This repository has been archived by the owner on Apr 27, 2023. It is now read-only.

404 response when not authenticated/authorized #7

Open
sicollins opened this issue Aug 3, 2016 · 6 comments

Comments

@sicollins

sicollins commented Aug 3, 2016

As taken from the points raised in the comments here https://stormpath.com/blog/token-authentication-asp-net-core

If you try to make a request with an invalid or expired token, the response you get is a 404 Not Found instead of a 403 Unauthorized.

I can get the code in your repo to do the same.
If you set up in POSTman to
POST /api/values/123

In headers set:
Authorization = Bearer +

You get a 404 not found.

In the output window I can see:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__1.MoveNext()

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:2444/Account/Login?ReturnUrl=%2Fapi%2Fvalues%2F123

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware:Information: Bearer was not authenticated. Failure message: IDX10703: Unable to decode the 'header': 'eyJhbGciOiJIUzI1NiIsInR5cDI6IkpXVCJ9' as Base64url encoded string. jwtEncodedString: 'the invalid token'.

The 404 is a result of something, I'm guessing either one of these:
AspNetCore.Authentication.Cookies
AspNetCore.Authentication.JwtBearer
trying to redirect to /Account/Login which doesn't actually exist

@PeppeL-G

PeppeL-G commented Aug 4, 2016

I think your guess is correct. I disabled this behavior by adding the following code in Startup.ConfigureServices:

services.Configure<IdentityOptions>(o => {
    o.Cookies.ApplicationCookie.AutomaticChallenge = false;
});

@nbarbettini
Owner

Good catch. It definitely should respond with 401, not 404.

I'll happily accept a PR unless I get to it first. 😄

@piotrek-k

@PeppeL-G I'm afraid it doesn't work for me. What exactly is AutomaticChallenge, and how would it fix this problem? Maybe creating a pull request fixing this in the project is a good idea?

@PeppeL-G

@piotrek-k, it's poorly documented, but I assume it means redirecting 401 responses (Not Authorized) to a login page (and if that login page doesn't exist, it returns a 404 (Not Found) instead). I imagine setting it to false will prevent this behavior.

I think you need to set it to false both in the code I posted before and in your TokenValidationParameters you use in JwtBearerOptions.

@piotrek-k

piotrek-k commented Aug 29, 2016

I've changed AutomaticChallenge to false in both UseJwtBearerAuthentication and UseCookieAuthentication, and when I test it in some HTTP client (like Postman) it works.
I also wanted to test if this works when I use cookies for storing the token. I created a cookie called access_token with the value eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJURVNUIiwianRpIjoiYThmNDQyN2UtMzkzMy00MDBkLTg3ZmQtODlkMWZiZDA1NzQ5IiwiaWF0IjoxNDcyNDYzMTAzLCJuYmYiOjE0NzI0NjMxMDMsImV4cCI6MTQ3MjQ2MzQwMywiaXNzIjoiRXhhbXBsZUlzc3VlciIsImF1ZCI6IkV4YW1wbGVBdWRpZW5jZSJ9.xhuq5vlCuFBCsO2SV_PZEhtUj9sndIx7o0oELhfyb_k. It didn't work; it says 401 Unauthorized.

Is it me testing it the wrong way, or is something wrong with the code?

Maybe @nbarbettini will know something.
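As an added example (not the repo's code), here is the complete configuration this thread converges on, written for ASP.NET Core 1.x middleware-style auth: the cookie middleware stops challenging so a missing /Account/Login can no longer turn a 401 into a 404, and the JWT bearer middleware stays the challenger. It also covers piotrek-k's cookie test: JwtBearer reads only the Authorization header, so the OnMessageReceived event hands an "access_token" cookie to it. The placeholder signing key and the cookie name are assumptions; if the project registers cookies through app.UseIdentity() instead, PeppeL-G's IdentityOptions snippet above is the equivalent switch.

```csharp
// Startup.Configure, ASP.NET Core 1.x middleware-style auth; assumed layout, not the repo's code.
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;
public partial class Startup
{
    // Assumed placeholder for local runs only; a real app loads the HMAC secret from configuration.
    private readonly SymmetricSecurityKey _signingKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("PLACEHOLDER-DEV-KEY-AT-LEAST-32-BYTES-LONG"));
    public void Configure(IApplicationBuilder app)
    {
        // Cookie middleware must not challenge: with AutomaticChallenge = true an unauthenticated API
        // call is redirected to /Account/Login, and when that route is missing the client sees a 404.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = false
        });

        // JWT bearer is the middleware that should challenge: an invalid or expired token then
        // yields 401 with a WWW-Authenticate: Bearer header and no redirect.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = "ExampleIssuer",      // iss/aud as in the sample token in this thread
                ValidAudience = "ExampleAudience",
                IssuerSigningKey = _signingKey,
                ValidateLifetime = true
            },
            Events = new JwtBearerEvents
            {
                // JwtBearer reads only the Authorization header, which is why a token kept in an
                // "access_token" cookie got 401. Handing it over here runs the same validation on it.
                OnMessageReceived = ctx =>
                {
                    if (string.IsNullOrEmpty(ctx.Token))
                        ctx.Token = ctx.Request.Cookies["access_token"];
                    return Task.CompletedTask;
                }
            }
        });
    }
}
```

Verify with `curl -i -H "Authorization: Bearer bad" http://localhost:2444/api/values/123` and expect `HTTP/1.1 401` with a `WWW-Authenticate: Bearer` header rather than a redirect. Once the token is also accepted from a cookie, the API is again reachable by cross-site requests, so CSRF protection applies to it as it would to any cookie-authenticated endpoint.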

@PeppeL-G

Oh, I only needed to support the header version, so I've never tested cookies. I'm afraid I can't help you with that.
