OpenID Connect authentication issues

  • Question

  • User-897025274 posted
    Pardon me if this is a basic question.
    We have our own auth server with a login page.
    All I have to do is redirect to that auth page and check whether the user is authenticated or not in my web app.
    I have followed the sample from this path:
    http://www.cloudidentity.com/blog/2014/07/24/protecting-an-asp-net-webforms-app-with-openid-connect-and-azure-ad/
    where I changed the startup method as follows:

    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "****",
        Authority = "my auth server url",
        RedirectUri = "https://localhost:****",
        ResponseType = "token",
        Scope = "openid"
    });

    While redirecting to the login page and getting consent are successful, authentication fails.
    That is, Request.IsAuthenticated is always false, hence it forms a redirect loop.
    Please advise if my approach is right. Are there any samples that suit my need?

    Krishna

    Tuesday, July 17, 2018 9:58 AM

All replies

  • User1724605321 posted

    Hi krishkumar_s,

    Please try capturing a Fiddler network trace and see where the loop is happening and whether there's anything wrong with the request.

    Best Regards,

    Nan Yu

    Wednesday, July 18, 2018 5:27 AM
  • User2131352234 posted

    Register a new application using the Azure portal: Quickstart: Register apps with Microsoft identity platform

    ASP.NET web app to sign in personal accounts and work and school accounts from any Azure Active Directory (Azure AD) instance.

    OWIN middleware NuGet packages

    Install-Package Microsoft.Owin.Security.OpenIdConnect
    Install-Package Microsoft.Owin.Security.Cookies
    Install-Package Microsoft.Owin.Host.SystemWeb

    OWIN Startup Class: The OWIN middleware uses a startup class that runs when the hosting process initializes. In this quickstart, the startup.cs file is located in the root folder. The following code shows the parameters used by this quickstart:

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // change Cookies AuthenticationType
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Sets the ClientId, authority, RedirectUri as obtained from web.config
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                // ResponseType is set to request the id_token - which contains basic information about the signed-in user
                ResponseType = OpenIdConnectResponseType.IdToken,
                // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
                // To only allow users from a single organization, set ValidateIssuer to true and the 'tenant' setting in web.config to the tenant name
                // To allow users from only a list of specific organizations, set ValidateIssuer to true and use the ValidIssuers parameter
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false // Simplification (see note below)
                },
                // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to the OnAuthenticationFailed method
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed
                }
            }
        );
    }

    ASP.NET MVC / Web API
    // You can force a user to sign in by requesting an authentication challenge in your controller:
    public void SignIn()
    {
        if (!Request.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }

    ASP.NET Web Form:

    protected void Login_click(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            HttpContext.Current.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }


    How to fix this:

    Update your application's Microsoft.Owin.Host.SystemWeb package to be at least version  and modify your code to use one of the new cookie manager classes, for example something like the following:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
    });
    Friday, March 27, 2020 7:55 PM
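    Putting the two replies together, here is an added example (not code from the thread, the quickstart or the blog post) of an OWIN Startup for a self-hosted OpenID Connect provider: it uses the chunking cookie manager from the fix above, requests an id_token (the Katana middleware builds its ClaimsIdentity from the id_token and produces no identity when the response lacks one, which is what the question's ResponseType of "token" gives), keeps issuer validation on, and logs failures instead of re-challenging so a bad token cannot turn into a redirect loop. The client id, authority and redirect URI are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder values: substitute the client registration at your own auth server.
    private const string ClientId = "<your-client-id>";
    private const string Authority = "https://auth.example.invalid/"; // must serve /.well-known/openid-configuration
    private const string RedirectUri = "https://localhost:44300/";

    public void Configuration(IAppBuilder app)
    {
        // The OIDC middleware signs its identity into this scheme; without it no auth cookie is ever issued.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Chunking manager from Microsoft.Owin.Host.SystemWeb, so System.Web cannot drop the cookie on the way out.
            CookieManager = new SystemWebChunkingCookieManager()
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // Katana builds the ClaimsIdentity from an id_token; a bare "token" response carries none.
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true // the expected issuer is taken from the authority's discovery document
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = ctx =>
                {
                    // Log, take over the response and send the user to a static error page instead of re-challenging.
                    System.Diagnostics.Trace.TraceError("OIDC authentication failed: {0}", ctx.Exception);
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Error.aspx");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

    With this in place a failed token validation lands on /Error.aspx with the exception in the trace log, while a successful sign-in writes the cookie and Request.IsAuthenticated becomes true on the next request.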