Add AccessDeniedPath support to the OIDC/OAuth2/Twitter providers (#1887)

* Add AccessDeniedPath support to the OIDC/OAuth2/Twitter providers

* Update the code documentation and remove an unnecessary call to SignOutAsync()

* Introduce a new AccessDenied event and move most of the access denied handling logic to RemoteAuthenticationHandler

* Add ReturnUrlParameter support to RemoteAuthenticationHandler

* Remove AccessDeniedException and introduce RemoteAuthenticationHandler.HandleAccessDeniedErrorAsync()

* Use OriginalPath instead of Request.Path

* Update obsolete code comments

* Add unit tests for the new AccessDenied event

* Allow customizing the access denied path/return URL/return URL parameter from the AccessDenied event

Author: kevinchalet

samples/OpenIdConnectSample/Startup.cs

@@ -63,6 +63,7 @@ public void ConfigureServices(IServiceCollection services)
                 o.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                 o.SaveTokens = true;
                 o.GetClaimsFromUserInfoEndpoint = true;
+                o.AccessDeniedPath = "/access-denied-from-remote";
 
                 o.ClaimActions.MapAllExcept("aud", "iss", "iat", "nbf", "exp", "aio", "c_hash", "uti", "nonce");
 
@@ -126,6 +127,16 @@ await WriteHtmlAsync(response, async res =>
                     return;
                 }
 
+                if (context.Request.Path.Equals("/access-denied-from-remote"))
+                {
+                    await WriteHtmlAsync(response, async res =>
+                    {
+                        await res.WriteAsync($"<h1>Access Denied error received from the remote authorization server</h1>");
+                        await res.WriteAsync("<a class=\"btn btn-default\" href=\"/\">Home</a>");
+                    });
+                    return;
+                }
+
                 if (context.Request.Path.Equals("/Account/AccessDenied"))
                 {
                     await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs

@@ -422,7 +422,7 @@ protected override async Task HandleForbiddenAsync(AuthenticationProperties prop
             var returnUrl = properties.RedirectUri;
             if (string.IsNullOrEmpty(returnUrl))
             {
-                returnUrl = OriginalPathBase + Request.Path + Request.QueryString;
+                returnUrl = OriginalPathBase + OriginalPath + Request.QueryString;
             }
             var accessDeniedUri = Options.AccessDeniedPath + QueryString.Create(Options.ReturnUrlParameter, returnUrl);
             var redirectContext = new RedirectContext<CookieAuthenticationOptions>(Context, Scheme, Options, properties, BuildRedirectUri(accessDeniedUri));
@@ -434,7 +434,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
             var redirectUri = properties.RedirectUri;
             if (string.IsNullOrEmpty(redirectUri))
             {
-                redirectUri = OriginalPathBase + Request.Path + Request.QueryString;
+                redirectUri = OriginalPathBase + OriginalPath + Request.QueryString;
             }
 
             var loginUri = Options.LoginPath + QueryString.Create(Options.ReturnUrlParameter, redirectUri);

src/Microsoft.AspNetCore.Authentication.OAuth/OAuthHandler.cs

@@ -63,6 +63,16 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             var error = query["error"];
             if (!StringValues.IsNullOrEmpty(error))
             {
+                // Note: access_denied errors are special protocol errors indicating the user didn't
+                // approve the authorization demand requested by the remote authorization server.
+                // Since it's a frequent scenario (that is not caused by incorrect configuration),
+                // denied errors are handled differently using HandleAccessDeniedErrorAsync().
+                // Visit https://tools.ietf.org/html/rfc6749#section-4.1.2.1 for more information.
+                if (StringValues.Equals(error, "access_denied"))
+                {
+                    return await HandleAccessDeniedErrorAsync(properties);
+                }
+
                 var failureMessage = new StringBuilder();
                 failureMessage.Append(error);
                 var errorDescription = query["error_description"];
@@ -194,7 +204,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
         {
             if (string.IsNullOrEmpty(properties.RedirectUri))
             {
-                properties.RedirectUri = CurrentUri;
+                properties.RedirectUri = OriginalPathBase + OriginalPath + Request.QueryString;
             }
 
