guardrex
Contributor

Fixes #192

Stephen ... I'd like to break the authentication loop that occurs when one signs out from a secure page. As it stands, the user is redirected back only to get ensnared in an authentication request again. This reflection-based approach changes the redirect to the home page to avoid the problem, but I'm not sure if I've created another stinky 💩 🦖 RexHaq™ 🙈 here.

@guardrex guardrex requested a review from halter73 February 14, 2024 14:30
@halter73
Member

halter73 commented Feb 15, 2024

I think keeping the current URL could be useful if you're switching accounts and you want to log in as a different user but stay on the same page. Manually entering the homepage URL doesn't seem so bad if for some reason you want to view a site as an unauthenticated user after logging out rather than log back in.

If we really think the logout authentication loop is that bad, I would rather we always redirect to the home page after logout. That still might not fix things if the home page requires authentication, but at least that's not the case for this sample. And it doesn't require resorting to reflection which doesn't address the home page requiring authentication either.

I don't think the reflection approach works as soon as the template is a parameterized route (e.g. "/myauthendpoint/{id}" while the current URL is "myauthendpoint/1"). What you really want is something like this:

var endpoint = httpContext.GetEndpoint();
// [Authorize] implements IAuthorizeData
var requiresAuthorization = endpoint?.Metadata.GetMetadata<IAuthorizeData>() is not null;

The problem is we don't have access to the HttpContext on the client. If @SteveSandersonMS @javiercn @MackinnonBuck or someone else knows of a clean way to detect whether you're on a page that requires authorization on both the server and client, the behavior you're going for here might be a little nicer. But for now, I'd either leave it as is, or always redirect to the home page on logout.

@guardrex
Contributor Author

Ok ... cool ... let's leave the app alone, BUT I'll add a short section on this subject to the article. That section will merely explain that the user signing out from a secure page will be returned to sign back in and indicate how to set the redirect to the home page if the dev wants to adopt that behavior.

BTW tho for ...

a parameterized route (e.g. "/myauthendpoint/{id}"

I see what you mean. I wonder if a little work with the d.Template match to currentUrl couldn't deal with that and have this 🦖 hacky reflection approach 💩🙈 work for server and client components. I'm NOT suggesting that it should be placed into the sample or article. I'm just wondering out loud if that's possible.

I'll take this matter up with a doc repo issue.

@guardrex guardrex closed this Feb 15, 2024
@guardrex guardrex deleted the guardrex/rexhaqs-for-auth-loop branch February 15, 2024 16:22
Successfully merging this pull request may close these issues.

Add 🦖 RexHaqs code for redirect to authorized endpoint of app