Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BugBash] MSA - Add exception handler for access denied #5485

Merged
merged 5 commits into from
Feb 16, 2018
Merged

[BugBash] MSA - Add exception handler for access denied #5485

Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f2c65dd
Add exception handler
shishirx34 Feb 15, 2018
fa800d6
Merge remote-tracking branch 'origin/dev' into fix-500
shishirx34 Feb 15, 2018
ba2461f
Merge remote-tracking branch 'origin/dev' into fix-500
shishirx34 Feb 15, 2018
355d00b
Simplify redirection
shishirx34 Feb 15, 2018
e3bfb54
Merge remote-tracking branch 'origin/dev' into fix-500
shishirx34 Feb 15, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 25 additions & 1 deletion ...ry/Authentication/Providers/AzureActiveDirectoryV2/AzureActiveDirectoryV2Authenticator.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,10 @@

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using NuGetGallery.Configuration;
using Owin;
Expand Down Expand Up @@ -33,6 +35,9 @@ public static class AuthenticationType
public static readonly string V2CommonTenant = "common";
public static readonly string Authority = "https://login.microsoftonline.com/{0}/v2.0";

private string redirectUrl;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

authenticator instance is per request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah! good catch, it is a SingleInstance. this won't work.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we ignore the redirectUrl in the error case, and just redirect to home with the info message?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found another way. This is cleaner.

private static readonly string ACCESS_DENIED = "access_denied";

protected override void AttachToOwinApp(IGalleryConfigurationService config, IAppBuilder app)
{
// Fetch site root from configuration
Expand All @@ -52,13 +57,17 @@ protected override void AttachToOwinApp(IGalleryConfigurationService config, IAp
Scope = OpenIdConnectScopes.OpenIdProfile + " email",
ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed
}
};

Config.ApplyToOwinSecurityOptions(options);

app.UseOpenIdConnectAuthentication(options);
}

public override AuthenticatorUI GetUI()
{
return new AuthenticatorUI(
Expand All @@ -73,6 +82,7 @@ public override AuthenticatorUI GetUI()

public override ActionResult Challenge(string redirectUrl)
{
this.redirectUrl = redirectUrl;
return new ChallengeResult(BaseConfig.AuthenticationType, redirectUrl);
}

Expand Down Expand Up @@ -136,5 +146,19 @@ public override IdentityInformation GetIdentityInformation(ClaimsIdentity claims

return new IdentityInformation(identifier, nameClaim?.Value, emailClaim.Value, authenticationType, tenantId);
}

// The OpenIdConnect.<AuthenticateCoreAsync> throws OpenIdConnectProtocolException upon denial of access permissions by the user,
// this could result in an internal server error, catch this exception and continue to the controller where appropriate
// error handling is done.
private Task AuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
if (notification.Exception.Message == ACCESS_DENIED)
{
notification.HandleResponse();
notification.Response.Redirect(redirectUrl);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For confirm transform by the org admin, it makes sense to redirect so the user sees the transform failed error page if the AAD linking failed or was cancelled.

For UIAuthorize actions that don't support deprecated password auth, will the user still see the info message if the UIAuthorize redirects them to the homepage for the link/transform prompt?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will only be shown once when the permission was denied to access permissions, consumed from cookie and is removed so won't repeat upon further UIAuthorize redirects.

}

return Task.FromResult(0);
}
}
}