{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 We Are One 的问题《App redirects to Account/AccessDenied on adding Oa》','https://www.manongdao.com/q-1319266.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've stumbled upon an issue where inconsistently the application redirects the user to Account/AccessDenied/ upon adding a social media authentication to the current logged in user. It seems to work the first time the user is logged in, then by trying to add another authentication method it returns the user to Account/AccessDenied?ReturnUrl=%2Fmanage%2Flinklogincallback.
My guess is that something is going wrong with the [Authorize] attribute, but only the second time I try adding external authentication method.
ManageController
[Authorize]
public class ManageController : Controller
{
//
// POST: /Manage/LinkLogin
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult LinkLogin(string provider)
{
// Request a redirect to the external login provider to link a login for the current user
var redirectUrl = Url.Action("LinkLoginCallback", "Manage");
var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl, _userManager.GetUserId(User));
return Challenge(properties, provider);
}
//
// GET: /Manage/LinkLoginCallback
[HttpGet]
public async Task<ActionResult> LinkLoginCallback()
{
var user = await GetCurrentUserAsync();
if (user == null)
{
return View("Error");
}
var info = await _signInManager.GetExternalLoginInfoAsync(await _userManager.GetUserIdAsync(user));
if (info == null)
{
return RedirectToAction(nameof(ManageLogins), new { Message = ManageMessageId.Error });
}
var result = await _userManager.AddLoginAsync(user, info);
var message = result.Succeeded ? ManageMessageId.AddLoginSuccess : ManageMessageId.Error;
return RedirectToAction(nameof(ManageLogins), new { Message = message });
}
}
Could it be the order of how startup.cs is arranged?
This is the request/response
workaround helped me until it’s resolved by asp.net team
I too faced the same issue. I was using the code from IdentityServer4 QuickStart sample from here
I had to change the code to the following to fix the issue.
Instead of just using the constant 'external' from the
IdentityServerConstants.ExternalAUthenticationSchemeI had to obtain the scheme used to identify external authentication cookies from the cookie options of the current identity system used by the app. That is what fixed the issue for me.If you've set
config.SignIn.RequireConfirmedEmail = trueinStartup.csand theEmailConfirmedfield isfalsefor an externally authenticated user (e.g. Facebook login), on subsequent logins, you'll be directed to theAccount/AccessDenied/action method.I've got confirmed by aspnet team working on Security repo that this is a bug (see this issue) and resolved until next release. A temporary workaround is to set a cookie named
to null, which is created upon adding external login to your account.
@Rovdjuret's workaround helped me until it’s resolved by asp.net team. Here is my controller Login action:
Update: In the latest version (as of May 2017) the cookies have prefix ".AspNetCore.". So cookie name should be ".AspNetCore.Identity.External"