ASP.NET MVC - Same authentication between two applications

Question

I have created two MVC applications that share the same authentication. In the applications I'm using different user roles that can be assigned to every user. When I log in as an administrator, everything works fine, I log in to the first application and the same cookie is used to log in to the second application, no login prompts involved.

When I log in as a user with a different role assigned to them, the login screen pops up again after logging in to the first application and it doesn't go away, even if I log in there also.

The applications are both on the same IIS server. The machine key is configured correctly in IIS server (obviously, since it works if I log in as a user with the administrator role assigned) and here is the code in Startup.Auth.cs for both applications:

1st Application:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "DefaultCookie",
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

2nd Application:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "DefaultCookie",
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("./Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
        OnApplyRedirect = ApplyRedirect
    },
});

private static void ApplyRedirect(CookieApplyRedirectContext context)
{
    Uri absoluteUri;
    if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
    {
        var path = PathString.FromUriComponent(absoluteUri);
        Trace.WriteLine(path);
        if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
            context.RedirectUri = "/Account/Login" +
                new QueryString(
                    context.Options.ReturnUrlParameter,
                    context.Request.Uri.AbsoluteUri);
    }
    context.Response.Redirect(context.RedirectUri);
}

Does anyone know why this is happening and what I can do to fix it?

Answer 1

This is an authorization issue, not an authentication issue. If you can share the login at all, i.e. in the case of your admin user, then everything is fine on that front. However, the user's role must be authorized to access the controller/action or they will still be redirected to the login page, even though they are already authenticated. This is intended as an opportunity for them to re-authenticate with an account with the appropriate privileges, since the one they used apparently does not have access.

Long an short, you need to ensure that whatever controller(s)/action(s) you want the user to be able to access allow the role that is assigned to them.