I’m attempting to setup a custom Rule that authenticates a user based in the user’s group using the Authorization Extension. The custom rule uses the code snippet in Step 2 of the “Using Rules with the Authorization Extension” documentation. The client application is an ASP.NET Core 2 MVC project.
When a user attempts to authenticate into the client applicatoin and is not part of the required Group, the client callback URL (http://localhost:5982/signing-auth0) is displaying a 500 Server Error response with the message, “OpenIdConnectProtocolException: Message contains error: ‘unauthorized’, error_description: 'You are not authorized to access ', error_uri: ‘error_uri is null’.” While the message is what I expected because that’s the message I added to the rule, I would think the response code should be 401 Unauthorized, not a 500 Server Error.
The line of code responsible for the error is:
return callback(new UnauthorizedError('You do not have the required role to access ' + context.clientName));
Is there a way to return a 401 Unauthorized response when throwing an UnathorizedError exception so I don’t have to create an ugly hack in all my clients to determine the true error type to display a user-friendly message?
Update - 12/12/2017
I’m beginning to think the issue is caused by the .NET OpenIDConnect middleware and not an Auth0 issue. Below is a screen capture of the actual error I’m seeing at the callback URL location. The middleware is supposed to handle any calls to the callback URL (/signing-auth0) and is throwing a server error.
I tried adding event handlers for OnAuthenticationFailed and OnRemoteFailure for the OpenIDConnect middleware, but they don’t seem to be getting hit. So I’m still stumped as to how I can gracefully handle this “unauthorized” scenario.