ASP.Net core MVC6 Redirect to Login when not authorised

Solution 1

I was just wrestling with this myself and I've come to the conclusion that there seems to be an issue in the latest version of the "Microsoft.AspNetCore.Identity.EntityFrameworkCore" dependency.

I was originally using version 1.1.0 but after lots of debugging, OWIN middleware logging, etc., I came to the conclusion that I wasn't doing anything wrong. I checked:

  • Authorize attribute worked and blocked the request
  • Added event handlers (OnRedirectToLogin) as below to verify the redirect URL (this was only for debugging)

    options.Cookies.ApplicationCookie.Events = new CookieAuthenticationEvents
    { 
        OnRedirectToLogin = evt => {
            evt.Response.Redirect(evt.RedirectUri); // this url is correct, but the redirect never happens!??
            return Task.FromResult(0);
        }
    };     
    

The resolution: I rolled back my package to version 1.0.1 and then the redirects kicked in as expected, to the URL defined in Startup.cs in the LoginPath setting:

options.Cookies.ApplicationCookie.LoginPath = new PathString("/Auth/Login");

To clarify, THIS version works: "Microsoft.AspNetCore.Identity.EntityFrameworkCore": "1.0.1"

I'm going to raise a bug with the ASPNETCORE team for investigation with regard to the 1.1.0 version.

Solution 2

OK, as of ASP.NET Core 2.1, in order to redirect the user to the login page, this is what you need to do in the ConfigureServices(IServiceCollection services) method.

services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/Identity/Account/Login";
    options.SlidingExpiration = true;
});

For more info, visit the Microsoft Identity documentation: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-2.1#cookie-settings
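
The following is an added example, not code from the answer above or from Microsoft: a Startup for ASP.NET Core 3.1 (the version mentioned in the comments) that combines the LoginPath setting with the OnRedirectToLogin event from Solution 1 and the middleware order that endpoint routing expects. The "/api" prefix, the 30-minute lifetime and the cookie flags are assumptions; Identity itself is assumed to be registered elsewhere.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Assumption: AddIdentity / AddDefaultIdentity and the EF stores
        // are registered before this call.
        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = "/Identity/Account/Login";
            options.SlidingExpiration = true;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);        // assumed lifetime
            options.Cookie.HttpOnly = true;                           // not readable from script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // sent over HTTPS only
            options.Cookie.SameSite = SameSiteMode.Lax;

            // Browsers get the login redirect; callers under the assumed
            // "/api" prefix get a plain 401 instead of a login page.
            options.Events.OnRedirectToLogin = context =>
            {
                if (context.Request.Path.StartsWithSegments("/api"))
                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                else
                    context.Response.Redirect(context.RedirectUri);
                return Task.CompletedTask;
            };
        });
        services.AddControllersWithViews();
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // reads the cookie and sets HttpContext.User
        app.UseAuthorization();    // enforces [Authorize] and triggers the cookie challenge
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapDefaultControllerRoute();
            endpoints.MapRazorPages();
        });
    }
}
```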

Solution 3

Same problem here. A quick fix while this problem is solved:

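using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// The filter only runs once it is registered, e.g.
// services.AddMvc(o => o.Filters.Add(new LogInRequiredFilter()));
public class LogInRequiredFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Only actions marked with [LogInRequired] are checked.
        if (!AttributeManager.HasAttribute(context, typeof(LogInRequired))) return;

        // Authenticated users pass through untouched.
        if (context.HttpContext.User.Identity.IsAuthenticated) return;

        // Short-circuit the request with a redirect that carries the requested path.
        context.Result = new RedirectResult("/login?ReturnUrl=" + Uri.EscapeDataString(context.HttpContext.Request.Path));
    }
}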

public class LogInRequired : Attribute
{
    public LogInRequired()
    {

    }
}

And then in your controller:

    [HttpGet, LogInRequired]
    public IActionResult Index() // the action name is missing in the original post; "Index" is a placeholder
    {
        return View();
    }

This will redirect you to your login page and afterwards it redirects you to the original page you wanted to access.

Attribute manager code:

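using System;
using System.Linq;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc.Filters;

public static class AttributeManager
{
    // True when the action method being executed carries the given attribute.
    public static Boolean HasAttribute(AuthorizationFilterContext context, Type targetAttribute)
    {
        var hasAttribute = false;
        var controllerActionDescriptor = context.ActionDescriptor as ControllerActionDescriptor;
        if (controllerActionDescriptor != null)
        {
            hasAttribute = controllerActionDescriptor
                .MethodInfo
                .GetCustomAttributes(targetAttribute, false).Any();
        }

        return hasAttribute;
    }
}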
Author by

Mike U

Updated on June 14, 2022

Comments

  • Mike U
    Mike U almost 2 years

    I am using ASP.Net core MVC 6, I am trying to get the user redirected to the login page if they are not authenticated.

    I can't seem to get it to work, currently the user just gets a blank page.

    Below is my ConfigureServices method in Startup.cs

        public void ConfigureServices(IServiceCollection services) {
            // Add framework services.
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"))
            );
    
            services.AddIdentity<ApplicationUser, IdentityRole>(options => {
                // configure identity options
                options.Password.RequireDigit = true;
                options.Password.RequireLowercase = true;
                options.Password.RequireUppercase = true;
                options.Password.RequireNonAlphanumeric = true;
                options.Password.RequiredLength = 7;
    
                options.Cookies.ApplicationCookie.AutomaticAuthenticate = true;
                options.Cookies.ApplicationCookie.AutomaticChallenge = true;
                options.Cookies.ApplicationCookie.LoginPath = "/Account/Login";
    
                // User settings
                options.User.RequireUniqueEmail = true;
            })
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();
    
            services.AddMvc();
    
            // Add application services.
            services.AddTransient<IEmailSender, AuthMessageSender>();
            services.AddTransient<ISmsSender, AuthMessageSender>();
        }
    
  • Rob
    Rob over 6 years
    Where does AttributeManager come from? Is there a different library for this?
  • Mariano Soto
    Mariano Soto over 6 years
    Sorry for the delay. It's a custom class that checks if an action has an attribute. Answer has been updated
  • Mocas
    Mocas almost 4 years
    I am still unable to get the user directed to the login page if not logged in. I tried adding the above code in the main Startup.cs and also in IdentityHostingStartup.cs, neither would work. What am I missing? BTW, I am using Core 3.1
  • Ben
    Ben about 3 years
    Thanks. Be sure to change the LoginPath if you've previously changed the login url. For me, I had to change the path from "/Identity/Account/Login" to "/login"