We have an Angular JS application with an MVC backend that uses WIF to authenticate a user using Azure ASC. The MVC controllers have an [Authorize]
attribute so when an unauthenticated user attempts to access a page that requires authentication they receive a 401 error.
So the process is as follows:
- Attempt to access
Home/Index
- Receive 401 error
- Angular httpInterceptor picks up on the 401 and redirects to unauthorized (login) page using $location.path("/unauthorized");
- User clicks login button and is redirected to Azure ACS to authenticate.
- After successful authentication user is directed back to the site with an authentication token and can access protected resources.
The angular httpInterceptor:
// On response failture
responseError: function (rejection)
{
// console.log(rejection); // Contains the data about the error.
if (rejection.status == 401)
{
$location.path("/unauthorized");
return $q.when(rejection);
}
// Return the promise rejection.
return $q.reject(rejection);
}
When I first load up the page all browsers behave as expected.
The problem happens when I log out. With all the browsers apart from IE the following occurs
- Perform single-signout by redirecting to signout URL.
- After sign-out get redirected back to default page but since I now have no authentication token I receive a 401
- I am redirected to the unauthorized (login) page
However when using IE the 401 doesn't happen in step 2 above. So the signout occurs but the default page loads. None of the angular scripts load because I load all of the angular controllers, services and directives inside the following razor statement:
@if (User.Identity.IsAuthenticated)
{
//load angular files here
}
When I look at what is happening with fiddler I can see that the 401 doesn't happen with IE
http://i.imgur.com/Of53mEY.png
but it does with the other browsers:
http://i.imgur.com/g1GmVw3.png
Why doesn't the 401 happen on IE like the other browsers?