ASP.NET Web API : Correct way to return a 401/unauthorised response

c# asp.net-mvc authorization
GoatInTheMachine picture GoatInTheMachine · Jul 3, 2015 · Viewed 123.1k times · Source

I have an MVC webapi site that uses OAuth/token authentication to authenticate requests. All the relevant controllers have the right attributes, and authentication is working ok.

The problem is that not all of the request can be authorised in the scope of an attribute - some authorisation checks have to be performed in code that is called by controller methods - what is the correct way to return a 401 unauthorised response in this case?

I have tried throw new HttpException(401, "Unauthorized access");, but when I do this the response status code is 500 and I get also get a stack trace. Even in our logging DelegatingHandler we can see that the response is 500, not 401.

Answer

LukeH picture LukeH · Jul 3, 2015

You should be throwing a HttpResponseException from your API method, not HttpException:

throw new HttpResponseException(HttpStatusCode.Unauthorized);

Or, if you want to supply a custom message:

var msg = new HttpResponseMessage(HttpStatusCode.Unauthorized) { ReasonPhrase = "Oops!!!" };
throw new HttpResponseException(msg);

Related questions

Redirecting unauthorized controller in ASP.NET MVC

I have a controller in ASP.NET MVC that I've restricted to the admin role: [Authorize(Roles = "Admin")] public class TestController : Controller { ... If a user who is not in the Admin role navigates to this controller they are greeted with …

Read More
Authorize Attribute with Multiple Roles

I would like to add Authorization to a controller, for multiple Roles at once. Normally that would look like this: [Authorize(Roles = "RoleA,RoleB,RoleC")] public async Task<ActionResult> Index() { } But I have stored my Roles in consts, …

Read More
How to implement custom authentication in ASP.NET MVC 5

I'm developing an ASP.NET MVC 5 application. I have an existing DB, from which I created my ADO.NET Entity Data Model. I have a table in that DB which contains "username" and "password" column, and I want to use …

Read More