             // OAuth2 10.12 CSRF

src/Microsoft.AspNetCore.Authentication.OAuth/OAuthOptions.cs

@@ -3,11 +3,9 @@
 
 using System;
 using System.Collections.Generic;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.OAuth;
-using Microsoft.AspNetCore.Authentication.OAuth.Claims;
-using Microsoft.AspNetCore.Http.Authentication;
 using System.Globalization;
+using Microsoft.AspNetCore.Authentication.OAuth.Claims;
+using Microsoft.AspNetCore.Http;
 
 namespace Microsoft.AspNetCore.Authentication.OAuth
 {

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -186,7 +186,7 @@ public async virtual Task SignOutAsync(AuthenticationProperties properties)
                 properties.RedirectUri = BuildRedirectUriIfRelative(Options.SignedOutRedirectUri);
                 if (string.IsNullOrWhiteSpace(properties.RedirectUri))
                 {
-                    properties.RedirectUri = CurrentUri;
+                    properties.RedirectUri = OriginalPathBase + OriginalPath + Request.QueryString;
                 }
             }
             Logger.PostSignOutRedirect(properties.RedirectUri);
@@ -312,7 +312,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
             // 2. CurrentUri if RedirectUri is not set)
             if (string.IsNullOrEmpty(properties.RedirectUri))
             {
-                properties.RedirectUri = CurrentUri;
+                properties.RedirectUri = OriginalPathBase + OriginalPath + Request.QueryString;
             }
             Logger.PostAuthenticationLocalRedirect(properties.RedirectUri);
 
@@ -520,6 +520,16 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                 // if any of the error fields are set, throw error null
                 if (!string.IsNullOrEmpty(authorizationResponse.Error))
                 {
+                    // Note: access_denied errors are special protocol errors indicating the user didn't
+                    // approve the authorization demand requested by the remote authorization server.
+                    // Since it's a frequent scenario (that is not caused by incorrect configuration),
+                    // denied errors are handled differently using HandleAccessDeniedErrorAsync().
+                    // Visit https://tools.ietf.org/html/rfc6749#section-4.1.2.1 for more information.
+                    if (string.Equals(authorizationResponse.Error, "access_denied", StringComparison.Ordinal))
+                    {
+                        return await HandleAccessDeniedErrorAsync(properties);
+                    }
+
                     return HandleRequestResult.Fail(CreateOpenIdConnectProtocolException(authorizationResponse, response: null), properties);
                 }
 

src/Microsoft.AspNetCore.Authentication.Twitter/TwitterHandler.cs

@@ -55,12 +55,14 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
             var properties = requestToken.Properties;
 
-            // REVIEW: see which of these are really errors
-
             var denied = query["denied"];
             if (!StringValues.IsNullOrEmpty(denied))
             {
-                return HandleRequestResult.Fail("The user denied permissions.", properties);
+                // Note: denied errors are special protocol errors indicating the user didn't
+                // approve the authorization demand requested by the remote authorization server.
+                // Since it's a frequent scenario (that is not caused by incorrect configuration),
+                // denied errors are handled differently using HandleAccessDeniedErrorAsync().
+                return await HandleAccessDeniedErrorAsync(properties);
             }
 
             var returnedToken = query["oauth_token"];
@@ -130,7 +132,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
         {
             if (string.IsNullOrEmpty(properties.RedirectUri))
             {
-                properties.RedirectUri = CurrentUri;
+                properties.RedirectUri = OriginalPathBase + OriginalPath + Request.QueryString;
             }
 
             // If CallbackConfirmed is false, this will throw

src/Microsoft.AspNetCore.Authentication.Twitter/TwitterOptions.cs

@@ -2,8 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Security.Claims;
 using System.Globalization;
+using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication.OAuth.Claims;
 using Microsoft.AspNetCore.Http;
 

src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationHandler.cs

@@ -83,7 +83,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
             // Save the original challenge URI so we can redirect back to it when we're done.
             if (string.IsNullOrEmpty(properties.RedirectUri))
             {
-                properties.RedirectUri = CurrentUri;
+                properties.RedirectUri = OriginalPathBase + OriginalPath + Request.QueryString;
             }
 
             var wsFederationMessage = new WsFederationMessage()

