troubleshooting Question

Response.Redirect with Headers in .Net Core

Asked by Kyle Abrahams
Tags: .NET Programming, C#, ASP.NET, JWT, .NET Core
Hi All,

Trying to bring this authorization workflow together.

Essentially I have a protected service that requires a JWT bearer token.
I have an authorization service that generates a JWT bearer token.

In my Startup for the protected service:

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            // config and the AbsoluteURL() extension method are defined elsewhere (not shown in the post).
            app.UseStatusCodePages(async context =>
            {
                var request = context.HttpContext.Request;
                var response = context.HttpContext.Response;
                var path = request.Path.Value ?? "";

                // Only redirect 401/403 responses for requests that carried no Authorization header.
                if (
                        (response.StatusCode == (int)HttpStatusCode.Unauthorized || response.StatusCode == (int)HttpStatusCode.Forbidden)
                    && !request.Headers.ContainsKey("Authorization")
                   )
                {
                    // Send the caller to the authorization service, passing the current URL as redirectTo.
                    var redirect = context.HttpContext.AbsoluteURL();
                    response.Redirect(config["JWT:AuthorizationServiceRedirect"] + config["AppID"] + "?redirectTo=" + redirect);
                }
            });
        }

Essentially what this does is redirect to the Authorization service if the response fails.  No issues, no problems there.

My authorization service also generates the JWT token. Part of that controller's code is:



            string redirect = HttpContext.Request.Query["redirectTo"].ToString();

            if (!String.IsNullOrEmpty(redirect))
            {
                Response.Headers.Add("Authorization", "Bearer " + dto.user.token);
                Response.Redirect(redirect);
            }

Which brings it back to my protected service.  In theory this Response should now contain the bearer token, however the protected service is not letting it through.  Upon inspecting the headers I don't see anything there.  From my research the headers aren't passed along on the redirect, so what's best practice on getting this to work, and are there any security issues with the above?
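
On the "security issues" part of the question, an added example (not code from the original post or from the site's answer): the controller above redirects to whatever `redirectTo` the query string carries, so the sketch below checks that value against a per-application allowlist before any redirect is issued. The `RedirectTargets` class, the `orders` AppID and the `example.com` / `evil.example` hosts are hypothetical names constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class RedirectTargets
{
    // Hypothetical registry: AppID -> the only origin that app may be sent back to.
    private static readonly Dictionary<string, Uri> Registered =
        new Dictionary<string, Uri>(StringComparer.OrdinalIgnoreCase)
        {
            { "orders", new Uri("https://orders.example.com") }, // constructed sample
        };

    public static bool TryValidate(string appId, string redirectTo, out Uri target)
    {
        target = null;
        if (string.IsNullOrEmpty(appId) || string.IsNullOrEmpty(redirectTo)) return false;
        if (!Registered.TryGetValue(appId, out var origin)) return false;
        if (!Uri.TryCreate(redirectTo, UriKind.Absolute, out var candidate)) return false;

        // Require HTTPS and an exact scheme/host/port match with the registered origin.
        // This rejects other schemes and "https://orders.example.com@evil.example",
        // whose host component is evil.example.
        bool sameOrigin =
            candidate.Scheme == Uri.UriSchemeHttps &&
            Uri.Compare(candidate, origin, UriComponents.SchemeAndServer,
                        UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
        if (!sameOrigin || candidate.UserInfo.Length != 0) return false;

        target = candidate;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: one legitimate return URL followed by hostile ones.
        string[] samples =
        {
            "https://orders.example.com/api/items?page=2",
            "https://evil.example/collect",
            "https://orders.example.com@evil.example/",
            "//evil.example/collect",
        };
        foreach (var s in samples)
        {
            bool ok = RedirectTargets.TryValidate("orders", s, out _);
            Console.WriteLine($"{ok,-5} {s}");
        }
    }
}
```

In the authorization controller, the check would run before `Response.Redirect(redirect)`, with a 400 response returned when it fails.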