當用戶的 AD 身份驗證失敗時如何導航到自定義訪問被拒絕頁面（使用 OpenIDConnect Azure AD 身份驗證的 .net 3.1 核心）

Question

我有一個 .Net 核心 3.1 Web 應用程序，我通過在 Azure 中設置應用服務注冊並分配用戶來實現 AD 身份驗證。 現在，當未經授權的用戶嘗試訪問應用程序時，AD 身份驗證失敗並轉到 OPENIDConnect 異常頁面。 但我所需要的只是將用戶導航到我的應用程序中的自定義頁面 AccessDenied 頁面。

預期：當用戶未通過身份驗證時。 他應該導航到 /Home/AccessDeined Page。

實際：異常頁面： Signin-Oidc 異常頁面

啟動文件

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;                 
        });

       

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.Authority = options.Authority + "/v2.0/";
            options.TokenValidationParameters.ValidateIssuer = false;
            //options.AccessDeniedPath = new PathString("/Home/AccessDenied");
            options.ResponseType = "id_token code";
            options.Events.OnAuthenticationFailed = context =>
            {

                context.Response.Redirect("/Home/AccessDenied");
                context.HandleResponse();

                return Task.FromResult(0);
            };                
        });

        services.AddControllersWithViews();
        services.AddHttpClient();


        services.AddSession();
        //services.Configure<CookieTempDataProviderOptions>(options =>
        //{
        //    options.Cookie.IsEssential = true;
        //});

        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                            .RequireAuthenticatedUser()
                            .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        });           

        services.AddLogging();
        services.AddProgressiveWebApp();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();
        app.UseSession();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapControllers();
           

            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Appsettings.Json

"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "XXXXXXXXX",
"TenantId": "XXXXXXXXXXXXXXXXXXXXX",
"ClientId": "XXXXXXXXXXXXXXXXXXXXXX",
"ClientSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"CallbackPath": "/signin-oidc"

},

家庭控制器.cs

[AllowAnonymous]
    public IActionResult AccessDenied()
    {
        return View();
    }

Answer 1

在Startups.cs CookieAuthenticationOptions 上指定路徑將起作用。 請使用以下代碼並在 PathString 中定義您的路徑

services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    options.AccessDeniedPath = new PathString("/Home/CustomAccessDenied");
});