src/Microsoft.AspNetCore.Authentication/Events/AccessDeniedContext.cs

@@ -0,0 +1,44 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Authentication
+{
+    /// <summary>
+    /// Provides access denied failure context information to handler providers.
+    /// </summary>
+    public class AccessDeniedContext : HandleRequestContext<RemoteAuthenticationOptions>
+    {
+        public AccessDeniedContext(
+            HttpContext context,
+            AuthenticationScheme scheme,
+            RemoteAuthenticationOptions options)
+            : base(context, scheme, options)
+        {
+        }
+
+        /// <summary>
+        /// Gets or sets the endpoint path the user agent will be redirected to.
+        /// By default, this property is set to <see cref="RemoteAuthenticationOptions.AccessDeniedPath"/>.
+        /// </summary>
+        public PathString AccessDeniedPath { get; set; }
+
+        /// <summary>
+        /// Additional state values for the authentication session.
+        /// </summary>
+        public AuthenticationProperties Properties { get; set; }
+
+        /// <summary>
+        /// Gets or sets the return URL that will be flowed up to the access denied page.
+        /// If <see cref="ReturnUrlParameter"/> is not set, this property is not used.
+        /// </summary>
+        public string ReturnUrl { get; set; }
+
+        /// <summary>
+        /// Gets or sets the parameter name that will be used to flow the return URL.
+        /// By default, this property is set to <see cref="RemoteAuthenticationOptions.ReturnUrlParameter"/>.
+        /// </summary>
+        public string ReturnUrlParameter { get; set; }
+    }
+}

src/Microsoft.AspNetCore.Authentication/Events/RemoteAuthenticationEvents.cs

@@ -8,12 +8,18 @@ namespace Microsoft.AspNetCore.Authentication
 {
     public class RemoteAuthenticationEvents
     {
+        public Func<AccessDeniedContext, Task> OnAccessDenied { get; set; } = context => Task.CompletedTask;
         public Func<RemoteFailureContext, Task> OnRemoteFailure { get; set; } = context => Task.CompletedTask;
 
         public Func<TicketReceivedContext, Task> OnTicketReceived { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
-        /// Invoked when there is a remote failure
+        /// Invoked when an access denied error was returned by the remote server.
+        /// </summary>
+        public virtual Task AccessDenied(AccessDeniedContext context) => OnAccessDenied(context);
+
+        /// <summary>
+        /// Invoked when there is a remote failure.
         /// </summary>
         public virtual Task RemoteFailure(RemoteFailureContext context) => OnRemoteFailure(context);
 

src/Microsoft.AspNetCore.Authentication/LoggingExtensions.cs

@@ -7,17 +7,20 @@ namespace Microsoft.Extensions.Logging
 {
     internal static class LoggingExtensions
     {
-        private static Action<ILogger, string, Exception> _authSchemeAuthenticated;
-        private static Action<ILogger, string, Exception> _authSchemeNotAuthenticated;
-        private static Action<ILogger, string, string, Exception> _authSchemeNotAuthenticatedWithFailure;
-        private static Action<ILogger, string, Exception> _authSchemeChallenged;
-        private static Action<ILogger, string, Exception> _authSchemeForbidden;
-        private static Action<ILogger, string, Exception> _remoteAuthenticationError;
-        private static Action<ILogger, Exception> _signInHandled;
-        private static Action<ILogger, Exception> _signInSkipped;
-        private static Action<ILogger, string, Exception> _correlationPropertyNotFound;
-        private static Action<ILogger, string, Exception> _correlationCookieNotFound;
-        private static Action<ILogger, string, string, Exception> _unexpectedCorrelationCookieValue;
+        private static readonly Action<ILogger, string, Exception> _authSchemeAuthenticated;
+        private static readonly Action<ILogger, string, Exception> _authSchemeNotAuthenticated;
+        private static readonly Action<ILogger, string, string, Exception> _authSchemeNotAuthenticatedWithFailure;
+        private static readonly Action<ILogger, string, Exception> _authSchemeChallenged;
+        private static readonly Action<ILogger, string, Exception> _authSchemeForbidden;
+        private static readonly Action<ILogger, string, Exception> _remoteAuthenticationError;
+        private static readonly Action<ILogger, Exception> _signInHandled;
+        private static readonly Action<ILogger, Exception> _signInSkipped;
+        private static readonly Action<ILogger, string, Exception> _correlationPropertyNotFound;
+        private static readonly Action<ILogger, string, Exception> _correlationCookieNotFound;
+        private static readonly Action<ILogger, string, string, Exception> _unexpectedCorrelationCookieValue;
+        private static readonly Action<ILogger, Exception> _accessDeniedError;
+        private static readonly Action<ILogger, Exception> _accessDeniedContextHandled;
+        private static readonly Action<ILogger, Exception> _accessDeniedContextSkipped;
 
