Redirect to URL instead of 401 for unauthenticated

Question

I am using ASP.Net 5 MVC 6 with JWT tokens that are created while the user is on another site which this site is a subdomain of. My goal is to pass the token along with the request to this subdomain. If a user happens to try to come to this subdomain url without the proper token in the header then I want to redirect them to the main site login page.

After much frustration with the newest RC-1 release and using JWT tokens with a SecureKey instead of certificates. I finally got my code working by using the RC-2 nightly build version. Now my problem is that I want to be able to redirect to an outside url in the case of unauthenticated users. Here is an example of my authentication code:

        var key = "mysupersecretkey=";
        var encodedkey2 = Convert.FromBase64String(key);
        app.UseJwtBearerAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;
            options.AutomaticChallenge = true;
            options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(encodedkey2);
            options.TokenValidationParameters.ValidIssuer = "https://tv.alsdkfalsdkf.com/xxx/yyy";
            options.TokenValidationParameters.ValidateIssuer = true;
            options.TokenValidationParameters.ValidAudience = "https://www.sdgfllfsdkgh.com/";
            options.TokenValidationParameters.ValidateAudience = true;
            options.Configuration = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration()
            {
                Issuer = "https://tv.sdfkaysdf.com/xxx/yyy"
            };
        });

now I see other examples which are using OpedId and they have it pretty easy , there is a parameter called RedirectUrl

 app.UseOpenIdConnectAuthentication(options => {
    ...
    options.RedirectUri = "https://localhost:44300";
    ...
 });

any idea how to set RedirectUrl when using JwtBearerAuthentication ???

Answer 1

There's no such property for a simple reason: the JWT bearer middleware (like the more generic OAuth2 middleware in Katana) has been designed for API authentication, not for interactive authentication. Trying to trigger a redirection in this case wouldn't make much sense for headless HTTP clients.

That said, it doesn't mean that you can't redirect your unauthenticated users at all , at some point. The best way to handle that is to catch the 401 response returned by the JWT middleware at the client level and redirect the user to the appropriate login page. In JS applications for instance, this is usually done using an HTTP interceptor .

If you're really convinced breaking the OAuth2 bearer specification is the right thing to do, you can do that using the OnChallenge notification:

app.UseJwtBearerAuthentication(options => {
    options.Events = new JwtBearerEvents {
        OnChallenge = context => {
            context.Response.Redirect("http://localhost:54540/login");
            context.HandleResponse();

            return Task.FromResult(0);
        }
    };
});