Renvoyer 405 via OAuthAuthorizationServerProvider

Bonjour,

Je travail en Framework 4.8 (pas le choix) et je mets en place une authentification de type bearer.
Pour des raison de sécurité, je souhaite autoriser uniquement un appel en POST pour la demande de token.
Code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 public class AuthorizationServerProvider : OAuthAuthorizationServerProvider { public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { if (!context.Request.Method.Equals(HttpMethod.Post.Method, StringComparison.OrdinalIgnoreCase)) { context.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed; context.SetError("invalid_request", "The request method must be POST."); return Task.FromResult(0); } context.Validated(); return Task.FromResult(0); } }
Mon retour est bien le suivant :
Code:

1 2 3 4 { "error": "invalid_request", "error_description": "The request method must be POST." }
Mais le code retour HTTP de l'appel reste 400 alors que j'attends 405.
Lorsque je mets un point d'arrêt à la ligne 9, j'ai bien le 405 dans context.Response.StatusCode.

Une idée de ce qui ne va pas ?
Merci.

Est-ce-que ça peut venir d'un filter qui réécrit le status code de la réponse ?

Je n'ai pas de filtre.

Global.asax.cs :

Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 public class WebApiApplication : HttpApplication
 {
     protected void Application_Start()
     {
         GlobalConfiguration.Configure(WebApiConfig.Register);
     }
 
     protected void Application_BeginRequest()
     {
         if (HttpContext.Current.Request.Url.AbsolutePath.Equals("/", StringComparison.Ordinal))
         {
             HttpContext.Current.Response.Redirect("/api/default", true);
         }
 
         HttpContext.Current.Response.AddHeader("Cache-Control", "no-store");
         HttpContext.Current.Response.AddHeader("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'");
         HttpContext.Current.Response.AddHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()");
         HttpContext.Current.Response.AddHeader("Pragma", "no-cache");
         HttpContext.Current.Response.AddHeader("Referrer-Policy", "no-referrer");
         HttpContext.Current.Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
         HttpContext.Current.Response.AddHeader("X-Content-Type-Options", "nosniff");
         HttpContext.Current.Response.AddHeader("X-DNS-Prefetch-Control", "off");
         HttpContext.Current.Response.AddHeader("X-Download-Options", "noopen");
         HttpContext.Current.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
         HttpContext.Current.Response.AddHeader("X-Permitted-Cross-Domain-Policies", "none");
         HttpContext.Current.Response.AddHeader("X-XSS-Protection", "1; mode=block");
     }
 }

Startup.cs :

Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);
 
        HttpConfiguration config = new HttpConfiguration();
        WebApiConfig.Register(config);
    }
 
    public void ConfigureOAuth(IAppBuilder app)
    {
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
 
 
        OAuthAuthorizationServerOptions OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new AuthorizationServerProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
            AllowInsecureHttp = false// Set to false in production
        };
 
        app.UseOAuthAuthorizationServer(OAuthOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());      
    }
}

WebApiConfig.cs :

Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services
 
        // Web API routes
        config.MapHttpAttributeRoutes();
 
        config.Routes.MapHttpRoute(
            name: "PopoApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { controller = "Default", id = RouteParameter.Optional }
        );
    }
}

J'ai bien ajouté un module pour filtrer les en-tête mais il ne touche pas au status code.
Extrait du web.config

Code:

1
2
3
4
5
6
7
8
9
10
11
 <system.webServer>
   <modules>
     <add name="RemoveNotSecuredHeaderModule" type="Popo.RestApi.RemoveNotSecuredHeaderModule" />
   </modules>  
   <handlers>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>

RemoveNotSecuredHeaderModule.cs

Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public class RemoveNotSecuredHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreSendRequestHeaders += (sender, e) =>
        {
            HttpContext.Current.Response.Headers.Remove("Server");
            HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
            HttpContext.Current.Response.Headers.Remove("X-Powered-By");
            HttpContext.Current.Response.Headers.Remove("X-SourceFiles");
        };
    }
 
    public void Dispose() { }
}