jitbit / AspNetSaml

Very simple SAML 2.0 consumer module for ASP.NET/C#
https://www.jitbit.com
Apache License 2.0

How to redirect if user not logged in? #89

Closed Xorboth closed 3 months ago

Xorboth commented 3 months ago

Hello, I love your library, I have one question though. I hope you can help me. I have an ASP.NET web app and I'd like to use this library, and was able to do it. However, I can't figure out how to redirect the user to the IdP login page if the user is not logged in. What's troubling me is that without any automatic redirect, all the APIs are still callable by the user even when not logged in, and this is a security problem.

alex-jitbit commented 3 months ago

This is really outside of this library's scope, but

  1. To make controllers and APIs available to authenticated users only, use the [Authorize] attribute.

  2. To redirect all users to a login path, use this:

    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        //...
        options.LoginPath = "/User/Login";
        //...
    });

This way all anonymous users will be redirected to /User/Login - and that's where you redirect them to the IdP.
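The two steps above wired together, as an added example that is not code from the AspNetSaml project or from the commenter: cookie authentication with `LoginPath`, a `/User/Login` action that forwards anonymous users to the IdP, a consumer action that validates the response and signs the user in, and an `[Authorize]`d API controller. `Saml.AuthRequest`, `GetRedirectUrl`, `Saml.Response`, `IsValid()` and `GetNameID()` are AspNetSaml's public API as documented in its README; the `relayState` parameter of `GetRedirectUrl` is assumed to exist in the installed version. The IdP URL, entity ID, ACS URL and certificate are placeholders.

```csharp
// Added example, not part of the AspNetSaml project. Placeholders: IdpSsoUrl, EntityId,
// ConsumerUrl, IdpCertificate. Assumes AspNetSaml's AuthRequest/Response API from its README.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/User/Login";            // anonymous users hitting [Authorize] land here
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;   // Lax, not Strict: the IdP POSTs back cross-site
        // API routes are better served with a 401 than a 302 to an HTML login page
        options.Events.OnRedirectToLogin = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api"))
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            }
            ctx.Response.Redirect(ctx.RedirectUri);
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

public class UserController : Controller
{
    // Placeholder values: your IdP's SSO endpoint, your SP entity ID, your ACS URL, the IdP signing cert.
    const string IdpSsoUrl = "https://idp.example.com/sso";
    const string EntityId = "https://app.example.com";
    const string ConsumerUrl = "https://app.example.com/User/SamlConsume";
    const string IdpCertificate = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----";

    // The cookie middleware sends anonymous users here (with ?ReturnUrl=...); forward them to the IdP.
    [HttpGet]
    public IActionResult Login(string? returnUrl)
    {
        var request = new Saml.AuthRequest(EntityId, ConsumerUrl);
        // Remember only a local path, otherwise the round trip becomes an open redirect.
        var safeReturn = Url.IsLocalUrl(returnUrl) ? returnUrl! : "/";
        return Redirect(request.GetRedirectUrl(IdpSsoUrl, relayState: safeReturn));
    }

    // The IdP POSTs the signed SAMLResponse here.
    [HttpPost]
    [IgnoreAntiforgeryToken] // a cross-site POST from the IdP cannot carry our antiforgery token
    public async Task<IActionResult> SamlConsume()
    {
        var samlResponse = new Saml.Response(IdpCertificate, Request.Form["SAMLResponse"]);
        if (!samlResponse.IsValid())
            return Unauthorized(); // bad signature, expired, or not for us: never sign in

        var claims = new[] { new Claim(ClaimTypes.NameIdentifier, samlResponse.GetNameID()) };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // RelayState came back from the IdP; re-check it is local before following it.
        var relay = Request.Form["RelayState"].ToString();
        return LocalRedirect(Url.IsLocalUrl(relay) ? relay : "/");
    }
}

// With LoginPath configured, anonymous callers never reach this action body:
// browser navigations get a 302 to /User/Login, /api/* callers get a 401.
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { user = User.Identity?.Name });
}
```

The `OnRedirectToLogin` override is the part most often missed when the original question's concern is APIs: without it, an unauthenticated XHR or script call gets a 302 to an HTML page rather than a clean 401, which both confuses clients and hides the auth failure from monitoring.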