5

I'm developing an Asp.Net Core application. I'm using built-in Identity for login, roles, authorization and authentication. I'm developing/testing/debugging with IIS Express on a Windows machine. When I'm logged in as a non-admin user and try to navigate to a url that only admins have access to (Authorize attribute on the whole controller), the application redirects to an access denied URL, but then I get an error message saying that the url query string is too long. Upon inspecting the url, it appears to have repeated sections. I'll try to paste it below. Should I report this as a bug, or can I change a setting to prevent it?

https://localhost:44383/Account/AccessDenied?ReturnUrl=%2FAccount%2FAccessDenied%3FReturnUrl%3D%252FAccount%252FAccessDenied%253FReturnUrl%253D%25252FAccount%25252FAccessDenied%25253FReturnUrl%25253D%2525252FAccount%2525252FAccessDenied%2525253FReturnUrl%2525253D%252525252FAccount%252525252FAccessDenied%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FAccessDenied%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FAccessDenied%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FAccessDenied%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FAccessDenied%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FAccessDenied%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FAccessDenied%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FAccessDenied%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FAccessDenied%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FAccessDenied%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FAccessDenied%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FAccessDenied%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FAccessDenied%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FAccessDenied%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAdmin%2525252525252525252525252525252525252FEditUser%2525252525252525252525252525252525252Ff61bbba3-42b5-4831-8ff1-4d92e42d5d99
  • Okay looks like I need to set the redirect url in the startup middleware. https://stackoverflow.com/a/38266682/4679704 – Matthew Bishop Feb 11 '18 at 10:41
  • check this also [ASP.Net Core maxUrlLength](https://stackoverflow.com/questions/39048189/asp-net-core-maxurllengt) – Set Feb 11 '18 at 10:42
  • You have an endless redirect loop in here. Your page redirects to access denied and then again and again and again. You can see the ReturnUrl replicating multiple times until it's too big and fails with the error message – Tseng Feb 11 '18 at 11:45
  • Maybe your `Account/AccessDenied`... Seems like /Account/AccessDenied requires a logged in user. Are you logged in when the redirect happens? Do you by chance have two different authentications for front end and admin panel (using different Authentication Schemes)? Posting your identity configuration may help – Tseng Feb 11 '18 at 11:53
  • The redirect just indicates that the currently logged in user has no access to /Account/AccessDenied. The default template has no restrictions other than `[Authorize]` on the Account controller (which means: any logged in user) – Tseng Feb 11 '18 at 11:54
  • Thanks @Tseng. Yes, I changed the default `[Authorize]` to `[Authorize(Roles = "Administrator")]` on the AccountController because I only wanted admins to create new accounts for users. I later made another controller for that purpose and forgot to go back and change the attribute on AccountController back to default. I've now changed it back, tested and working as expected. Thank you. – Matthew Bishop Feb 11 '18 at 20:16

1 Answer

6

The URL you received shows you have an endless redirection loop, where each loop adds the URL again and passes it to itself.

In the default ASP.NET Core Identity templates, the AccountController is attributed with the `[Authorize]` attribute, meaning any logged in user can access it.

The fact that you get redirected when trying to access the /Account/AccessDenied route/action means the logged in user doesn't have the permission to access it.

This can happen when you use a different authentication scheme `[Authorize(Scheme = "SomethingElse")]` or, as in your case (from your last comment), when a special group is required `[Authorize(Roles = "Something")]`.

Even if you have some valid reason to change it on controller level, you should be able to set

```csharp
[HttpGet]
[Authorize]
public IActionResult AccessDenied(string returnUrl) { ... }
```

to make an exception to it, or use

```csharp
[HttpGet]
[AllowAnonymous]
public IActionResult AccessDenied(string returnUrl) { ... }
```

which will allow any user to access it.

Tseng
  • 61,549
  • 15
  • 193
  • 205
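The loop in the question and the fix in the answer, as an added example (this is not code from the question, the answer, or the ASP.NET Core templates). It assumes the default Identity template types (`IdentityUser`, `ApplicationDbContext`), a role named "Administrator" that already exists in the store, an SDK project with implicit usings, and the modern minimal-hosting `Program.cs` layout rather than the 2018 `Startup.cs` form. Two practitioner caveats the thread only touches on: `Authorize` attributes are combined, so an action-level `[Authorize]` does not relax a controller-level role requirement (all must pass), whereas `[AllowAnonymous]` bypasses authorization for that action; and raising the URL length limit mentioned in the comments only delays the failure, because the loop itself is the defect.

```csharp
// Added example, not code from the question or the answer. Assumes the default
// Identity template types and an existing "Administrator" role.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// ---- Program.cs (minimal hosting) ----
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddDefaultIdentity<IdentityUser>()
    .AddRoles<IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>();   // template DbContext, assumed to exist

// The cookie handler turns a forbidden result into a redirect to
// AccessDeniedPath with ?ReturnUrl=<the forbidden path>. If AccessDeniedPath is
// itself forbidden to the current user, the redirect repeats and ReturnUrl nests
// once per round trip until the URL is too long, as in the question.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/Account/Login";
    options.AccessDeniedPath = "/Account/AccessDenied";
});

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// ---- Controllers ----
// Admin-only area. A signed-in non-admin requesting /Admin/EditUser/{id} is
// forbidden, and the cookie handler redirects to AccessDeniedPath.
[Authorize(Roles = "Administrator")]
public class AdminController : Controller
{
    [HttpGet]
    public IActionResult EditUser(string id) => View();
}

// The question's bug: the role restriction on the whole controller also covered
// AccessDenied. Keeping the controller-level attribute here shows that the
// action-level [AllowAnonymous] is what breaks the loop.
[Authorize(Roles = "Administrator")]
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager)
        => _signInManager = signInManager;

    // Reachable by everyone, including the non-admin who was just forbidden.
    // Render only; redirecting from here would reintroduce the loop.
    [HttpGet]
    [AllowAnonymous]
    public IActionResult AccessDenied(string returnUrl)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpGet]
    [AllowAnonymous]
    public IActionResult Login(string returnUrl = null)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
    {
        if (!ModelState.IsValid) return View(model);

        var result = await _signInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, lockoutOnFailure: true);
        if (!result.Succeeded)
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return View(model);
        }

        // ReturnUrl is client-supplied: follow it only when it is local, otherwise
        // the login endpoint becomes an open redirector.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

// Minimal view model for the POST above (the template ships a fuller one).
public class LoginViewModel
{
    public string Email { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}
```

To confirm the fix, sign in as a non-admin and request an admin URL: the response chain should be a single redirect to `/Account/AccessDenied?ReturnUrl=...` followed by a 200, with no further redirects. If a second redirect to `/Account/AccessDenied` appears, some authorization requirement still applies to that action (a policy, a scheme, or a global filter), and the loop will return.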