NuGet · shishirx34 · Feb 16, 2018 · Feb 15, 2018 · Feb 15, 2018 · Feb 15, 2018
@@ -3,8 +3,10 @@
 
 using System;
 using System.Security.Claims;
+using System.Threading.Tasks;
 using System.Web.Mvc;
 using Microsoft.IdentityModel.Protocols;
+using Microsoft.Owin.Security.Notifications;
 using Microsoft.Owin.Security.OpenIdConnect;
 using NuGetGallery.Configuration;
 using Owin;
@@ -33,6 +35,8 @@ public static class AuthenticationType
         public static readonly string V2CommonTenant = "common";
         public static readonly string Authority = "https://login.microsoftonline.com/{0}/v2.0";
 
+        private static readonly string ACCESS_DENIED = "access_denied";
+
         protected override void AttachToOwinApp(IGalleryConfigurationService config, IAppBuilder app)
         {
             // Fetch site root from configuration
@@ -52,13 +56,17 @@ protected override void AttachToOwinApp(IGalleryConfigurationService config, IAp
                 Scope = OpenIdConnectScopes.OpenIdProfile + " email",
                 ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
                 TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },
+                Notifications = new OpenIdConnectAuthenticationNotifications
+                {
+                    AuthenticationFailed = AuthenticationFailed
+                }
             };
 
             Config.ApplyToOwinSecurityOptions(options);
 
             app.UseOpenIdConnectAuthentication(options);
         }
-        
+
         public override AuthenticatorUI GetUI()
         {
             return new AuthenticatorUI(
@@ -136,5 +144,31 @@ public override IdentityInformation GetIdentityInformation(ClaimsIdentity claims
 
             return new IdentityInformation(identifier, nameClaim?.Value, emailClaim.Value, authenticationType, tenantId);
         }
+
+        // The OpenIdConnect.<AuthenticateCoreAsync> throws OpenIdConnectProtocolException upon denial of access permissions by the user, 
+        // this could result in an internal server error, catch this exception and continue to the controller where appropriate
+        // error handling is done.
+        private Task AuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
+        {
+            if (notification.Exception.Message == ACCESS_DENIED)
+            {
+                // For every 'Challenge' sent to the external providers, we store the 'State'
+                // with the redirect uri where we intend to return after successful authentication.
+                // Extract this "RedirectUri" property from this "State" object for redirecting on failed authentication as well.
+                var authenticationPropertiesEncodedString = notification
+                    .ProtocolMessage
+                    .State
+                    .Split('=');
+                var authenticationProperties = notification
+                    .Options
+                    .StateDataFormat
+                    .Unprotect(authenticationPropertiesEncodedString[1]);
+
+                notification.HandleResponse();
+                notification.Response.Redirect(authenticationProperties.RedirectUri);
 var properties = new AuthenticationProperties() { RedirectUri = RedirectUri }; 
 var properties = new AuthenticationProperties() { RedirectUri = RedirectUri }; 
+            }
+
+            return Task.FromResult(0);
+        }
     }
 }