Override error code on AuthorizationCodeProvider.Create

Submitted by 故事扮演 on 2019-12-08 06:25:58

Question


This question is about the implementation of the Authorization Code flow using Owin in Asp.net Wep Api.

I was trying to handle some errors that might happen during my AuthorizationCode creation. Apparently I can't redirect myself to the client redirect URI with the correct error code, which is "server_error".

The following is my code:

using System;
using Microsoft.Owin.Security.Infrastructure;

// logger and GetRedirectUri() are the poster's own helpers and are not shown in the post.
private static void CreateAuthorizationCode(AuthenticationTokenCreateContext context)
{
    try
    {
        // Some code to create and save the AuthorizationCode that can throw an exception
        context.SetToken(code);
    }
    catch (Exception ex)
    {
        logger.Fatal(ex);
        // Attempt to send the client to its redirect URI with a server_error code
        var redirectUri = GetRedirectUri();
        var redirectLocation = string.Format("{0}?code={1}", redirectUri, "server_error");
        context.Response.Redirect(redirectLocation);
    }
}

But I get redirected by the framework to the redirect URI with https://redirecturi?error=unsupported_response_type !

Is this normal behavior? Or is there maybe another way to handle this kind of scenario and set the error code myself?

PS: I created an issue on GitHub about that: https://github.com/aspnet/Security/issues/375 No answer so far!

Thank you.


Answer 1:


Is this normal behavior? Or is there maybe another way to handle this kind of scenario that I'm missing?

Normal, I dunno. But expected, definitely: when using an IAuthenticationTokenProvider, you're not supposed to alter the HTTP response.

Why is there no way to set the error myself using the AuthenticationTokenCreateContext object, like context.SetError("my_error")?

Unlike the ValidateAuthorizeRequest notification, it hasn't been designed to allow you to return an error.

Sadly, there's no way to return a server_error response from an IAuthenticationTokenProvider, since OAuthAuthorizationServerHandler will always use unsupported_response_type if you don't provide an authorization code: https://github.com/jchannon/katanaproject/blob/master/src/Microsoft.Owin.Security.OAuth/OAuthAuthorizationServerHandler.cs#L204

FYI, this is something we fixed recently in AspNet.Security.OpenIdConnect.Server (a fork of the OAuth2 authorization server shipped with Katana 3): https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/112#issuecomment-125040925. If your custom code returns a null authorization code, a server_error response will be automatically returned to the client application.
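Added example, not the question's code and not Katana's or ASOS's own: since the answer says ValidateAuthorizeRequest is the notification designed to return an error while the token provider is not, a defensive layout checks the code store's precondition there (reporting server_error before any code is minted) and keeps the provider free of any writes to the HTTP response. IAuthorizationCodeStore and its IsAvailable/Save methods are hypothetical names, and the app is assumed to already validate the client's redirect URI in ValidateClientRedirectUri so that Katana can redirect the error to the client.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

// Hypothetical store abstraction standing in for wherever the question's
// code persists authorization codes.
public interface IAuthorizationCodeStore
{
    bool IsAvailable();
    void Save(string code, string serializedTicket);
}

public class AuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IAuthorizationCodeStore _store;
    public AuthorizationServerProvider(IAuthorizationCodeStore store) { _store = store; }

    public override Task ValidateAuthorizeRequest(OAuthValidateAuthorizeRequestContext context)
    {
        // This notification may reject the request, so a known precondition
        // failure is reported with the RFC 6749 server_error code and the
        // handler redirects the client with error=server_error before any
        // authorization code is created.
        if (!_store.IsAvailable())
        {
            context.SetError("server_error", "The authorization code store is unavailable.");
            return Task.FromResult(0);
        }
        // Default behaviour marks the request as validated.
        return base.ValidateAuthorizeRequest(context);
    }
}

public class AuthorizationCodeProvider : AuthenticationTokenProvider
{
    private readonly IAuthorizationCodeStore _store;
    public AuthorizationCodeProvider(IAuthorizationCodeStore store) { _store = store; }

    public override void Create(AuthenticationTokenCreateContext context)
    {
        // Only mint and store the code; never write to context.Response here.
        // If Save throws, the exception propagates up the OWIN pipeline; if it
        // were caught and no token set, Katana would still answer with
        // unsupported_response_type, which this provider cannot override.
        var code = Guid.NewGuid().ToString("N");
        _store.Save(code, context.SerializeTicket());
        context.SetToken(code);
    }
}
```

A failure that only appears between the precondition check and Create still cannot be turned into server_error on Katana 3; for that behaviour the answer points to the ASOS fork, where a null code yields server_error automatically.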



Source: https://stackoverflow.com/questions/31725791/override-error-code-on-authorizationcodeprovider-create
