404 response when not authenticated/authorized #7
Comments
I think your guess is correct. I disabled this behavior by adding the following code:

```csharp
services.Configure<IdentityOptions>(o => {
    o.Cookies.ApplicationCookie.AutomaticChallenge = false;
});
```
Good catch. It definitely should respond with 401, not 404. I'll happily accept a PR unless I get to it first. 😄
@PeppeL-G I'm afraid it doesn't work for me. What is exactly
@piotrek-k, it's poorly documented, but I assume it means redirecting 401 responses (Not Authorized) to a login page (and if that login page doesn't exist, it returns a 404 (Not Found) instead). I imagine setting it to I think you need to set it to
I've changed AutomaticChallenge to Is it me testing it the wrong way, or is something wrong with the code? Maybe @nbarbettini will know something.
Oh, I only needed to support the header version, so I've never tested cookies. I'm afraid I can't help you with that.
As taken from the points raised in the comments here https://stormpath.com/blog/token-authentication-asp-net-core
If you try to make a request with an invalid or expired token, the response you get is a 404 Not Found instead of a 403 Unauthorized.
I can get the code in your repo to do the same.
If you set up in POSTman to
POST /api/values/123
In headers set:
Authorization = Bearer +
You get a 404 Not Found.
In the output window I can see:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__1.MoveNext()
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:2444/Account/Login?ReturnUrl=%2Fapi%2Fvalues%2F123
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Bearer was not authenticated. Failure message: IDX10703: Unable to decode the 'header': 'eyJhbGciOiJIUzI1NiIsInR5cDI6IkpXVCJ9' as Base64url encoded string. jwtEncodedString: 'the invalid token'.
The 404 is a result of something, I'm guessing either one of these:
AspNetCore.Authentication.Cookies
AspNetCore.Authentication.JwtBearer
trying to redirect to /Account/Login which doesn't actually exist
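The configuration below is an added example (not code from this repository or from any commenter) of how the two handlers can be registered so that an invalid bearer token yields a 401 instead of a redirect to a missing login page. It assumes ASP.NET Core 1.x style middleware registration (`UseJwtBearerAuthentication`, `UseCookieAuthentication`, `AutomaticChallenge`); the issuer, audience and signing key values are placeholders.

```csharp
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Placeholder key: load the real secret from configuration, never from source.
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("placeholder-secret-replace-me-at-least-32-bytes"));

    public void Configure(IApplicationBuilder app)
    {
        // Bearer handler is the automatic challenge handler, so a bad or expired
        // token ends as 401 with a WWW-Authenticate header, not a redirect.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = "ExampleIssuer",      // placeholder
                ValidAudience = "ExampleAudience",  // placeholder
                IssuerSigningKey = SigningKey,
                ValidateLifetime = true
            }
        });

        // Cookie handler for the browser UI. AutomaticChallenge = false stops it
        // from answering 401s meant for API clients (the fix from this thread).
        // The OnRedirectToLogin override is a second guard: if it ever does
        // challenge for an /api request, return 401 instead of redirecting to a
        // LoginPath that may not exist (which is what produced the 404 above).
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",
            AutomaticAuthenticate = true,
            AutomaticChallenge = false,
            LoginPath = new PathString("/Account/Login"),
            Events = new CookieAuthenticationEvents
            {
                OnRedirectToLogin = ctx =>
                {
                    if (ctx.Request.Path.StartsWithSegments("/api"))
                    {
                        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                        return Task.CompletedTask;
                    }
                    ctx.Response.Redirect(ctx.RedirectUri);
                    return Task.CompletedTask;
                }
            }
        });

        app.UseMvc();
    }
}
```

Middleware order matters: the bearer handler must be registered before the cookie handler and both before `UseMvc`, otherwise the challenge still falls through to the cookie redirect.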