How to handle url redirect in dotnet core

  • Question

  • User-1058270280 posted

    I have a web application that wants to do authentication on every http request. I am trying to build a custom middleware to do this.

    Here is what I am looking to do:

    1. A user makes a request to an end point in my application http://localhost:5000/api/get -------> 302 Response

    2. I generate a redirect to do authorization http://{domain}/authorize ----------> 200 response if successful

    3. I return 200 with results if authorization is a success or 401 if not http://localhost:5000/api/get -------> 200 or 401 response

    In my middleware I am calling httpContext.Response.Redirect("http://{domain}/authorize", false);

    which generates the redirect, but how can I go from there? 

    How can I capture the new httpContext, which in that case is the authorize call, and how can I go back to the original context to return 200 after success?

    Wednesday, May 20, 2020 9:03 PM


All replies

  • User-474980206 posted

    That’s not how it works, websites are stateless.

    Typically you redirect to the auth server passing a return url. Once there is a successful login on the auth server, it redirects back to the return url with a login ticket. The original server (your localhost) verifies the ticket, creates its own authentication cookie and redirects back to the original url (which typically is passed as part of the return url).

    Wednesday, May 20, 2020 11:14 PM
  • User-1058270280 posted

    Thanks for your reply.

    Just to understand your answer... I should pass in ReturnUrl as part of the /authorize call, which references the original request (http://localhost:5000/api/get)?

    I guess what I am trying to figure out is, when I do a redirect, how can I capture the response of this redirect call? How can I switch my HttpContext to the /authorize call?

    I am a dotnet newbie so I don't know if what I am doing is making sense, but here is my middleware:

    // QueryHelpers lives in Microsoft.AspNetCore.WebUtilities
    public async Task InvokeAsync(HttpContext context)
    {
        // query parameters for the /authorize request
        var authQueryParams = new Dictionary<string, string>()
        {
            {"client_id", "0oar5j15dcdfvfvfv" },
            {"state", "evauth" },
            {"redirect_uri", "http://localhost:5000/signin-oidc" },
            {"scope", "openid groups profile email"},
            {"nonce", "evnonce"},
            {"response_type", "code"}
        };

        string url = QueryHelpers.AddQueryString("https://{domain}.oktapreview.com/oauth2/auspx13uvj6eHSM9c0h7/v1/authorize", authQueryParams);
        if (!context.Request.Path.Equals("/"))
        {
            // send the browser to the authorization endpoint and stop the pipeline
            context.Response.Redirect(url, false);
            return;
        }

        await _next(context);
    }

    In the Redirect call, how can I capture the response of the /authorize call, or at least capture its request headers?

    Thursday, May 21, 2020 5:04 PM
  • User-474980206 posted

    You don't. It's another request. Normally the current path is stored in state under a key, and a state key is passed to the auth server.

    browser requests: http://localhost:5000/api/get with no auth cookie
    server responds: saves /api/get in state and redirects to https://{domain}.oktapreview.com/oauth2/auspx13uvj6eHSM9c0h7/v1/authorize?nonce=<statekey>

    browser requests redirect url
    auth server responds: login page
    browser posts login form
    auth server redirects: http://localhost:5000/signin-oidc?nonce=<statekey>&id_token=<token>

    browser requests auth server redirect
    server responds: now your middleware sees the /signin-oidc path & token, and validates the token. If valid, it sets the authentication cookie and redirects to the path in state
    browser requests: localhost:5000/api/get with auth cookie

    Note: typically state is stored in a cookie.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, May 21, 2020 5:39 PM
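
The state round trip described in the accepted answer, as an added example that is not code from the thread: `Begin` saves the original path in a short-lived cookie and redirects with a random state key, and `TryComplete` checks that key on the `/signin-oidc` callback before returning the saved path. The class name `ReturnState`, the cookie name and the use of the OAuth `state` query parameter (which the asker's middleware already sends) are assumptions; validating the token and issuing the authentication cookie remain the caller's job once `TryComplete` returns true.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.WebUtilities;

// Added example (hypothetical helper): carries the original path across the auth redirect.
public static class ReturnState
{
    private const string CookieName = "auth.return"; // assumed cookie name

    // Step 1: remember where the browser was going, then redirect to the auth server.
    public static void Begin(HttpContext context, string authorizeEndpoint,
                             IDictionary<string, string> authQueryParams)
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);                 // unpredictable, new for every login attempt
        string stateKey = WebEncoders.Base64UrlEncode(bytes);
        string returnPath = context.Request.Path.ToUriComponent() + context.Request.QueryString.ToUriComponent();
        context.Response.Cookies.Append(CookieName, stateKey + "|" + returnPath, new CookieOptions
        {
            HttpOnly = true,
            Secure = context.Request.IsHttps,
            SameSite = SameSiteMode.Lax,                   // must survive the top-level redirect back
            MaxAge = TimeSpan.FromMinutes(10)
        });
        var query = new Dictionary<string, string>(authQueryParams) { ["state"] = stateKey };
        context.Response.Redirect(QueryHelpers.AddQueryString(authorizeEndpoint, query));
    }

    // Step 2 (callback request): yields the saved path only if the returned state matches.
    public static bool TryComplete(HttpContext context, out string returnPath)
    {
        returnPath = "/";
        string returned = context.Request.Query["state"].ToString();
        if (!context.Request.Cookies.TryGetValue(CookieName, out var saved)) return false;
        context.Response.Cookies.Delete(CookieName);       // state is single use
        int sep = saved.IndexOf('|');
        if (sep <= 0 || returned.Length == 0 ||
            !string.Equals(saved.Substring(0, sep), returned, StringComparison.Ordinal))
            return false;                                  // not a flow this browser started
        string path = saved.Substring(sep + 1);
        // The cookie is client-controlled: follow only paths on this site, never absolute URLs.
        if (path.Length == 0 || path[0] != '/' || (path.Length > 1 && (path[1] == '/' || path[1] == '\\')))
            return false;
        returnPath = path;
        return true;
    }
}
```

In the asker's middleware, `Begin` would replace the direct `Redirect` call for unauthenticated requests, and the branch handling `/signin-oidc` would call `TryComplete` before validating the token and redirecting to `returnPath`.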