How to override authentication behavior?


I have an MVC project running Episerver and am setting up IdentityServer authentication. Logging in and out works just fine, but when I try to access a page that requires a role I get stuck in a redirect loop:

  • Epi says I am unauthorized (due to missing role, I am authenticated) and redirects to IDS
  • IDS says I am authenticated (I am, but I am missing a role to access a specific page) and redirects me back to Epi.

So what I would like to do is to hook up in the EPI authorization chain and redirect users that are unauthorized due to roles to a friendly page telling them that they do not have the required permissions to do this, while unauthenticated users get sent to the IDS.

I've been looking at the ContentController<T> and [AuthorizeContent] attribute but I can't find any way to override or extend or hook into either of those.

What I would really like to avoid is making a custom attribute and sticking this on every controller, or making a base controller that everything has to inherit from, because it is a pretty large project with a lot of controllers and more being added regularly.

Dec 11, 2018 15:00

Hi Kent

Once it's configured correctly you should not need to do any custom work and can use the built-in authentication mechanisms. This is a great post which describes setting up IdentityServer with Episerver: 

It might be worth comparing the configuration?


Dec 11, 2018 16:05
Dec 11, 2018 16:07

Shameless own post bump about Episerver and OIDC: Using OpenID Connect with Episerver

Alloy sample site sources in GitHub.

You are most likely missing the "is authenticated but got 401 HTTP status code response" check in the 'RedirectToIdentityProvider' handler; have a look at this startup.cs file (if the user is authenticated but the HTTP response code is 401, return HTTP 403 (Forbidden) as the user is missing some rights to access the content).

Dec 11, 2018 20:52
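The check described in the answer above, as an added example rather than the poster's own startup.cs: an OWIN OpenID Connect setup for an Episerver MVC site where the RedirectToIdentityProvider notification turns a 401 for an already-authenticated user into a 403 instead of bouncing them to IdentityServer. Authority, ClientId, RedirectUri and the scope list are placeholder assumptions, not values from the thread.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholder values (assumptions); take the real ones from your IdentityServer client registration.
            Authority = "https://identityserver.example.invalid",
            ClientId = "episerver-site",
            RedirectUri = "https://www.example.invalid/",
            ResponseType = "id_token",
            Scope = "openid profile roles",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    // Episerver answered 401 because a role check failed. If the user
                    // already has an authenticated session, sending them to IdentityServer
                    // only produces the loop from the question: IDS sees a valid session
                    // and sends them straight back. Report 403 and suppress the redirect;
                    // genuinely unauthenticated users still fall through to IDS.
                    var user = ctx.OwinContext.Authentication.User;
                    if (ctx.OwinContext.Response.StatusCode == (int)HttpStatusCode.Unauthorized
                        && user != null && user.Identity.IsAuthenticated)
                    {
                        ctx.OwinContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                        ctx.HandleResponse();
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With the response now a 403, the ASP.NET error-page configuration (customErrors / httpErrors) can serve the friendly "you do not have permission" page the question asks for, without touching any controller.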