This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Flow for authenticated but unauthorized users with OIDC is broken (infinite redirect) #667

Closed
@DamianEdwards

The live.asp.net web site is configured to authenticate with OIDC (Azure AD) only (as emitted by the template during File -> New). The AdminController is configured to require authorization with a policy "Admin", which basically just asserts that the user is signed in with one of three usernames.

The issue is that anybody in the Azure AD org (microsoft.com) can sign in to the site (authenticate), but when they try to access the protected resource (/admin) the policy fails and they're redirected back to Azure to sign in. As they're already signed in, Azure redirects back to the originally requested resource, which fails the policy, and the loop continues forever.

The desired flow would appear to be that in the case a user is authenticated but not authorized for a resource when using OIDC, a "Forbidden" page is shown (as configured by the app, e.g. /account/forbidden) with a suitable message and a button that enables the user to sign in as another user. The button would basically sign them out, then redirect them back to the originally requested resource, which would start the proper authentication flow again.

@Tratcher @blowdart @vibronet
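One way to get the flow described above (forbidden page for an authenticated-but-unauthorized user, plus a "sign in as another user" button), as an added example that is not the live.asp.net code or the aspnet/Security team's fix: it intercepts the OIDC redirect when the user already holds a session and sends them to a forbidden page instead, breaking the loop. It assumes the ASP.NET Core 1.x authentication API surface (`OpenIdConnectOptions.Events`, `HttpContext.Authentication`), a hypothetical `AccountController`, and the route `/account/forbidden` from the issue; `/account/switchuser` is an assumed name.

```csharp
// Startup.Configure: only the Events part matters for this issue (added example).
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    ClientId = Configuration["Authentication:AzureAd:ClientId"],   // assumed config keys
    Authority = Configuration["Authentication:AzureAd:Authority"],
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = context =>
        {
            // A challenge for a user who is ALREADY authenticated means authorization,
            // not authentication, failed. Redirecting to Azure AD would just loop, so
            // show the app's forbidden page instead and remember where they were going.
            if (context.HttpContext.User.Identity.IsAuthenticated)
            {
                var returnUrl = context.Properties?.RedirectUri ?? "/";
                context.Response.Redirect("/account/forbidden?returnUrl="
                                          + Uri.EscapeDataString(returnUrl));
                context.HandleResponse(); // stop the handler from issuing the OIDC redirect
            }
            return Task.CompletedTask;
        }
    }
});

// Hypothetical AccountController (added example).
public class AccountController : Controller
{
    [HttpGet("/account/forbidden")]
    public IActionResult Forbidden(string returnUrl)
        => View(model: returnUrl); // view shows the message and a "sign in as another user" button

    // The button POSTs here: clear the local cookie, then sign out of Azure AD and have
    // the provider send the user back to the originally requested resource, which starts
    // a fresh authentication flow.
    [HttpPost("/account/switchuser")]
    [ValidateAntiForgeryToken]
    public async Task SwitchUser(string returnUrl)
    {
        // Only accept local return URLs so the forbidden page cannot be used as an open redirect.
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        await HttpContext.Authentication.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.Authentication.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = target });
    }
}
```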
