Okta user with no authorization. How to log out in .AspNetCore?

PeteOtto · June 27, 2019, 1:57pm

This is a .AspNetCore MVC application. Big difference between .AspNetCore and standard .AspNet

Okta user, who has no rights to my website, goes to my website and is redirected to Okta to sign in.
User signs in to Okta. User is a valid Okta user, but unauthorized to use my website.
Okta sends user over to my website ( MVC .NetCore ).
In the Startup.cs I catch the failure the OpenIdConnectOption has thrown. The failure message is “User is not assigned to the client application”
I send the user to the Error Page and display a message.
At this point all is good. I want the user to see this message.
I want to have a button where the user can click and be sent back to the Okta login page.
How do I log out the user and/or send him back to the Okta Login Page?

If I try the same Logout as I would other users I get an Invalid Token Error.
If I try to Login the user, the user is not sent over back to the Okta login page. Instead it is sent back to my startup.cs class and the exact same failure is sent to the OpenIdConnectOptions. Hence, I am stuck in a loop. The typical .Net code we see everywhere does not work on the unauthorized user.

How do I stop MVC .NetCore from looping? I need the browser to erase this information on this unknown, no token, invisible person.

Thanks for spending the time to read my question.

This is the .NetCore code I use to catch the failure in the Startup.cs.

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
            { OnRemoteFailure = context =>
                    {
                        if (context.Failure != null &&
                        context.Failure.Message != null &&
                        context.Failure.Message.Contains("**User is not assigned to the client application**."))
                        {
                            context.Response.Redirect("/Error/NotAssigned");
                        } else {
                            context.Response.Redirect("/Facilities/Index");
                        }
                        context.HandleResponse();

                        return Task.FromResult(0);
                    },

Here is the typical .Net Login/Logout code

 public class AccountController : Controller
    {
        public IActionResult Login()
        {
            if (!HttpContext.User.Identity.IsAuthenticated)
            {
                return Challenge(OktaDefaults.MvcAuthenticationScheme);
            }

            return RedirectToAction("Index", "Facilities");
        }

        [HttpPost]
        public IActionResult Logout()
        {
            return new SignOutResult(new[]
            {
            OktaDefaults.MvcAuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme
        });
           
        }

PeteOtto · June 28, 2019, 2:00pm

The way around unauthorized user is after AspNetCore gets OnRemoteFailure in the OpenClientID, and then sends the user to the Error Page. Have the user go to their browser setting and delete Cookies. From there the user should be able to enter in the URL again and it will be sent to Okta.

The problem on Microsoft side is, I am unable to delete Cookies from the User Browser. I have no way of telling Microsoft to go back to Okta and start all over again.

PeteOtto · July 1, 2019, 10:36pm

It looks there is no way around this issue, other than to tell the user to close the browser and start over again.

We can say this is a Microsoft problem for sure, but are they alone? Why does Okta send unauthorized User to my Web App? Sounds like a security issue. I think it would be best to display a message on the Okta login screen saying this user is unauthorized, instead of dumping the garbage to me and having me take of it.

Also, it would be nice to have a possible “Add a rule” in the rules for this situation. There is no option for unauthorized user.