
Understanding

Today I was reading about 401 vs 403 Status Codes. I came across an interesting post on SO which can be seen here.

As per the post, my understanding is:

  1. 401 - Authentication failed.
  2. 403 - Authorization failed.

Use Case

In a .NET Core Web API, I used UnauthorizedResult in one of my custom filters (I know filters are not the preferred way to go for authorization checks, but that is a separate discussion altogether). This ActionResult does return a 401 status code; however, I expected it to return 403 as per the above-mentioned post, as it is an authorization failure and not an authentication failure. The interface used is also IAuthorizationFilter.

Question

Shouldn't UnauthorizedResult return 403 instead of 401? Am I missing something in the above understanding?

Side Note

To solve the problem, I used StatusCodes.Status403Forbidden to return 403.

Sandy
    It's a little confusing, but you can use [`ForbidResult`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.forbidresult?view=aspnetcore-2.2) for the `403`. – Kirk Larkin Jul 25 '19 at 16:50
  • I understand...the question is actually not about solving the problem...I already solved it. But about the expected behavior? BTW, did you mean my question is confusing? – Sandy Jul 25 '19 at 16:52
  • No, I meant Unauthorized vs Forbid etc can be a bit confusing. – Kirk Larkin Jul 25 '19 at 18:29
  • .NET got these backwards. UnauthorizedResult should be returning a 403, not a 401 - this is a logged in user that does not have rights to a resource. ForbidResult should be returning a 401, not a 403 - this is a not logged in user status code. – jjxtra Jul 26 '22 at 17:12
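As an added example (not code from the question or from ASP.NET Core itself), here is a hypothetical IAuthorizationFilter that maps the two cases the way the linked post describes: an unauthenticated caller gets a 401 challenge, while an authenticated caller who lacks the required role gets a 403, either through ForbidResult as Kirk Larkin's comment suggests or through the raw StatusCodes.Status403Forbidden the side note used. It assumes an authentication scheme such as JWT bearer is registered, because ChallengeResult and ForbidResult delegate the actual response to that scheme's handler.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical filter (assumed name): 401 when the caller has not
// authenticated at all, 403 when the caller is authenticated but
// is not permitted to use the resource.
public sealed class RequireRoleFilter : IAuthorizationFilter
{
    private readonly string _role;

    public RequireRoleFilter(string role) => _role = role;

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;

        // No identity: authentication failed or credentials are missing.
        // UnauthorizedResult would write a bare 401; ChallengeResult lets
        // the registered scheme add WWW-Authenticate, which is what a
        // client needs in order to retry with credentials.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Result = new ChallengeResult();
            return;
        }

        // Authenticated but not in the required role: authorization
        // failed, so the answer is 403, not 401.
        if (!user.IsInRole(_role))
        {
            // ForbidResult hands the 403 to the scheme's handler. With JWT
            // bearer that is a plain 403; with cookie auth it redirects to
            // the access-denied page instead, so for a pure API the raw
            // status below is the predictable choice.
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            // Alternative: context.Result = new ForbidResult();
        }
    }
}

// Apply per action; the role name here is a constructed sample value.
// [TypeFilter(typeof(RequireRoleFilter), Arguments = new object[] { "admin" })]
```

Whichever form is used, the status the client finally sees is decided by the authentication handler for ChallengeResult and ForbidResult, so it is worth checking the response of the scheme actually configured rather than assuming 401 and 403.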

0 Answers