SimpleTokenProvider

404 response when not authenticated/authorized

Open sicollins opened this issue 9 years ago • 6 comments

As taken from the points raised in the comments here https://stormpath.com/blog/token-authentication-asp-net-core

If you try to make a request with an invalid or expired token, the response you get is a 404 Not Found instead of a 403 Unauthorized.

I can get the code in your repo to do the same. If you set up Postman to POST /api/values/123

In headers set: Authorization = Bearer +

You get a 404 not found.

In the output window I can see: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__1.MoveNext()

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:2444/Account/Login?ReturnUrl=%2Fapi%2Fvalues%2F123

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Bearer was not authenticated. Failure message: IDX10703: Unable to decode the 'header': 'eyJhbGciOiJIUzI1NiIsInR5cDI6IkpXVCJ9' as Base64url encoded string. jwtEncodedString: 'the invalid token'.

The 404 is a result of something. I'm guessing either one of these: AspNetCore.Authentication.Cookies or AspNetCore.Authentication.JwtBearer is trying to redirect to /Account/Login, which doesn't actually exist.

sicollins avatar Aug 03 '16 08:08 sicollins

I think your guess is correct. I disabled this behavior by adding the following code in Startup.ConfigureServices:

// Startup.ConfigureServices: stop the Identity application cookie from issuing
// an automatic challenge (the 302 redirect to /Account/Login) on a 401.
services.Configure<IdentityOptions>(o => {
    o.Cookies.ApplicationCookie.AutomaticChallenge = false;
});

PeppeL-G avatar Aug 04 '16 08:08 PeppeL-G

Good catch. It definitely should respond with 401, not 404.

I'll happily accept a PR unless I get to it first. 😄

nbarbettini avatar Aug 04 '16 16:08 nbarbettini

@PeppeL-G I'm afraid it doesn't work for me. What exactly is AutomaticChallenge, and how would it fix this problem? Maybe creating a pull request fixing this in the project is a good idea?

piotrek-k avatar Aug 28 '16 15:08 piotrek-k

@piotrek-k, it's poorly documented, but I assume it means redirecting 401 responses (Not Authorized) to a login page (and if that login page doesn't exist, it returns a 404 (Not Found) instead). I imagine setting it to false will prevent this behavior.

I think you need to set it to false both in the code I posted before and in your TokenValidationParameters you use in JwtBearerOptions.

PeppeL-G avatar Aug 29 '16 06:08 PeppeL-G
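The two AutomaticChallenge settings discussed above, as an added example (not code from the SimpleTokenProvider project) written against the ASP.NET Core 1.x middleware API this thread uses; the issuer, audience and signing key are assumed placeholders:

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Assumed placeholder values; a real key comes from configuration, never from source.
    private const string Issuer = "ExampleIssuer";
    private const string Audience = "ExampleAudience";
    private static readonly SymmetricSecurityKey SigningKey = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("PLACEHOLDER-REPLACE-WITH-A-LONG-RANDOM-SECRET"));

    public void Configure(IApplicationBuilder app)
    {
        // Bearer middleware: validates the token from the Authorization header. With
        // AutomaticChallenge = true a missing, malformed or expired token is answered with
        // 401 plus a "WWW-Authenticate: Bearer" header, which is what an API client expects.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = SigningKey,
                ValidateIssuer = true,
                ValidIssuer = Issuer,
                ValidateAudience = true,
                ValidAudience = Audience,
                ValidateLifetime = true
            }
        });

        // Cookie middleware: still reads an existing cookie session, but with
        // AutomaticChallenge = false it no longer turns an unauthenticated request into a
        // 302 to LoginPath. On an API with no /Account/Login route that redirect is what
        // surfaced as the 404 reported in this issue.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",
            AutomaticAuthenticate = true,
            AutomaticChallenge = false,
            LoginPath = "/Account/Login"
        });
    }
}
```

With this arrangement a request carrying a bad bearer token gets a 401 from the bearer middleware, and the absent login route is never hit.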

I've changed AutomaticChallenge to false in both UseJwtBearerAuthentication and UseCookieAuthentication, and when I test it in an HTTP client (like Postman) it works. I also wanted to test if this works when I use cookies for storing the token. I created a cookie called access_token with value eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJURVNUIiwianRpIjoiYThmNDQyN2UtMzkzMy00MDBkLTg3ZmQtODlkMWZiZDA1NzQ5IiwiaWF0IjoxNDcyNDYzMTAzLCJuYmYiOjE0NzI0NjMxMDMsImV4cCI6MTQ3MjQ2MzQwMywiaXNzIjoiRXhhbXBsZUlzc3VlciIsImF1ZCI6IkV4YW1wbGVBdWRpZW5jZSJ9.xhuq5vlCuFBCsO2SV_PZEhtUj9sndIx7o0oELhfyb_k. It didn't work; it says 401 Unauthorized.

Is it me testing it the wrong way, or is something wrong with the code?

Maybe @nbarbettini will know something.

piotrek-k avatar Aug 29 '16 09:08 piotrek-k

Oh, I only needed to support the header version, so I've never tested cookies. I'm afraid I can't help you with that.

PeppeL-G avatar Aug 29 '16 10:08 PeppeL-G