the return URL. Just inspect that in your login controller and return a 401 if the URL matches the endpoints that you want to block. I don't think you can do interception elsewhere inside Identity Server. - McGuireV10

You are correct. I didn't think to do that. I guess there's no way to keep the redirect from happening in the first place. Your solution should work fine for now. Thanks! (If you put your comment as an answer, I'll mark it correct) - SeanM

Thanks, copied. And you're right, the only way to prevent the redirect would be to manage auth "by hand" (preventing or issuing calls to things like ChallengeAsync) which is a lot of work compared to using attributes. OIDC is all about redirects... - McGuireV10

1 Answer

0 votes

Comment copied to an answer:

So you have three apps here? Identity Server, some Identity Provider (IDP) with the API, and a client? Or are you referring to Identity Server as the IDP (which is fine, sometimes it is, sometimes it isn't)?

But if I understand your setup, the redirect to login should receive the API endpoint as the return URL. Just inspect that in your login controller and return a 401 if the URL matches the endpoints that you want to block.

I don't think you can do interception elsewhere inside Identity Server.
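The check the answer describes, written out as an added example (not code from the question, the answer, or IdentityServer itself): the login action of the IdentityServer host inspects the `returnUrl` that the cookie challenge appended and returns 401 when it points at an API path. The `AccountController`, `LoginViewModel` and the `/api` prefix list are assumptions; the `returnUrl` is untrusted query input, so it is also filtered with `Url.IsLocalUrl` before reaching the view.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class LoginViewModel { public string ReturnUrl { get; set; } }

public class AccountController : Controller
{
    // Assumed: path prefixes that should get a bare 401 instead of the login page.
    private static readonly string[] ApiPrefixes = { "/api" };

    [HttpGet]
    [AllowAnonymous]
    public IActionResult Login(string returnUrl)
    {
        if (IsApiReturnUrl(returnUrl))
        {
            // The challenge came from an API controller: tell the caller it is
            // unauthenticated rather than redirecting a JSON client to an HTML form.
            return Unauthorized();
        }

        // returnUrl is attacker-controllable; only pass local URLs on to the view
        // so the login form cannot be turned into an open redirect.
        var safeReturnUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        return View(new LoginViewModel { ReturnUrl = safeReturnUrl });
    }

    // True when the return URL's path is /api or sits below it (case-insensitive).
    internal static bool IsApiReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;

        // Compare the path only; drop any query string the original request carried.
        var path = returnUrl.Split('?')[0];
        foreach (var prefix in ApiPrefixes)
        {
            if (path.Equals(prefix, StringComparison.OrdinalIgnoreCase) ||
                path.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }
}
```

With this in place, an unauthenticated `GET /api/users` still triggers the cookie challenge, but the redirect target answers 401 instead of rendering the login page; a request for `/apiary` does not match because the prefix check requires a path-segment boundary.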