SyntaxFix

[c#] ASP.NET Web API : Correct way to return a 401/unauthorised response

I have an MVC webapi site that uses OAuth/token authentication to authenticate requests. All the relevant controllers have the right attributes, and authentication is working ok.

The problem is that not all of the request can be authorised in the scope of an attribute - some authorisation checks have to be performed in code that is called by controller methods - what is the correct way to return a 401 unauthorised response in this case?

I have tried throw new HttpException(401, "Unauthorized access");, but when I do this the response status code is 500 and I get also get a stack trace. Even in our logging DelegatingHandler we can see that the response is 500, not 401.

This question is related to c# asp.net-mvc authorization

The answer is

In .Net Core You can use

return new ForbidResult();

instead of 

return Unauthorized();

which has the advantage to redirecting to the default unauthorized page (Account/AccessDenied) rather than giving a straight 401

to change the default location modify your startup.cs

services.AddAuthentication(options =>...)
            .AddOpenIdConnect(options =>...)
            .AddCookie(options =>
            {
                options.AccessDeniedPath = "/path/unauthorized";

            })

Just return the following:

return Unauthorized();

To add to an existing answer in ASP.NET Core >= 1.0 you can 

return Unauthorized();

return Unauthorized(object value);

To pass info to the client you can do a call like this:

return Unauthorized(new { Ok = false, Code = Constants.INVALID_CREDENTIALS, ...});

On the client besides the 401 response you will have the passed data too. For example on most clients you can await response.json() to get it.

You get a 500 response code because you're throwing an exception (the HttpException) which indicates some kind of server error, this is the wrong approach.

Just set the response status code .e.g 

Response.StatusCode = (int)HttpStatusCode.Unauthorized;

You also follow this code: 

var response = new HttpResponseMessage(HttpStatusCode.NotFound)
{
      Content = new StringContent("Users doesn't exist", System.Text.Encoding.UTF8, "text/plain"),
      StatusCode = HttpStatusCode.NotFound
 }
 throw new HttpResponseException(response);

you can use follow code in asp.net core 2.0:

public IActionResult index()
{
     return new ContentResult() { Content = "My error message", StatusCode = (int)HttpStatusCode.Unauthorized };
}

As an alternative to the other answers, you can also use this code if you want to return an IActionResult within an ASP.NET controller.

ASP.NET

 return Content(HttpStatusCode.Unauthorized, "My error message");

Update: ASP.NET Core

Above code does not work in ASP.NET Core, you can use one of these instead:

 return StatusCode((int)System.Net.HttpStatusCode.Unauthorized, "My error message");
 return StatusCode(Microsoft.AspNetCore.Http.StatusCodes.Status401Unauthorized, "My error message");
 return StatusCode(401, "My error message");

Apparently the reason phrase is pretty optional (Can an HTTP response omit the Reason-Phrase?)

Source: Stackoverflow.com

Examples related to c#

How can I convert this one line of ActionScript to C#? Microsoft Advertising SDK doesn't deliverer ads How to use a global array in C#? How to correctly write async method? C# - insert values from file into two arrays Uploading into folder in FTP? Are these methods thread safe? dotnet ef not found in .NET Core 3 HTTP Error 500.30 - ANCM In-Process Start Failure Best way to "push" into C# array

Examples related to asp.net-mvc

Using Lato fonts in my css (@font-face) Better solution without exluding fields from Binding Vue.js get selected option on @change You must add a reference to assembly 'netstandard, Version=2.0.0.0 How to send json data in POST request using C# VS 2017 Metadata file '.dll could not be found The default XML namespace of the project must be the MSBuild XML namespace How to create roles in ASP.NET Core and assign them to users? The model item passed into the dictionary is of type .. but this dictionary requires a model item of type How to use npm with ASP.NET Core

Examples related to authorization

How to send custom headers with requests in Swagger UI? How do you create a custom AuthorizeAttribute in ASP.NET Core? ASP.NET Web API : Correct way to return a 401/unauthorised response How to get http headers in flask? How to define the basic HTTP authentication using cURL correctly? basic authorization command for curl MongoDB "root" user How to use basic authorization in PHP curl How to get user name using Windows authentication in asp.net? Python requests library how to pass Authorization header with single token

Tags

Getselection Crypt Cbitmap Jboss-tools Eruby Openser Google-gauges Easymock Bitstring Tinn-r Large-data-volumes Jsp Microtime Bytearrayoutputstream Http-unit Keynotfoundexception Data-mining Green-threads Noclassdeffounderror Jquery-ui-draggable Shared Textctrl Pscustomobject Ant-contrib Load-path Unspecified Android-build Tiff Usebean Dedicated-hosting Nstablecolumn Pharo Necklaces Hmac Labeled-statements Ruby-1.9.2 Pleasewait Text-justify Messagewindow Variable-length N-ary-tree Cucumber Django-piston Webpage Parse-url Autoexpect Tdatetime Sp-msforeachdb Server-administration Activedirectorymembership Libavcodec Advantage-database-server Page-caching Eventual-consistency Pushpin Viewstub Perwebrequest Tombstoning Copying Gnu-smalltalk Rssi Nsfilehandle Termcap Filesystem-access Touch-typing Ldd Analysis Epm Whoosh Backticks Cls-compliant Clrdump Dialing Mysql-error-1005 Grid-system Arpack Nativewindow Recording Device-name Term Memory-address Drupal-themes Dbx Tiger Resolutions Mixed-radix Ora-06550 Recaptcha Scalate Cmdlets Irc Rad-controls Webm Jquery-resizable Sessionstate-timeout Cocoahttpserver Mysource Type-mismatch G360 Word-template