
Intercept/stop ASP.NET Identity unauthorized redirect for authenticated users

ASP.NET Identity issues a 302 Found response, redirecting to the Login page for all unauthorized requests, including authenticated requests with insufficient permissions. It's a confusing user experience to redirect an authenticated user to a login page.

How can I intercept/stop/cancel this redirect for authenticated users and issue a 403 Forbidden response (and therefore show my custom 403 page) instead? Unauthenticated users should continue to see the standard behavior.

I've tried adding a simple custom Owin Middleware before and after the CookieAuthenticationMiddleware but could not figure out how to identify an unauthorized request.

You need to have a custom Authentication Filter with similar code:

using System;
using System.Web.Mvc;
using System.Web.Routing;

// Not abstract: the attribute must be instantiable to be applied as [MyAuthorize].
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    // Called by AuthorizeAttribute when authorization fails; the base implementation
    // returns 401, which the cookie middleware then turns into the Login redirect.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }
        // Intercept results where the person is authenticated but still doesn't have permissions
        if (filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Controller.TempData["ErrorMessage"] = "Sorry, you are logged in but you have attempted to access a page that you don't have permissions to.";

            // TODO need to set up a route that points to your custom page, call that route RestrictedAccess
            filterContext.Result = new RedirectToRouteResult("RestrictedAccess", new RouteValueDictionary());
        }
        else
        {
            // Anonymous user: keep the standard 401 -> Login redirect behaviour
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

And then instead of [Authorize] you need to apply the [MyAuthorize] attribute to your controllers.
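An alternative that works at the level the asker was experimenting with, added here as an example and not part of the original answer: the 302 is issued by the cookie authentication handler while it processes a 401 response, and `CookieAuthenticationProvider.OnApplyRedirect` is the hook at that exact point. The `ConfigureAuth` method name and the `/Account/Login` path are assumptions about the project's Startup class.

```csharp
using System.Net;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example: replace the Login redirect with 403 for users who are already
// authenticated, while anonymous users keep the default redirect.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // assumed login route
            Provider = new CookieAuthenticationProvider
            {
                // Invoked by the cookie handler when the response is 401 and it is
                // about to redirect to LoginPath; nothing is redirected unless we do it.
                OnApplyRedirect = ctx =>
                {
                    var user = ctx.Request.User;
                    if (user != null && user.Identity.IsAuthenticated)
                    {
                        // Authenticated but not authorized: answer 403 and let the
                        // application's customErrors/httpErrors 403 page render.
                        ctx.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                        return;
                    }

                    // Anonymous request: preserve the standard behaviour.
                    ctx.Response.Redirect(ctx.RedirectUri);
                }
            }
        });
    }
}
```

Because this runs for every 401 the pipeline produces, it covers [Authorize] on MVC controllers and Web API alike without replacing the attribute, and it explains why a middleware placed before or after the cookie middleware saw nothing to intercept: the redirect is applied during the response challenge, not as a separate request step.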
