I'm adding a couple of controllers to my IdentityServer4 ASP.NET Core MVC app. To be clear, I have added these to the IdentityProvider app (which I use for SSO), not a client app.
When I send a request to my endpoint (e.g. GET sso.app.com/api/users) and I'm not authenticated, I get redirected to my login page; otherwise it works just fine. I would like to intercept the redirect and have the controller return a 401 Unauthorized instead.
I've explored using a policy for the Authorize header, but that only gives me a pass/fail based on an already authenticated user, so I don't have enough control there. I read on another similar SO question that the ASP.NET Core team doesn't want devs to extend the Authorize header, but to use policies instead.
I poked around and didn't find any obvious options for this when adding the service in Startup either. Are there any options that let me set behavior for specific paths/endpoints such as '/api'?
ChallengeAsync
) which is a lot of work compared to using attributes. OIDC is all about redirects... – McGuireV10