Asp.net为web-api解雇重定向的核心授权

Question

I try to get started with asp.net core web application with SPA. I have built everything by the tutorials. So I setup authorization like that:

            app.UseIdentity()
            .UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationScheme = "MyCookieMiddlewareInstance",
                AutomaticAuthenticate = true,
                AutomaticChallenge = true
            });

And I have web-api controller:

[Route("Somewhere")]
[Produces("application/json")]
[Authorize()]
public class MyControllerController : Controller
{
    [HttpGet]
    public async Task<IEnumerable<Something>> GetSomething()
    {
       //....
    }
}

And authorization functionality:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        //...
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe);
        if (result.Succeeded)
        {
            _logger.LogInformation(1, "User logged in.");
            return Redirect("somewhere");
        }
        //...
    }

But when I call my webapi endpoint in JS, I receive redirect to login page instead of 401 status.

I have started to investigate and found answer on stackoverflow that I have to set false to AutomaticChallenge and remove .UseIdentity() . But when I do it my [POST]AccountController.Login method stop working on line - var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe); with exception - No authentication handler is configured to handle the scheme: Identity.Application .

I want to receive redirect in my MVC controllers, but receive 401/403 when from Webapi endpoints in case of no authorization. How to achieve different behavior from AuthorizeAttribute for MVC and WebApi controllers? Thanks for any advance.

Answer 1

Michał Dymel wrote a blog post about that: https://devblog.dymel.pl/2016/07/07/return-401-unauthorized-from-asp-net-core-api/

Instead of setting AutomaticChallenge to false , he uses the IdentityOptions to intercept the redirect to the login view and reject it when the request URL starts with an "/api/" segment. To achieve this, you should modify your Startup.ConfigureServices method as follows:

services.AddIdentity<User, Role>(identityOptions =>
    {
        identityOptions.Cookies.ApplicationCookie.Events =
            new CookieAuthenticationEvents
            {
                OnRedirectToLogin = context =>
                                    {
                                        if (context.Request.Path.StartsWithSegments("/api") &&
                                            context.Response.StatusCode == (int) HttpStatusCode.OK)
                                            context.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
                                        else
                                            context.Response.Redirect(context.RedirectUri);

                                        return Task.CompletedTask;
                                    }
            };
    });