         static LoggingExtensions()
         {
@@ -65,6 +68,18 @@ static LoggingExtensions()
                eventId: 16,
                logLevel: LogLevel.Warning,
                formatString: "The correlation cookie value '{CorrelationCookieName}' did not match the expected value '{CorrelationCookieValue}'.");
+            _accessDeniedError = LoggerMessage.Define(
+                eventId: 17,
+                logLevel: LogLevel.Information,
+                formatString: "Access was denied by the resource owner or by the remote server.");
+            _accessDeniedContextHandled = LoggerMessage.Define(
+                eventId: 18,
+                logLevel: LogLevel.Debug,
+                formatString: "The AccessDenied event returned Handled.");
+            _accessDeniedContextSkipped = LoggerMessage.Define(
+                eventId: 19,
+                logLevel: LogLevel.Debug,
+                formatString: "The AccessDenied event returned Skipped.");
         }
 
         public static void AuthenticationSchemeAuthenticated(this ILogger logger, string authenticationScheme)
@@ -121,5 +136,20 @@ public static void UnexpectedCorrelationCookieValue(this ILogger logger, string
         {
             _unexpectedCorrelationCookieValue(logger, cookieName, cookieValue, null);
         }
+
+        public static void AccessDeniedError(this ILogger logger)
+        {
+            _accessDeniedError(logger, null);
+        }
+
+        public static void AccessDeniedContextHandled(this ILogger logger)
+        {
+            _accessDeniedContextHandled(logger, null);
+        }
+
+        public static void AccessDeniedContextSkipped(this ILogger logger)
+        {
+            _accessDeniedContextSkipped(logger, null);
+        }
     }
 }

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs

@@ -5,6 +5,7 @@
 using System.Security.Cryptography;
 using System.Text.Encodings.Web;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -241,5 +242,48 @@ protected virtual bool ValidateCorrelationId(AuthenticationProperties properties
 
             return true;
         }
+
+        protected virtual async Task<HandleRequestResult> HandleAccessDeniedErrorAsync(AuthenticationProperties properties)
+        {
+            Logger.AccessDeniedError();
+            var context = new AccessDeniedContext(Context, Scheme, Options)
+            {
+                AccessDeniedPath = Options.AccessDeniedPath,
+                Properties = properties,
+                ReturnUrl = properties?.RedirectUri,
+                ReturnUrlParameter = Options.ReturnUrlParameter
+            };
+            await Events.AccessDenied(context);
+
+            if (context.Result != null)
+            {
+                if (context.Result.Handled)
+                {
+                    Logger.AccessDeniedContextHandled();
+                }
+                else if (context.Result.Skipped)
+                {
+                    Logger.AccessDeniedContextSkipped();
+                }
+
+                return context.Result;
+            }
+
+            // If an access denied endpoint was specified, redirect the user agent.
+            // Otherwise, invoke the RemoteFailure event for further processing.
+            if (context.AccessDeniedPath.HasValue)
+            {
+                string uri = context.AccessDeniedPath;
+                if (!string.IsNullOrEmpty(context.ReturnUrlParameter) && !string.IsNullOrEmpty(context.ReturnUrl))
+                {
+                    uri = QueryHelpers.AddQueryString(uri, context.ReturnUrlParameter, context.ReturnUrl);
+                }
+                Response.Redirect(uri);
+
+                return HandleRequestResult.Handle();
+            }
+
+            return HandleRequestResult.Fail("Access was denied by the resource owner or by the remote server.", properties);
+        }
     }
 }

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationOptions.cs

@@ -89,6 +89,22 @@ public override void Validate()
         /// </summary>
         public PathString CallbackPath { get; set; }
 
+        /// <summary>
+        /// Gets or sets the optional path the user agent is redirected to if the user
+        /// doesn't approve the authorization demand requested by the remote server.
+        /// This property is not set by default. In this case, an exception is thrown
+        /// if an access_denied response is returned by the remote authorization server.
+        /// </summary>
+        public PathString AccessDeniedPath { get; set; }
+
+        /// <summary>
+        /// Gets or sets the name of the parameter used to convey the original location
+        /// of the user before the remote challenge was triggered up to the access denied page.
+        /// This property is only used when the <see cref="AccessDeniedPath"/> is explicitly specified.
+        /// </summary>
+        // Note: this deliberately matches the default parameter name used by the cookie handler.
+        public string ReturnUrlParameter { get; set; } = "ReturnUrl";
+
         /// <summary>
         /// Gets or sets the authentication scheme corresponding to the middleware
         /// responsible of persisting user's identity after a successful authentication.