Rovdjuret Rovdjuret - 1 month ago 48
C# Question

App redirects to Account/AccessDenied on adding Oauth

I've stumbled upon an issue where inconsistently the application redirects the user to

Account/AccessDenied/
upon adding a social media authentication to the current logged in user. It seems to work the first time the user is logged in, then by trying to add another authentication method it returns the user to
Account/AccessDenied?ReturnUrl=%2Fmanage%2Flinklogincallback
.

My guess is that something is going wrong with the [Authorize] attribute, but only the second time I try adding external authentication method.

ManageController

[Authorize]
public class ManageController : Controller
{
//
// POST: /Manage/LinkLogin
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult LinkLogin(string provider)
{
// Request a redirect to the external login provider to link a login for the current user
var redirectUrl = Url.Action("LinkLoginCallback", "Manage");
var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl, _userManager.GetUserId(User));
return Challenge(properties, provider);
}

//
// GET: /Manage/LinkLoginCallback
[HttpGet]
public async Task<ActionResult> LinkLoginCallback()
{
var user = await GetCurrentUserAsync();
if (user == null)
{
return View("Error");
}
var info = await _signInManager.GetExternalLoginInfoAsync(await _userManager.GetUserIdAsync(user));
if (info == null)
{
return RedirectToAction(nameof(ManageLogins), new { Message = ManageMessageId.Error });
}
var result = await _userManager.AddLoginAsync(user, info);
var message = result.Succeeded ? ManageMessageId.AddLoginSuccess : ManageMessageId.Error;
return RedirectToAction(nameof(ManageLogins), new { Message = message });
}
}


Could it be the order of how startup.cs is arranged?

This is the request/response

enter image description here

Answer

I've got confirmed by aspnet team working on Security repo that this is a bug (see this issue) and resolved until next release. A temporary workaround is to set a cookie named

Identity.External

to null, which is created upon adding external login to your account.

if (Request.Cookies["Identity.External"] != null)
{
     Response.Cookies.Delete("Identity.External"); 
}
Comments