How to protect child applications using OWIN and AzureAD and OpenID Connect

  • Question

  • User-209105085 posted

    I have a .NET web application (Web Forms) developed using .NET 4.5.1. Let's call this the "Main" application. In the Main application I have implemented authentication using Azure AD + OWIN + OpenID Connect. The authentication process is working fine so far.

    Now I have to authorize access to resources inside the Main application, as well as authorize access to the child applications.

    We have 3 other applications (MVC, WCF services), all developed in 4.5.1. The Main application is hosted in IIS as the default web site, and these 3 other applications are added as virtual directories under the main application. So we can access them as

       www.main.com   
       www.main.com/mvcapp   
       www.main.com/wcfservice1   
       www.main.com/wcfservice2

    I want to protect the child applications from anonymous access, so I added an authorize element in the Main application's web.config. I am guessing that because of inheritance the authorize tag will apply to the child applications as well. Here is my complete web.config:

    <configuration>
      <appSettings>
        <add key="webpages:Version" value="3.0.0.0" />
        <add key="webpages:Enabled" value="false" />
        <add key="ClientValidationEnabled" value="true" />
        <add key="UnobtrusiveJavaScriptEnabled" value="true" />
        <add key="owin:AutomaticAppStartup" value="true" />
        <add key="ida:ClientId" value="someclientid" />
        <add key="ida:Tenant" value="mytenant.onmicrosoft.com" />
        <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
        <add key="ida:PostLogoutRedirectUri" value="http://localhost/Default.aspx" />
      </appSettings>
      <system.web>
        <compilation debug="true" targetFramework="4.5.1" />
        <httpRuntime targetFramework="4.5.1" />
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    Note that Default.aspx is excluded from authentication. I have an OWIN startup class in the main application, and Default.aspx redirects the user if he is not authenticated:

    public class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            SignIn();
        }
    
        public void SignIn()
        {
            // Send an OpenID Connect sign-in request.
            if (!System.Web.HttpContext.Current.Request.IsAuthenticated)
            {
                HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }

    With such settings the user can access the main application after being authenticated; however, if the authenticated user tries to access any child application he gets an access denied error. Not sure why the authentication ticket is not carried down to the child applications.

    I do not have any authentication or authorize attribute configured in the child applications. I do not have any OWIN setup in the child applications.

    Tuesday, February 23, 2016 11:20 PM
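    An added example (not the asker's code and not the linked answer) of the piece the setup above is missing: Katana hosted on IIS protects its authentication cookie with the site's machineKey, so a child application can validate the main application's cookie only if it runs its own minimal OWIN cookie middleware with the same cookie name and authentication type and shares an identical `<machineKey>`. The namespaces `MainApp`/`ChildApp` and the cookie name `.MainApp.Auth` are assumptions; the `ida:` keys are the ones from the asker's web.config.

```csharp
// Main application (www.main.com): OWIN startup that issues the auth cookie after Azure AD sign-in.
using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
namespace MainApp
{
    public class Startup   // found by Katana's startup discovery (owin:AutomaticAppStartup=true)
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieName = ".MainApp.Auth", // explicit, so the child apps can look for the same name
                CookiePath = "/",             // covers /mvcapp, /wcfservice1, /wcfservice2
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always // assumes the site is served over HTTPS
            });
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigurationManager.AppSettings["ida:ClientId"],
                Authority = string.Format(ConfigurationManager.AppSettings["ida:AADInstance"],
                                          ConfigurationManager.AppSettings["ida:Tenant"]),
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"]
            });
        }
    }
}
// Child application (e.g. /mvcapp), in its own project: cookie middleware only, no OpenID Connect.
// Katana on IIS protects the cookie with MachineKey.Protect, using the authentication type as a
// purpose, so the child needs the same AuthenticationType, the same CookieName and an identical
// <machineKey validationKey="..." decryptionKey="..." /> in both web.config files.
namespace ChildApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieName = ".MainApp.Auth",
                CookiePath = "/"
            });
        }
    }
}
```

    The child application still needs its own handling of unauthenticated requests: with `<deny users="?" />` and no OpenID Connect middleware it returns 401 rather than redirecting, and `<authentication mode="None" />` in its system.web keeps Forms Authentication from intercepting that response.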

Answers

  • User-209105085 posted

    here is my answer

    http://stackoverflow.com/questions/35612486/owin-iis-throws-access-denied-for-authenticated-user-while-accessing-child-appl/35662881#35662881

    Friday, February 26, 2016 10:30 PM

All replies

  • User614698185 posted

    Hi lax4u,

    if authenticated user tries to access any child application he gets access denied error. Not sure why authentication ticket is not carried down to child applications

    The authentication ticket is Forms Authentication. If you want to use Forms Authentication across applications, you need to set the attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.

    The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications.

    Please see: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx

    In the application that handles authentication you can create and store the authentication ticket. This will set up the cookie and ticket so it can be consumed by each application.

    // Gets the cookie (username and rememberMe come from the login form)
    var cookie = FormsAuthentication.GetAuthCookie(username, rememberMe);

    // Gets an authentication ticket with the appropriate default and configured values.
    var ticket = FormsAuthentication.Decrypt(cookie.Value);
    // createDate, expirationDate, isPersistent and userData are supplied by the caller;
    // userData is the custom string the other applications will read back from the ticket.
    var newTicket = new FormsAuthenticationTicket(
                                ticket.Version,
                                username,
                                createDate,
                                expirationDate,
                                isPersistent,
                                userData);

    // Re-encrypt with the shared machineKey so every participating application can decrypt it.
    var encryptedTicket = FormsAuthentication.Encrypt(newTicket);
    cookie.Value = encryptedTicket;
    Response.Cookies.Add(cookie);

    To read the cookie you can use this code:

    var cookieName = FormsAuthentication.FormsCookieName;  
    var authCookie = Request.Cookies[cookieName];  
      
    //This could throw an exception if it fails the decryption process. Check MachineKeys for consistency. 
    var authenticationTicket = FormsAuthentication.Decrypt(authCookie.Value);  
      
    // Retrieve information from the ticket  
    var username = authenticationTicket.Name;  
    var userData = authenticationTicket.UserData; 

    Please see: http://www.shawnmeyer.com/2013/10/sharing-forms-authentication-tickets-between-applications/

    Best Regards,

    Candice Zhou

    Wednesday, February 24, 2016 5:10 AM
  • User-209105085 posted

    Thanks

    But I do not want to use Forms Authentication. In fact we were using Forms Authentication, but now we want to move to the new authentication using OWIN + Azure AD. I used "Authentication Ticket" as a general term, not specific to Forms Authentication. When Azure AD authenticates the user it must issue **something** (I called it the Authentication Ticket).

    In forms authentication there is an option you can specify where you want to redirect anonymous users.

    <authentication mode="Forms">
            <forms loginUrl="~/Login" />
    </authentication>
    
    <authorization>
      <deny users="?"/>
    </authorization>

    So when an anonymous user tries to access any resource (including child applications) under the main application he would get redirected to the login page. There was no need to do any configuration in the child application. It was all taken care of by the parent application.

    How do I achieve the same with OWIN + Azure AD?

    Wednesday, February 24, 2016 4:13 PM