puri
puri

Reputation: 1849

Azure OpenID Connect via OWIN Middleware resulting in Infinite Redirect Loop

I have setup OpenID Connect authentication in my ASP.NET MVC application using OWIN Middleware.

As this Fiddler output shows, once successfully logging in via Azure OpenID Connect, the browser continually loops back and forth between my site.azurewebsites.net and login.windows.net.

Fiddler loop

I have ensured following keys are correctly matching Azure AD information

<add key="ida:AADInstance" value="https://login.windows.net/{0}" />
<add key="ida:Tenant" value="******.onmicrosoft.com" />
<add key="ida:ClientId" value="*******" />
<add key="ida:PostLogoutRedirectUri" value="*********" />

And my Start.cs code is as follows

 private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    private string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

    IAuthorizationService authorizationService = new AuthorizationService();

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {

            ExpireTimeSpan =TimeSpan.FromMinutes(15)
        });

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri}
            });
    }
}

Not sure what is causing this to constantly redirect. I have placed an [Authorize] attribute on the MVC Controller where Post Authentication Redirect Url goes.

Upvotes: 14

Views: 11029

Answers (5)

shubham mahore
shubham mahore

Reputation: 163

To resolve this issue: you can upgrade your application to use ASP.NET Core. If you must continually stay on ASP.NET, perform the following: Update your application’s Microsoft.Owin.Host.SystemWeb package be at least version. Modify your code to use one of the new cookie manager classes, for example something like the following:

app.UseCookieAuthentication(new CookieAuthenticationOptions 
{ 
    AuthenticationType = "Cookies", 
    CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager() 
});

Reference Link

Upvotes: 1

AGDevX
AGDevX

Reputation: 71

I ran into this issue last night in an ASP.NET Framework 4.5.1 MVC app. There were two issues for me.

  1. Trying to access the site using HTTP instead of HTTPS

    • I have localhost, dev, and test (and prod of course) environments running under HTTPS so I didn't have to worry about handling HTTP locally. I have HSTS running everywhere and that solved this problem. See Best way in asp.net to force https for an entire site? for additional info.
  2. Cookie overwriting as described here https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues

    • What worked for me was the Reconfigure the CookieAuthenticationMiddleware to write directly to System.Web's cookie collection fix combined with Katana 3.1.0 has several implementations of ICookieManager available. Older versions can use the following fix.

I was a "I tried everything but nothing works" dev until I found that fix. Hopefully that works for you too.

Upvotes: 4

Sudipta Chaudhari
Sudipta Chaudhari

Reputation: 129

I faced the same issue and fixed it by using nuget package kentor.owincookiesaver. Use code as below:-

public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseKentorOwinCookieSaver();//Workaround for infinite loop between webapp & login page

app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
}

Upvotes: 0

pcl
pcl

Reputation: 67

Fixed this issue by ensuring that request is using https BEFORE redirecting to Azure

            app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = AppConfig.ClientId,
                Authority = AppConfig.Authority,

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                       {
                           if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                           {
                               // ensure https before redirecting to Azure
                               if (!context.Request.IsSecure)
                               {
                                   context.Response.Redirect(string.Format("https://{0}{1}", context.Request.Uri.Authority, context.Request.Uri.AbsolutePath));
                                   context.HandleResponse();
                                   return Task.FromResult(0);
                               }
                           }

                           return Task.FromResult(0);
                       },

                    AuthenticationFailed = context =>
                                    {
                                        context.HandleResponse();
                                        context.Response.Redirect(AppConfig.RedirectUri + "SignInError?message=" + context.Exception.Message);
                                        return Task.FromResult(0);
                                    },
                },
            });

Upvotes: 0

Brent Schmaltz
Brent Schmaltz

Reputation: 1161

what is happening here is related to what JuneT noticed. This is related to the default on CookieAuthenticationOptions.CookieSecure == CookieSecureOption.SameAsRequest. Since you started at http, the final redirect is to http. The request that created the 'authcookie' was https from AAD.

I was able to get this working by setting CookieSecure == CookieSecureOption.Always. This means that cookie could leak along with your auth.

Is there must be a way to ensure that pages that auth only will accept connections on https.

Upvotes: 1

Related Questions