Reputation: 1849
I have set up OpenID Connect authentication in my ASP.NET MVC application using OWIN Middleware.
As this Fiddler output shows, once successfully logging in via Azure OpenID Connect, the browser continually loops back and forth between my site.azurewebsites.net and login.windows.net.
I have ensured the following keys correctly match the Azure AD information:

    <add key="ida:AADInstance" value="https://login.windows.net/{0}" />
    <add key="ida:Tenant" value="******.onmicrosoft.com" />
    <add key="ida:ClientId" value="*******" />
    <add key="ida:PostLogoutRedirectUri" value="*********" />

And my Start.cs code is as follows:

    using System;
    using System.Configuration;
    using System.Globalization;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    // The enclosing class declaration was not shown in the post; "Startup" is the OWIN convention.
    public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        // Authority = AAD instance URL with the tenant substituted for {0}
        private string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
        // IAuthorizationService / AuthorizationService are the application's own types
        IAuthorizationService authorizationService = new AuthorizationService();

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                ExpireTimeSpan = TimeSpan.FromMinutes(15)
            });
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri
                });
        }
    }

Not sure what is causing this to constantly redirect. I have placed an [Authorize] attribute on the MVC Controller where Post Authentication Redirect Url goes.
Upvotes: 14
Views: 11029
Reputation: 163
To resolve this issue, you can upgrade your application to use ASP.NET Core. If you must continually stay on ASP.NET, perform the following: Update your application’s Microsoft.Owin.Host.SystemWeb package to be at least version. Modify your code to use one of the new cookie manager classes, for example something like the following:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
    });

Upvotes: 1
Reputation: 71
I ran into this issue last night in an ASP.NET Framework 4.5.1 MVC app. There were two issues for me:
1. Trying to access the site using HTTP instead of HTTPS
2. Cookie overwriting as described here: https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
I was an "I tried everything but nothing works" dev until I found that fix. Hopefully that works for you too.
Upvotes: 4
Reputation: 129
I faced the same issue and fixed it by using the NuGet package Kentor.OwinCookieSaver. Use code as below:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseKentorOwinCookieSaver(); // Workaround for infinite loop between webapp & login page
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
    }

Upvotes: 0
Reputation: 67
Fixed this issue by ensuring that request is using https BEFORE redirecting to Azure:

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = AppConfig.ClientId,
            Authority = AppConfig.Authority,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                    {
                        // ensure https before redirecting to Azure
                        if (!context.Request.IsSecure)
                        {
                            context.Response.Redirect(string.Format("https://{0}{1}", context.Request.Uri.Authority, context.Request.Uri.AbsolutePath));
                            context.HandleResponse();
                            return Task.FromResult(0);
                        }
                    }
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect(AppConfig.RedirectUri + "SignInError?message=" + context.Exception.Message);
                    return Task.FromResult(0);
                },
            },
        });

Upvotes: 0
Reputation: 1161
What is happening here is related to what JuneT noticed. This is related to the default on CookieAuthenticationOptions.CookieSecure == CookieSecureOption.SameAsRequest. Since you started at http, the final redirect is to http. The request that created the 'authcookie' was https from AAD.
I was able to get this working by setting CookieSecure == CookieSecureOption.Always. This means that cookie could leak along with your auth.
There must be a way to ensure that pages that auth only will accept connections on https.
Upvotes: 1
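
A configuration that combines the fixes from the answers above (HTTPS enforced before sign-in starts, an auth cookie that is always marked Secure, and a System.Web-backed cookie manager), as an added example that is not code from any of the posts. The `ClientId` and `Authority` constants are placeholders, and it assumes the site serves HTTPS on the default port and that the application sees the original request scheme (no TLS-terminating proxy hiding it).

```csharp
using System;
using Microsoft.Owin.Host.SystemWeb;   // SystemWebChunkingCookieManager
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders (assumptions): replace with the application's own values.
    private const string ClientId = "<client-id>";
    private const string Authority = "https://login.windows.net/<tenant>";

    public void ConfigureAuth(IAppBuilder app)
    {
        // Runs before any auth middleware: a sign-in can never start on http,
        // so the post-login redirect never lands on a scheme the cookie is withheld from.
        app.Use(async (context, next) =>
        {
            if (context.Request.IsSecure) { await next(); return; }
            if (!string.Equals(context.Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
            {
                context.Response.StatusCode = 403;   // refuse rather than replay a request body
                return;
            }
            // Port = -1 drops the port so the URL uses the https default (assumption: 443).
            var https = new UriBuilder(context.Request.Uri) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            context.Response.Redirect(https.Uri.AbsoluteUri);
        });

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // Always (not the SameAsRequest default) keeps the Secure flag on the auth cookie;
        // the System.Web cookie manager avoids the cookie-overwrite issue linked above.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
            ExpireTimeSpan = TimeSpan.FromMinutes(15),
            CookieManager = new SystemWebChunkingCookieManager()
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority
        });
    }
}
```

With the redirect in place, a browser that arrives over http is moved to https before `[Authorize]` triggers the challenge, so the Secure cookie issued after the Azure AD round trip is sent back on the next request instead of being dropped.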