ASP NET Web API Correct way to return a 401 unauthorised response

Question

I have an MVC webapi site that uses OAuth token authentication to authenticate requests  All the relevant controllers have the right attributes  and authentication is working ok    The problem is that not all of the request can be authorised in the scope of an attribute - some authorisation checks have to be performed in code that is called by controller methods - what is the correct way to return a 401 unauthorised response in this case   I have tried throw new HttpException 401   Unauthorized access     but when I do this the response status code is 500 and I get also get a stack trace  Even in our logging DelegatingHandler we can see that the response is 500  not 401

User · Answer

You get a 500 response code because you re throwing an exception  the HttpException  which indicates some kind of server error  this is the wrong approach   Just set the response status code  e g   Response StatusCode    int HttpStatusCode Unauthorized

User · Answer

To add to an existing answer in ASP NET Core    1 0 you can   return Unauthorized     return Unauthorized object value     To pass info to the client you can do a call like this   return Unauthorized new   Ok   false  Code   Constants INVALID CREDENTIALS           On the client besides the 401 response you will have the passed data too  For example on most clients you can await response json   to get it

User · Answer

Just return the following   return Unauthorized

User · Answer

you can use follow code in asp net core 2 0   public IActionResult index          return new ContentResult     Content    My error message   StatusCode    int HttpStatusCode Unauthorized

User · Answer

You should be throwing a HttpResponseException from your API method  not HttpException   throw new HttpResponseException HttpStatusCode Unauthorized     Or  if you want to supply a custom message   var msg   new HttpResponseMessage HttpStatusCode Unauthorized    ReasonPhrase    Oops        throw new HttpResponseException msg

User · Answer

As an alternative to the other answers  you can also use this code if you want to return an IActionResult within an ASP NET controller  ASP NET  return Content HttpStatusCode Unauthorized   quot My error message quot     Update  ASP NET Core Above code does not work in ASP NET Core  you can use one of these instead   return StatusCode  int System Net HttpStatusCode Unauthorized   quot My error message quot     return StatusCode Microsoft AspNetCore Http StatusCodes Status401Unauthorized   quot My error message quot     return StatusCode 401   quot My error message quot     Apparently the reason phrase is pretty optional  Can an HTTP response omit the Reason-Phrase

User · Answer

You also follow this code      var response   new HttpResponseMessage HttpStatusCode NotFound          Content   new StringContent  Users doesn t exist   System Text Encoding UTF8   text plain          StatusCode   HttpStatusCode NotFound     throw new HttpResponseException response

User · Answer

In  Net Core You can use  return new ForbidResult      instead of   return Unauthorized      which has the advantage to redirecting to the default unauthorized page  Account AccessDenied  rather than giving a straight 401  to change the default location modify your startup cs  services AddAuthentication options   gt                   AddOpenIdConnect options   gt                   AddCookie options   gt                                options AccessDeniedPath     path unauthorized

[c#] ASP.NET Web API : Correct way to return a 401/unauthorised response

Examples related to c#

Examples related to asp.net-mvc

Examples related to authorization