Rovdjuret Rovdjuret - 3 months ago 64
C# Question

App redirects to Account/AccessDenied on adding Oauth

I've stumbled upon an issue where inconsistently the application redirects the user to

upon adding a social media authentication to the current logged in user. It seems to work the first time the user is logged in, then by trying to add another authentication method it returns the user to

My guess is that something is going wrong with the [Authorize] attribute, but only the second time I try adding an external authentication method.


    [Authorize]
    public class ManageController : Controller
    {
        // _signInManager, _userManager and GetCurrentUserAsync() are defined elsewhere in the controller (not shown).

        // POST: /Manage/LinkLogin
        [HttpPost]
        public IActionResult LinkLogin(string provider)
        {
            // Request a redirect to the external login provider to link a login for the current user
            var redirectUrl = Url.Action("LinkLoginCallback", "Manage");
            var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl, _userManager.GetUserId(User));
            return Challenge(properties, provider);
        }

        // GET: /Manage/LinkLoginCallback
        [HttpGet]
        public async Task<ActionResult> LinkLoginCallback()
        {
            var user = await GetCurrentUserAsync();
            if (user == null)
            {
                return View("Error");
            }
            var info = await _signInManager.GetExternalLoginInfoAsync(await _userManager.GetUserIdAsync(user));
            if (info == null)
            {
                return RedirectToAction(nameof(ManageLogins), new { Message = ManageMessageId.Error });
            }
            var result = await _userManager.AddLoginAsync(user, info);
            var message = result.Succeeded ? ManageMessageId.AddLoginSuccess : ManageMessageId.Error;
            return RedirectToAction(nameof(ManageLogins), new { Message = message });
        }
    }

Could it be the order of how startup.cs is arranged?

This is the request/response



I've had it confirmed by the aspnet team working on the Security repo that this is a bug (see this issue) and resolved until next release. A temporary workaround is to set a cookie named Identity.External to null, which is created upon adding an external login to your account.

    if (Request.Cookies["Identity.External"] != null)
        Response.Cookies.Delete("Identity.External");
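
The workaround above placed in the question's controller, as an added example that is not part of the original answer: a hypothetical ClearExternalCookie helper runs before the challenge is issued and again once the link attempt has completed, so a cookie left by one link operation is not present on the next. ApplicationUser, the string action name "ManageLogins" and the "linked" route value are assumptions for the sketch.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumption: ApplicationUser is the app's Identity user type; ManageLogins is an existing action.
[Authorize]
public class ManageController : Controller
{
    // Cookie name taken from the workaround in the answer.
    private const string ExternalCookieName = "Identity.External";

    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public ManageController(SignInManager<ApplicationUser> signInManager, UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // Hypothetical helper: drop a leftover external-login cookie if the browser sent one.
    private void ClearExternalCookie()
    {
        if (Request.Cookies[ExternalCookieName] != null)
            Response.Cookies.Delete(ExternalCookieName);
    }

    [HttpPost]
    public IActionResult LinkLogin(string provider)
    {
        ClearExternalCookie(); // start the link flow without the cookie from a previous link
        var redirectUrl = Url.Action("LinkLoginCallback", "Manage");
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl, _userManager.GetUserId(User));
        return Challenge(properties, provider);
    }

    [HttpGet]
    public async Task<IActionResult> LinkLoginCallback()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return View("Error");
        var info = await _signInManager.GetExternalLoginInfoAsync(await _userManager.GetUserIdAsync(user));
        if (info == null) return RedirectToAction("ManageLogins");
        var result = await _userManager.AddLoginAsync(user, info);
        ClearExternalCookie(); // the external login info has been read; remove the cookie
        return RedirectToAction("ManageLogins", new { linked = result.Succeeded }); // "linked" is hypothetical
    }
}
```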