How to throw ForbiddenException in ASP.NET Core 2 Instead of using AccessDeniedPath

Question

I am working on an ASP.NET Core 2 web application. I am handling Access Denied page for [Authorize (roles OR policies)] pages.

By default, Instead of showing the original URL and returning 403 status, ASP.NET Core 2.0 redirects the request to an AccessDenied page with status is 302 -> This is not what I want.

Instead of redirecting AccessDenied page. I want ASP.NET Core throws my custom ForbiddenException exception so I can handle unauthorized accesses like I do for Unhandled exceptions.

Here is my authentication configuration:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies       
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
})
.AddCookie(options => {

    options.LoginPath = "/Auth/Login/";
    options.LogoutPath = "/Auth/Logout/";

    // I want disable this and throw ForbiddenException instead.
    options.AccessDeniedPath = "/Auth/AccessDenied/";  
});

Anyone has any help? Thank you!

Answer 1

The code for redirecting to AccessDeniedPath is handled by CookieAuthenticationEvents.OnRedirectToAccessDenied, included here for completeness:

public Func<RedirectContext<CookieAuthenticationOptions>, Task> OnRedirectToAccessDenied { get; set; } = context =>
{
    if (IsAjaxRequest(context.Request))
    {
        context.Response.Headers["Location"] = context.RedirectUri;
        context.Response.StatusCode = 403;
    }
    else
    {
        context.Response.Redirect(context.RedirectUri);
    }
    return Task.CompletedTask;
};

In order to override this behavior, you can provide your own implementation of OnRedirectToAccessDenied, that can either write to the response or, in your case, throw an exception. To do that, you can use something like the following:

services.AddAuthentication(...)
    .AddCookie(options => {
        // ...
        options.Events.OnRedirectToAccessDenied = context => {
            // Your code here.
            // e.g.
            throw new YouAreNotWelcomeHereException();
        };
    });

Here, context is an instance of RedirectContext, which (through its inheritance tree), contains properties such as:

• HttpContext
• Request
• Response
• Properties (type: AuthenticationProperties)

Using these properties, you can obtain any information you need about the incoming request. You can also write your own response, etc.