Forbid() returns 404

Question

I have returned Forbid() from a web request, and the browser claims its receiving a 404 instead of a 403.

I have added a handler to the cookie authentication like so...

o.Events.OnRedirectToAccessDenied += ctx =>
{
   ctx.Response.StatusCode = (int)HttpStatusCode.Forbidden;

   return Task.FromResult(0);
};

But this doesn't appear to be called.

Thus, why is a method that should return a 403 returning a 404?

Answer 1

I had the same issue. These were my steps to fix it:

1. Temporarily remove all the exception handling like app.UseExceptionHandler("/Home/Error") from Startup. In my case the 404 happened because the exception handling was broken.
2. Then I got the "real" error: My problem was that I had no authentication configured, and therefore no authentication schemes.

After I added the correct authentication options to Startup (in my case I used a custom authentication handler) I got the correct response code:

services.AddAuthentication(LicenseKeyAuthenticationOptions.Scheme)
        .AddScheme<LicenseKeyAuthenticationOptions, LicenseKeyAuthenticationHandler>(LicenseKeyAuthenticationOptions.Scheme, null);

Answer 2

The Forbid() command seems to have an internal ASP.NET MVC controller redirect handling. In case you only want to provide a classic API and want 403 to be returned you should switch the command to

return StatusCode(StatusCodes.Status403Forbidden);

Don't forget to import the using

using static Microsoft.AspNetCore.Http.StatusCodes;

Source: https://stackoverflow.com/a/47708867/828184

So far I'm not aware if this behaviour of Forbid() could be changed.