
I developed a login system using Web API 2. All worked perfectly, but suddenly it stopped working when the user enters a wrong password at the login screen.

When the user name and password are correct, the token is obtained correctly and the user is logged in.

But when the user name or password is wrong, it gets a Bad Request response. This worked before, so I don't know what happened.

When debugging, I could see that OAuthAuthorizationServerProvider sets invalid_grant in such a case, in this code:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // FindAsync returns null when the user does not exist or the password does not match
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

        if (user == null)
        {
            // SetError makes the OWIN token endpoint answer HTTP 400 with a JSON error body
            context.SetError("invalid_grant", "The user name or password is not correct.");
            return;
        }

        if (user.Locked)
        {
            context.SetError("invalid_grant", "The user is locked. Contact the administrator.");
            return;
        }

        // Remaining code of the method is not shown in the question
    }

Unfortunately, I cannot debug further, so I could not find out what happens after the "return".

Any idea what is happening?

These are the headers of the response (the URL is /Token):

    Cache-Control: private
    Content-Length: 4901
    Content-Type: text/html; charset=utf-8
    Date: Fri, 30 Nov 2018 23:44:15 GMT
    Expires: -1
    Pragma: no-cache
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    X-SourceFiles: =?UTF-8?B?QzpcV29ya2luZ0ZvbGRl…Edlc3RvckRvY1dlYlxUb2tlbg==?=
– jstuardo
  • Maybe this will help: https://stackoverflow.com/questions/25032513/how-to-get-error-message-returned-by-dotnetopenauth-oauth2-on-client-side – Tarik Tutuncu Dec 05 '18 at 14:10
  • @TarikTutuncu that helped partially. I could change the status code from 400 to 401, but it was impossible to retrieve the error message set in GrantResourceOwnerCredentials. I am trying to get it from JavaScript. When the 401 status code is received by the Ajax request, a "fail" method is run with an XHR object as parameter. I could not retrieve the error message from that object. Do you have a clue? – jstuardo Dec 06 '18 at 22:21
  • Try https://stackoverflow.com/a/42107717. When your auth handler fails, it returns and the next handler receives it. If there's no other handler it goes to the default. If you haven't set a default redirect, the app server doesn't know what to do, so you get a 400. GrantResourceOwnerCredentials shouldn't be leaking, that's insecure. The app server just doesn't have a route. – user326608 Dec 10 '18 at 05:54
  • @jstuardo what is your route prefix? this might help you: https://stackoverflow.com/questions/34946072/web-api-2-bad-request – Ricardo Dec 10 '18 at 06:03
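Added example, not code from the question or from any of the commenters. Two details of the posted headers are worth separating on the client side. A 400 by itself is not the fault: RFC 6749 section 5.2 says the token endpoint answers `invalid_grant` with HTTP 400, and the OWIN authorization server does exactly that, with a JSON body of the form `{"error":"invalid_grant","error_description":"..."}`. What does not match that behaviour is `Content-Type: text/html` with a 4901-byte body, which is an error page produced by IIS or the ASP.NET pipeline rather than the JSON object `SetError` builds. The code below classifies a `/Token` response so that the login form shows `error_description` only when a well-formed OAuth error came back, and treats an HTML 400 as a server-side failure without injecting the HTML into the page (such pages can carry stack traces and server paths, as the `X-SourceFiles` header hints). The sample responses and the `stubFetch` helper are constructed for this example and are assumptions, not captures from the asker's server; `requestToken` takes the fetch implementation as a parameter so the same code runs offline and in a browser.

```javascript
// Error codes a token endpoint may return (RFC 6749, section 5.2).
const KNOWN_OAUTH_ERRORS = new Set([
  "invalid_request", "invalid_client", "invalid_grant",
  "unauthorized_client", "unsupported_grant_type", "invalid_scope",
]);

// Classify one token-endpoint response. `headers` is a plain object keyed by
// lower-case header name; `body` is the raw response text.
// Returns { kind, status, ... } where kind is:
//   "ok"           - 200 with an access_token
//   "oauth_error"  - well-formed RFC 6749 error; `message` is safe to display
//   "server_error" - anything else (HTML error page, malformed JSON, unknown code)
function classifyTokenResponse(status, headers, body) {
  const contentType = (headers["content-type"] || "").toLowerCase();
  if (!contentType.startsWith("application/json")) {
    // A text/html 400 from /Token was produced outside the OAuth provider.
    // Never echo the HTML into the page; report only status and media type.
    return { kind: "server_error", status,
             message: "Unexpected " + (contentType || "unknown") + " response (HTTP " + status + ")" };
  }
  let payload;
  try {
    payload = JSON.parse(body);
  } catch (err) {
    return { kind: "server_error", status, message: "Malformed JSON (HTTP " + status + ")" };
  }
  if (status === 200 && typeof payload.access_token === "string") {
    return { kind: "ok", status, token: payload.access_token, tokenType: payload.token_type };
  }
  if (typeof payload.error === "string" && KNOWN_OAUTH_ERRORS.has(payload.error)) {
    // error_description is optional in RFC 6749; fall back to the code itself.
    return { kind: "oauth_error", status, error: payload.error,
             message: payload.error_description || payload.error };
  }
  return { kind: "server_error", status, message: "Unrecognised token response (HTTP " + status + ")" };
}

// Resource-owner password grant, the flow GrantResourceOwnerCredentials serves.
// `fetchImpl` is injected (window.fetch in a browser, a stub here) so the
// function can be exercised without a server.
async function requestToken(fetchImpl, tokenUrl, username, password) {
  const form = new URLSearchParams({ grant_type: "password", username, password });
  const res = await fetchImpl(tokenUrl, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: form.toString(),
  });
  const headers = { "content-type": res.headers.get("content-type") || "" };
  return classifyTokenResponse(res.status, headers, await res.text());
}

// Responses constructed for this example (assumed shapes, not captured traffic).
const SAMPLE_RESPONSES = {
  ok: { status: 200, contentType: "application/json;charset=UTF-8",
        body: JSON.stringify({ access_token: "eyJ.example.token", token_type: "bearer", expires_in: 1209599 }) },
  invalidGrant: { status: 400, contentType: "application/json;charset=UTF-8",
        body: JSON.stringify({ error: "invalid_grant",
                               error_description: "The user name or password is not correct." }) },
  htmlError: { status: 400, contentType: "text/html; charset=utf-8",
        body: "<!DOCTYPE html><html><body><h1>Bad Request</h1></body></html>" },
};

// Minimal fetch stub (hypothetical helper) that serves one constructed response.
function stubFetch(sample) {
  return async function () {
    return {
      status: sample.status,
      headers: { get: (name) => (name.toLowerCase() === "content-type" ? sample.contentType : null) },
      text: async () => sample.body,
    };
  };
}

// Run all three samples through the client path and return the classifications.
async function demo() {
  const out = {};
  for (const [name, sample] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = await requestToken(stubFetch(sample), "/Token", "alice", "wrong-password");
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In a jQuery `fail` handler the same split applies: read `xhr.getResponseHeader("Content-Type")` and `xhr.responseText` and pass them to `classifyTokenResponse`; only a `kind` of `"oauth_error"` carries text that belongs on the login form.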

0 Answers