In ASP.NET Core 2 Microsoft are pretty insistent that all authorization tasks are done using policies and requirements. Using the most basic example I can think of:

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthorization(options =>
            {
                options.AddPolicy("MyPolicy", p => p.RequireAssertion(a => false));
            });
        }
    }

Above I add a policy with an assertion that always fails in place of a full requirement, just to illustrate my point. And below is a simple controller with two actions, where access to the second is denied by the above policy.

    public class HomeController : Controller
    {
        public IActionResult Allow() => View();

        // Access to this action is gated by the always-failing policy above.
        [Authorize("MyPolicy")]
        public IActionResult Deny() => View();
    }

This kind of works as expected. I am indeed denied access to the second action, but I am redirected to https://localhost:44331/Account/AccessDenied?ReturnUrl=%2FHome%2FDeny.
As far as I can tell I have not actually told my app where to send users when a policy requirement isn't met, nor can I work out how to do so.
How do I specify where a user should be redirected to when a requirement isn't met? Also, is it possible to redirect to different places dependent on the policy/requirement?
UPDATE:
Just to be clear, I am using ASP.NET Core Identity in my application. And the answer to the first part of my question is to set the AccessDeniedPath property when configuring the application cookie:

    services.ConfigureApplicationCookie(o =>
    {
        o.AccessDeniedPath = "/Some/Path";
    });

But this means that I am stuck redirecting to the same page regardless of what policy/requirement denied access. Is there any way of deciding where to redirect based on the policy or requirement?
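
One way to approach the per-policy redirect asked about above, as an added example that is not part of the original post: a requirement handler records a server-configured path in `HttpContext.Items`, and the cookie's `OnRedirectToAccessDenied` event uses it, falling back to `AccessDeniedPath`. `DeniedPathRequirement`, `DeniedPathHandler`, `PerPolicyAccessDenied` and the `Items` key are hypothetical names, and the sketch assumes ASP.NET Core Identity is registered elsewhere in `ConfigureServices`.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement that carries its own access-denied page.
public class DeniedPathRequirement : IAuthorizationRequirement
{
    public DeniedPathRequirement(string deniedPath) => DeniedPath = deniedPath;
    public string DeniedPath { get; }
}
public class DeniedPathHandler : AuthorizationHandler<DeniedPathRequirement>
{
    public const string ItemKey = "DeniedPath"; // hypothetical HttpContext.Items key
    private readonly IHttpContextAccessor _accessor;
    public DeniedPathHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, DeniedPathRequirement requirement)
    {
        // Stand-in for a real check: like the question's assertion it never calls
        // context.Succeed. It only records where denied users should be sent.
        _accessor.HttpContext.Items[ItemKey] = requirement.DeniedPath;
        return Task.CompletedTask;
    }
}
public static class PerPolicyAccessDenied
{
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        services.AddSingleton<IAuthorizationHandler, DeniedPathHandler>();
        services.AddAuthorization(o => o.AddPolicy("MyPolicy",
            p => p.AddRequirements(new DeniedPathRequirement("/Some/Path"))));
        services.ConfigureApplicationCookie(o =>
        {
            o.AccessDeniedPath = "/Account/AccessDenied"; // fallback for other policies
            o.Events.OnRedirectToAccessDenied = ctx =>
            {
                // The target comes from policy configuration, never from the request,
                // so the redirect cannot be steered by a crafted URL.
                ctx.HttpContext.Items.TryGetValue(DeniedPathHandler.ItemKey, out var path);
                var target = path is string p ? ctx.Request.PathBase.Value + p : ctx.RedirectUri;
                ctx.Response.Redirect(target);
                return Task.CompletedTask;
            };
        });
    }
}
```

Replacing `OnRedirectToAccessDenied` also replaces the default handler's special treatment of AJAX requests, and the per-policy target does not carry the `ReturnUrl` query string that `ctx.RedirectUri` includes.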