I have an ASP.NET Core MVC application in which the controllers are always invoked from the views. I am now extending the application by exposing a new API endpoint which can be called from outside, for example from Postman.

I am facing an issue of getting 405 - Method Not Allowed when I put the [Authorize] attribute on top of my controller. Without this attribute I can hit the endpoint and the model gets bound with the values I provided from Postman, as expected.

Below is how my controller looks:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]                      // removing this attribute makes the endpoint reachable again
[Route("api/v1/auth")]
public class ApiAuthController : Controller
{
    [HttpPost("changePassword")]
    public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordModel model)
    {
        // Placeholder body: the request never reaches this method when [Authorize] is present
        return null;
    }
}

It might be worth mentioning that this application is the same application that provides the Bearer token which I later use in Postman.

Below is the Postman request (screenshots omitted).

In my Startup.cs file I have the following settings related to IdentityServer and authorization:

services
    .AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
    })
    .AddSigningCredential(cert)
    .AddAspNetIdentity<IdentityUser>()
    .AddAuthentication()
Comments:

  • It would help if you could show how authorization is configured in your Startup.cs. (Commented Dec 19, 2019 at 12:25)
  • ApiAuthController should inherit from ControllerBase and you should add the ApiController attribute. (Commented Dec 19, 2019 at 13:10)
  • @RuardvanElburg, I doubt that has anything to do with whether it inherits from Controller or ControllerBase; I have tried with ControllerBase and the same thing happens. (Commented Dec 19, 2019 at 13:15)
  • @Benjamin Maybe you could try disabling "Automatically follow redirects" in Postman - Settings - General. I wonder if IdentityServer is redirecting your request to the login page while preserving the POST method, which causes the 405 response. (Commented Dec 19, 2019 at 13:32)
  • @scharnyw, that was an interesting point. I disabled that option, and right now I keep getting "302 - Found" back. I still don't understand what prevents me from reaching the method in the controller. (Commented Dec 19, 2019 at 13:40)

1 Answer

It appears that you are not authenticated and IdentityServer is trying to redirect you either to the login page or to the access denied page, hence the 302 response. Meanwhile, Postman handles a 302 in a way that is different from most web browsers: it follows the redirect but preserves the POST method (instead of changing it to GET). This leads to a POST request to the login page, which finally results in a 405 Method Not Allowed response.

This should not happen in most web browsers as they would change the HTTP method to GET upon receiving a 302 response. But to work around this issue for browsers or user agents that don't do this, you can try:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Override the Identity cookie scheme's redirect behaviour for non-GET requests.
services.ConfigureApplicationCookie(options =>
{
    options.Events.OnRedirectToAccessDenied =
        options.Events.OnRedirectToLogin = context =>
        {
            // An API client cannot usefully follow a redirect to an HTML login page,
            // so answer with a status code instead of a 302.
            if (context.Request.Method != "GET")
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            }
            // Browser-style GET requests still get the normal redirect.
            context.Response.Redirect(context.RedirectUri);
            return Task.CompletedTask;
        };
});

This should send a 401 Unauthorized response instead of a 302 response when the method is not GET.


1 Comment

Thanks, This answer helped me to narrow down the issue, Now I need to figure out why can't I authenticate using the Bearer token that I have.
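The answer above explains why the 302 turns into a 405 and stops the redirect for non-GET requests; the follow-up comment says the Bearer token still does not authenticate. The reason is visible in the question's Startup.cs: only the Identity cookie scheme is registered, so [Authorize] challenges with the cookie scheme and never looks at the Authorization header. The following is an added example written for this page, not the asker's or the answerer's code, showing both parts together for ASP.NET Core 3.1 with IdentityServer4: a JWT bearer scheme that validates tokens issued by the same IdentityServer, the cookie redirect replaced by a status code for API paths and non-GET requests, and the API controller bound explicitly to the bearer scheme so the MVC views keep using the cookie. The Authority URL, the audience name "api1", the ChangePasswordModel shape and the elided Identity/IdentityServer registration are assumptions.

```csharp
// Added example (not from the question or the answer). Assumes ASP.NET Core 3.1 + IdentityServer4,
// that IdentityServer issues JWT access tokens for an API resource named "api1", and that the
// application can reach its own discovery document at the Authority URL below.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Elided: AddDbContext / AddIdentity<IdentityUser, IdentityRole>() /
        // AddIdentityServer().AddSigningCredential(cert).AddAspNetIdentity<IdentityUser>()
        // exactly as in the question.

        // 1. Register a bearer scheme. Without this, [Authorize] can only challenge with the
        //    Identity cookie, which is what produces the 302 to the login page.
        services.AddAuthentication()
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://localhost:5001"; // assumption: this app's own issuer URL
                options.Audience = "api1";                    // assumption: the API resource name
            });

        // 2. For API paths and non-GET requests, answer with a status code instead of redirecting.
        services.ConfigureApplicationCookie(options =>
        {
            options.Events.OnRedirectToLogin =
                ctx => RejectApiOrRedirect(ctx, StatusCodes.Status401Unauthorized);
            options.Events.OnRedirectToAccessDenied =
                ctx => RejectApiOrRedirect(ctx, StatusCodes.Status403Forbidden);
        });

        services.AddControllersWithViews();
    }

    // Anything under /api, or any request that is not a GET, gets a plain status code;
    // browser navigation to MVC views keeps the normal redirect to the login page.
    private static Task RejectApiOrRedirect(
        RedirectContext<CookieAuthenticationOptions> ctx, int statusCode)
    {
        if (ctx.Request.Path.StartsWithSegments("/api") || !HttpMethods.IsGet(ctx.Request.Method))
        {
            ctx.Response.StatusCode = statusCode;
            return Task.CompletedTask;
        }
        ctx.Response.Redirect(ctx.RedirectUri);
        return Task.CompletedTask;
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseIdentityServer();   // IdentityServer4 calls UseAuthentication() internally
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
            endpoints.MapDefaultControllerRoute();
        });
    }
}

// Assumption: the model the question binds from the Postman body.
public class ChangePasswordModel
{
    public string CurrentPassword { get; set; }
    public string NewPassword { get; set; }
}

// The API controller names the bearer scheme explicitly, so a valid token in the
// Authorization header is accepted and a missing/invalid token yields 401, never a 302.
[ApiController]
[Route("api/v1/auth")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class ApiAuthController : ControllerBase
{
    [HttpPost("changePassword")]
    public IActionResult ChangePassword([FromBody] ChangePasswordModel model)
    {
        // Real password change logic would go here (UserManager<IdentityUser>.ChangePasswordAsync).
        return model is null ? (IActionResult)BadRequest() : NoContent();
    }
}
```

With this configuration a Postman POST to /api/v1/auth/changePassword with no token returns 401 directly, one with a token whose issuer or audience does not match returns 401 with a WWW-Authenticate header describing the failure, and one with a valid token reaches the action. The scheme is pinned on the controller rather than made the global default so that existing cookie-based MVC views are unaffected.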
