aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Exception on cancelled external login #1824

Closed TareqNewazShahriar closed 6 years ago

TareqNewazShahriar commented 6 years ago

An Internal Server Error occurs when an external (Facebook) login is canceled and Facebook redirects back to the source application. That is, you click the Facebook external login button and then cancel it by clicking the "Not Now" button. Facebook redirects back to your application (https://localhost:port/signin-facebook?...); and then voila -- exception.

An unhandled exception occurred while processing the request. Exception: access_denied;Description=Permissions error Unknown location

Exception: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()


When Facebook authentication is set up by the ASP.NET Core system from the Startup.cs class, the 'https://.../signin-facebook' route is generated automatically by the Facebook authentication provider, as described in the Microsoft docs and GitHub/aspnet:

If I hit "https://localhost:port/signin-facebook" directly without any query string, it shows this exception: The OAuth state was missing or invalid.

But the expected behavior is that it will be redirected to the default login page.

Here's the Startup.cs snippet:

// Identity's application cookie (ConfigureApplicationCookie) and the explicit
// cookie scheme below both point at the account login page.
services.ConfigureApplicationCookie(options => options.LoginPath = "/Account/LogIn");
services
    .AddAuthentication(o => o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";
        options.LogoutPath = "/Account/Logout";
    });

// External provider; its default CallbackPath is "/signin-facebook".
// AppId/AppSecret are read from configuration, not hard-coded.
services.AddAuthentication()
    .AddFacebook(o =>
    {
        o.AppId = Configuration.GetValue<string>("Facebook:AppId");
        o.AppSecret = Configuration.GetValue<string>("Facebook:AppSecret");
    });

I configured a custom CallbackPath (as described in the Microsoft docs), but got the same exception.

So... what's going on? What is the problem? And what's the solution?

FYI, I'm not accessing the DB from the application; I'm using the default IdentityDbContext with .UseModel() and cookie authentication via HttpContext.SignInAsync. Everything's fine when the external login is completed instead of canceled.

Tratcher commented 6 years ago

Duplicate of https://github.com/aspnet/Security/issues/1165.

TareqNewazShahriar commented 6 years ago

@Tratcher Just read the mentioned issue. Used the OnRemoteFailure event to handle the exception gracefully and to redirect to the login page.

At least it worked. So I have to handle it for all the external logins, for now.

So... what will I do with this issue? Will I close it?
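
The OnRemoteFailure approach mentioned in the comment above, written out as an added example (not code from the issue or from the aspnet/Security repository). It assumes the "/Account/Login" path from the posted snippet and a hypothetical `ExternalLoginFailure` helper so that one handler can be attached to every external provider. Both failures described in the issue ("access_denied;Description=..." when the user clicks "Not Now", and "The OAuth state was missing or invalid." when /signin-facebook is hit directly) are raised through the same RemoteFailure event, so one handler covers both. The redirect target is a fixed app-relative path rather than anything taken from the callback request, because that query string is attacker-controlled, and only a coarse fixed reason is echoed to the browser instead of the raw failure message.

```csharp
// Added example; not the issue author's or the project's code.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical helper: a single RemoteFailure handler reused by every external scheme.
public static class ExternalLoginFailure
{
    // Fixed, app-relative target. Never redirect to a URL pulled from the failing
    // callback request (query string, ReturnUrl, etc.); that would be an open redirect.
    private const string LoginPath = "/Account/Login";

    public static Task OnRemoteFailure(RemoteFailureContext context)
    {
        var message = context.Failure?.Message ?? string.Empty;

        // The full failure text (provider error, description, missing/invalid state) goes
        // to the server log only; the browser just sees "cancelled" or "failed".
        var logger = context.HttpContext.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("ExternalLogin");
        logger.LogWarning("Remote login via {Scheme} failed: {Message}", context.Scheme.Name, message);

        // OAuth providers report a user cancellation as error=access_denied, which the
        // OAuth handler surfaces as "access_denied;Description=...".
        var reason = message.StartsWith("access_denied", StringComparison.Ordinal) ? "cancelled" : "failed";

        context.Response.Redirect(LoginPath + "?externalLogin=" + Uri.EscapeDataString(reason));
        context.HandleResponse(); // mark the response as handled so the handler does not rethrow as a 500
        return Task.CompletedTask;
    }
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";
                options.LogoutPath = "/Account/Logout";
            })
            .AddFacebook(o =>
            {
                o.AppId = Configuration["Facebook:AppId"];
                o.AppSecret = Configuration["Facebook:AppSecret"];
                // Same handler can be assigned on any other provider's Events
                // (Google, Microsoft, Twitter, ...), which is what "handle it for all
                // the external logins" amounts to.
                o.Events.OnRemoteFailure = ExternalLoginFailure.OnRemoteFailure;
            });
    }
}
```

A quick check is to start the app, open /signin-facebook with no query string, and confirm you land on /Account/Login?externalLogin=failed with a warning in the log instead of a 500 page; cancelling at Facebook's "Not Now" should give the same page with externalLogin=cancelled.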

Tratcher commented 6 years ago

Yes, please close it if all of your scenarios are covered by the other issue.