0

(Don't be afraid of this big description, I just tried to be specific, so that it becomes easier for the answerers)

I'm building a web application using ASP.Net Core 2.1 having external login in it. But internal server error occurred when external (facebook) login is canceled and facebook redirects to the source application. That means, you clicked on Facebook external login button and then canceled it by clicking on "Not Now" button. Facebook redirects back to your application (https://localhost:port/signin-facebook?...); and then voila -- exception.

An unhandled exception occurred while processing the request. Exception: access_denied;Description=Permissions error Unknown location

Exception: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

enter image description here

When facebook authentication is getting prepared by the Asp.net Core system from Startup.cs class, 'https://.../signin-facebook' route will be generated automatically by the Facebook authentication provider, as described in the Microsoft docs and Github/aspnet:

If I hit "https://localhost:port/signin-facebook" directly without any query-string, it shows this exception: The OAuth state was missing or invalid. enter image description here

But expected behavior is - it will be redirected to the default login page.

Here's the startup.cs snippet:

services.ConfigureApplicationCookie(options => options.LoginPath = "/Account/LogIn");
services
    .AddAuthentication(o => o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";
        options.LogoutPath = "/Account/Logout";
    });

services.AddAuthentication()
    .AddFacebook(o =>
    {   
        o.AppId = Configuration.GetValue<string>("Facebook:AppId");
        o.AppSecret = Configuration.GetValue<string>("Facebook:AppSecret");
    });

I configured a custom callbackpath (as descripted in microsoft doc), but same exception.

So..., what's going on? What was the problem? And what's the solution?

FYI, I'm not accessing DB from the application and using default IdentityDbContext with .UseModel() and cookie authentication using HttpContext.SigninAsync. Everything's fine when external login is completed instead of canceling.

TareqNewazShahriar
  • 71
  • 1
  • 9
  • I also [issued](https://github.com/aspnet/Security/issues/1824) the problem in asp.net core repo. They pointed to an already created issue. – TareqNewazShahriar Jul 21 '18 at 17:54

1 Answers1

3

According to the Asp.Net Core Github repo, Asp.net Core team is working on it now. Currently developers are using OnRemoteFailure event to handle the exception gracefully and performing the desired action.

Startup.cs:

services.AddAuthentication()
    .AddFacebook(o =>
    {   
        o.AppId = Configuration.GetValue<string>("Facebook:AppId");
        o.AppSecret = Configuration.GetValue<string>("Facebook:AppSecret");
        o.Events.OnRemoteFailure = (context) =>
        {
            context.Response.Redirect("/account/login");
            context.HandleResponse();
            return System.Threading.Tasks.Task.CompletedTask;
        };
    });
Saša Ćetković
  • 885
  • 9
  • 21
TareqNewazShahriar
  • 71
  • 1
  • 9