Automatically redirect to authentication provider when execution hits [Authorize]

  • Question

  • User1907354026 posted

    Hi,

    I have two simple experimental MVC apps, one relies on our internal ADFS to authenticate the other is using Okta.

    The Okta app will automatically redirect to the Okta authentication service when a user accesses an MVC handler decorated with [Authorize], but the ADFS app does not; it simply screams that the user is not authorized.

    Of course each app has a Login page and this all works fine, but I do have two questions:

    1. What is enabling the Okta app to infer that it must authenticate automatically when an unauthenticated user hits a [Authorize] method?
    2. What must I do to the ADFS app to get it to behave the same way as the Okta one, so that just accessing a [Authorize] method will automatically redirect to Okta?

    Thx

    Thursday, June 13, 2019 6:00 PM

All replies

  • User475983607 posted

    What must I do to the ADFS app to get it to behave the same way as the Okta one, so that just accessing a [Authorize] method will automatically redirect to Okta?

    I assume you need an OWIN based ADFS solution or your current ADFS configuration is incorrect.

    https://blogs.msdn.microsoft.com/sakamati/2015/07/06/creating-owin-based-ws-federation-application/

    http://www.cloudidentity.com/blog/2014/02/20/ws-federation-in-microsoft-owin-componentsa-quick-start/

    Thursday, June 13, 2019 6:12 PM
  • User1907354026 posted

    Hi,

    The code we have in our Startup.cs for the ADFS version is:

    // Registers the WS-Federation middleware; realm and metadata URL come from web.config appSettings.
    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Wtrealm = ConfigurationManager.AppSettings["ida:Wtrealm"],
            MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"]
        });

    The rudimentary sign in page handler has this:

    // Explicit challenge: asks the WS-Federation middleware to redirect to ADFS,
    // then return the user to the given RedirectUri after sign-in.
    if (!Request.IsAuthenticated)
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "StudyMvcApp/Home/Index" },
            WsFederationAuthenticationDefaults.AuthenticationType);
    }

    The sign-in works: if we access that, we are redirected, we log in, and we can thereafter access methods with [Authorize] on them. But if we do not explicitly sign in and attempt to access an [Authorize] method, it fails and we get an error page from IIS (not authorized).

    Clearly I'm new to this area and just trying to understand it all!

    Is there any other information that would help you understand what I'm doing?

    Thx

    Thursday, June 13, 2019 6:26 PM
  • User475983607 posted

    I assume you forgot to configure Cookie Authentication, which works with the [Authorize] attribute.

    I recommend that you read the links in my previous post, which illustrate how to configure Cookie Auth.

    public void ConfigureAuth(IAppBuilder app)
    {
        // Cookie middleware: persists the signed-in principal and re-creates it on each request.
        app.UseCookieAuthentication(
            new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

        // WS-Federation middleware: handles the redirect to, and the token posted back from, the STS.
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                MetadataAddress = "https://login.microsoftonline.com/2c2a63d4-465c-464d-b7f5-6ccfd0dce5b8/federationmetadata/2007-06/federationmetadata.xml",
                Wtrealm = "https://testService.local/",
            });

        // Tells the WS-Federation middleware to sign the user in via the cookie middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    }

    Thursday, June 13, 2019 6:32 PM
  • User1907354026 posted

    Hi,

    Actually those steps are there also (I failed to include them earlier, apologies).

    One difference is we've placed this code in a method Configuration whereas yours is in ConfigureAuth...

    Otherwise it does look like we're the same....

    Thursday, June 13, 2019 7:41 PM
  • User475983607 posted

    Hi,

    Actually those steps are there also (I failed to include them earlier, apologies).

    One difference is we've placed this code in a method Configuration whereas yours is in ConfigureAuth...

    Otherwise it does look like we're the same....

    Then accessing an action secured by [Authorize] should redirect to the login page. There must be something different about your configuration which we cannot see.

    Thursday, June 13, 2019 7:49 PM
  • User1907354026 posted

    Hmm OK that at least is helpful to know.

    Can you explain how [Authorize] is caused to behave that way? What is it in the code that lies at the heart of that?

    Thx

    Thursday, June 13, 2019 8:11 PM
  • User475983607 posted

    Korporal

    Can you explain how [Authorize] is caused to behave that way? What is it in the code that lies at the heart of that?

    Depends on the default authentication scheme. In browser-based applications an authentication token is cached within a cookie after a successful authentication. Browsers submit unexpired cookies to the domain that created the cookie on every request, which makes cookies a good vehicle for persisting tokens. The token is just an encrypted string that has information about the authenticated user: username, claims, roles, email.

    The .NET framework's Auth Cookie API knows how to read the auth cookie, extract the user values on each request, and use these values to update the current user Principal and authenticate the current request. The [Authorize] attribute simply checks if the current request is authenticated. In other words, the auth cookie was found and the cookie contained a valid token.

    If you have something like this...

    [Authorize(Roles = "Administrator")]

    The request must be authenticated as before and the Principal must be in the Administrator role.

    Thursday, June 13, 2019 8:27 PM
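As an added example that is not code from the thread or from either poster: a Startup configuration, assuming an MVC 5 app on Katana and the ida:* app-setting keys from the original question, that makes explicit which setting turns the 401 produced by [Authorize] into a redirect to ADFS, and adds a notification hook for checking that the redirect actually fires.

```csharp
// Added example (not code from the thread): a Katana Startup showing the pieces that make
// [Authorize] redirect to ADFS instead of surfacing a bare 401 page from IIS. Assumes MVC 5 with
// Microsoft.Owin.Security.Cookies/.WsFederation; the ida:* keys and the namespace are placeholders.
using System;
using System.Configuration;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
[assembly: OwinStartup(typeof(StudyMvcApp.Startup))]
namespace StudyMvcApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Set first so it is already in place when the WS-Fed middleware is added; it names
            // the middleware (the cookie one) that should persist the signed-in principal.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,                     // session cookie not readable from script
                CookieSecure = CookieSecureOption.Always,  // HTTPS only (dev site needs TLS too)
                ExpireTimeSpan = TimeSpan.FromHours(1)
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = ConfigurationManager.AppSettings["ida:Wtrealm"],
                MetadataAddress = ConfigurationManager.AppSettings["ida:ADFSMetadata"],
                // Active (the default): every 401, including the one [Authorize] returns for an
                // anonymous request, is converted into a redirect to the identity provider.
                // Passive: the middleware only redirects after an explicit Challenge(...) call.
                AuthenticationMode = AuthenticationMode.Active,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Fires on each redirect; handy when diagnosing "no redirect happened".
                    RedirectToIdentityProvider = n =>
                    {
                        Trace.TraceInformation("WS-Fed redirect to {0}", n.ProtocolMessage.IssuerAddress);
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

If the trace line never appears when an anonymous request hits an [Authorize] action, the 401 is being answered before the WS-Fed middleware sees it, which is the kind of unseen configuration difference the reply above refers to.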