
Microsoft.AspnetCore.Identity.UI override access denied path #26813

Closed
madshaun1984 opened this issue Oct 12, 2020 · 3 comments
Labels
area-identity Includes: Identity and providers ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. Status: Resolved

Comments


madshaun1984 commented Oct 12, 2020

I've added the following to my Startup.cs, but I am finding that the AccessDeniedPath isn't working to make use of a customized Access Denied page.

```csharp
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Use the groups claim for populating roles
    options.TokenValidationParameters.RoleClaimType = "roles";
    options.AccessDeniedPath = new PathString("/Account/AccessDenied"); // This isn't being used??
});

//Adding authorization policies that enforce authorization using Azure AD roles.
services.AddAuthorization(options =>
{
    options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
    options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
});

services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser() /* Comment this line to remove Authorization site wide */
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
services.AddRazorPages();
```

Essentially, all I'm trying to do is add a message that prompts the user to try signing out then back in again to see if the issue persists (for changing role tokens).

What options do I have besides not using the Microsoft.AspNetCore.Identity.UI library?

@blowdart blowdart added the area-identity Includes: Identity and providers label Oct 12, 2020
@mkArtakMSFT (Member) commented:

Thanks for contacting us.
The AccessDeniedPath setting is being overridden when you're calling AddMicrosoftIdentityUI. Consider moving the Configure<OpenIdConnectOptions> call to the bottom as follows:

```csharp
//Adding authorization policies that enforce authorization using Azure AD roles.
services.AddAuthorization(options =>
{
    options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
    options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
});

services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser() /* Comment this line to remove Authorization site wide */
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Use the groups claim for populating roles
    options.TokenValidationParameters.RoleClaimType = "roles";
    options.AccessDeniedPath = new PathString("/Account/AccessDenied"); // This isn't being used??
});

services.AddRazorPages();
```

@mkArtakMSFT mkArtakMSFT added the ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. label Oct 16, 2020
@ghost ghost added the Status: Resolved label Oct 16, 2020

ghost commented Oct 17, 2020

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Oct 17, 2020

madshaun1984 commented Oct 19, 2020

Hi @mkArtakMSFT,

Apologies for the delay in response. I have tried this (prior / post opening this issue), yet the Access Denied prompt shown is still the one from the Microsoft.Identity.UI lib.

Could this be an error of some sort? As it seems your suggestion matches what I originally thought, yet in my case, it's not working as expected.

Update

It seems this may be due to a mistake on my part. I've just successfully set the AccessDeniedPath using the following:

```csharp
//Adding authorization policies that enforce authorization using Azure AD roles.
services.AddAuthorization(options =>
{
    options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
    options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
});

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Use the groups claim for populating roles
    options.TokenValidationParameters.RoleClaimType = "roles";
});

services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.AccessDeniedPath = new PathString("/Account/AccessDenied");
});

services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser() /* Comment this line to remove Authorization site wide */
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();

services.AddRazorPages();
```

The confusion here was due to my use of "Microsoft.Identity.Web", but after finding the following, my issue is resolved.

AzureAD/microsoft-identity-web#117

Thanks!
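The reason the final configuration above works, and the first one did not, is which handler performs the redirect. With Microsoft.Identity.Web the OpenID Connect handler is a remote scheme that only challenges; a signed-in user who fails a role policy is forbidden via the sign-in (cookie) scheme, and it is `CookieAuthenticationOptions.AccessDeniedPath` that the cookie handler redirects to. `OpenIdConnectOptions.AccessDeniedPath` is only consulted when the identity provider itself answers the sign-in request with `error=access_denied` (for example, the user declines consent). The following is an added, complete example illustrating that split, written for this page and not taken from the issue or from the Microsoft.Identity.Web project; the `"AzureAd"` configuration section name, the policy and role names, and the root-level `AccountController` with its `/Account/AccessDenied` route are assumptions, and the view itself is not shown.

```csharp
// Added example (not from the issue): where AccessDeniedPath has to live in an
// ASP.NET Core 3.1 / .NET 5 web app using Microsoft.Identity.Web, plus a custom
// AccessDenied action carrying the "sign out and back in" hint the reporter wanted.
// "AzureAd", the role/policy names and the AccountController route are assumptions.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Registers both the OIDC handler (remote scheme) and the cookie handler
        // (sign-in scheme) from the "AzureAd" section of appsettings.json.
        services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAd");

        // OpenIdConnectOptions.AccessDeniedPath only applies when the identity provider
        // returns error=access_denied on the sign-in callback. It is never used for a
        // 403 raised by an authorization policy after sign-in, which is why setting it
        // here had no visible effect in the issue. Only the role claim mapping belongs here.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.TokenValidationParameters.RoleClaimType = "roles"; // Azure AD app roles
        });

        // A policy failure for an already signed-in user calls ForbidAsync on the cookie
        // scheme; the cookie handler redirects to its own AccessDeniedPath and appends
        // the original URL as ?ReturnUrl=... (the default ReturnUrlParameter).
        services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            options.AccessDeniedPath = new PathString("/Account/AccessDenied");
        });

        services.AddAuthorization(options =>
        {
            // Assumed policy/role names standing in for the issue's AuthorizationPolicies/AppRole constants.
            options.AddPolicy("UserReaderRoleRequired", policy => policy.RequireRole("UserReaders"));
        });

        services.AddControllersWithViews(options =>
        {
            // Site-wide: anonymous users are challenged (sent to the IdP), not forbidden.
            var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        }).AddMicrosoftIdentityUI();
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });
    }
}

// Custom access-denied page (assumed name/route). It must be reachable by any
// authenticated user: if it required a role, a user lacking that role would be
// redirected here, forbidden again, and loop. ReturnUrl arrives from the query string
// and is attacker-controllable, so it is only honoured when it is a local URL.
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult AccessDenied(string returnUrl = null)
    {
        ViewData["Message"] =
            "You do not have the role required for this page. Role assignments are read " +
            "from the token issued at sign-in, so if your roles were changed recently, " +
            "sign out and sign back in to get a fresh token.";
        ViewData["ReturnUrl"] = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        return View();
    }
}
```

Two checks worth running after applying this: hit a role-protected action with a signed-in account that lacks the role and confirm the response is a 302 to `/Account/AccessDenied?ReturnUrl=...` rather than the library's built-in page, and hit the same action anonymously and confirm you are redirected to the identity provider instead, which shows the challenge path is still handled by the OIDC scheme.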

@ghost ghost locked as resolved and limited conversation to collaborators Nov 18, 2020