Reputation: 25
please bear with me: i am pretty new to all of this
i am working on integrating openid connect with a pair of applications developed by the company.
we are using custom/company specific openid connect libraries that are, i think, essentially wrappers around Microsoft.Owin.Security.OpenIdConnect and Owin.Security.OpenIdConnect.Server
in the idP application web.config, we have something like:
<location path="." inheritInChildApplications="false">
<authentication mode="Forms">
<forms loginUrl="~/Login" name="{....}" protection="All" path="/" slidingExpiration="true" requireSSL="false" defaultUrl="~/Home" cookieless="UseCookies" />
</authentication>
<authorization>
<deny users="?" />
<!-- denies anonymous users to all pages, except those defined under location nodes -->
</authorization>
</location>
plus a bunch of location nodes to allow/deny access to specific pages/resources
the problem is that when the openid connect stuff tries to access /.well-known/openid-configuration when the user is not logged in (or, it seems in the process of logging in), the response is a 302 redirect to the login page
obviously this is causing problems when a JSON response is expected
i have tried adding a location node to the web.config:
<location path="~/.well-known/openid-configuration">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
(i also tried with path = "~/.well-known")
but i am still getting redirected to the login page
to be clear, there is no actual directory /.well-known in the idP application; the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server.
Upvotes: 2
Views: 1460
Reputation: 42020
the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server
Yes, it is.
Try calling app.UseStageMarker(PipelineStage.Authenticate) immediately after registering the OIDC server middleware to prevent ASP.NET from applying the authorization policies before it has a chance to be invoked:
app.UseOpenIdConnectServer(options => {
    options.AllowInsecureHttp = true;
});
app.UseStageMarker(PipelineStage.Authenticate);
Note that you shouldn't need an exception for ~/.well-known/openid-configuration in your web.config when using app.UseStageMarker().
Upvotes: 1
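The ordering the answer describes, written out as a full OWIN Startup class (an added example, not the answer's own code or the library's sample). The endpoint paths, the namespace and the AllowInsecureHttp value are assumed for illustration; the point is the stage marker placed directly after the OIDC server middleware.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Extensions;   // UseStageMarker and PipelineStage live here
using Owin;
using Owin.Security.OpenIdConnect.Server;

[assembly: OwinStartup(typeof(IdpApp.Startup))]

namespace IdpApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Register the OIDC server middleware. The discovery document at
            // /.well-known/openid-configuration is generated by this middleware
            // at request time; there is no such directory or file on disk.
            // Endpoint paths below are assumed values for this example.
            app.UseOpenIdConnectServer(options =>
            {
                options.AuthorizationEndpointPath = new PathString("/connect/authorize");
                options.TokenEndpointPath = new PathString("/connect/token");
                options.AllowInsecureHttp = true; // development only, as in the answer
            });

            // Without this marker, OWIN middleware runs at the PreHandlerExecute
            // stage of the IIS integrated pipeline, i.e. AFTER UrlAuthorizationModule
            // has already enforced <deny users="?"/> and Forms authentication has
            // turned the resulting 401 into a 302 to ~/Login. Pinning everything
            // registered above to the Authenticate stage makes the OIDC server run
            // before URL authorization, so the discovery JSON is returned whether
            // or not the browser holds a Forms cookie. Middleware registered after
            // this line is unaffected and keeps the default stage.
            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }
}
```

To confirm the fix, request the discovery URL without a Forms cookie (for example with curl -i) and check for a 200 with a JSON body instead of a 302 Location: /Login.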
Reputation: 13
I'm fairly new too but I think you put a path to a .aspx page in the location and the rest is inherited. Just change deny to allow users with the asterisk. Also make sure the web.config is in the directory. Sounds like you do but in well-known should be the web.config with allow all users.
<?xml version="1.0"?>
<configuration>
  <location path="Manage.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Upvotes: 0