Reputation: 33
I have two ASP.NET (4.8) WebForms web apps on the same IIS server, two different applications with two different AppPools. Call them WebappA and WebappB. Both web apps have been configured with Entra ID, with role-based authorization. (Of course they are two separate apps in Entra.)
The problem is: if a user logs in to WebappA, WebappB sees WebappA's roles and claims. The user deletes the browser cache, logs in to WebappB, and then WebappA sees B's roles. I check the role with the following C# method:

    ClaimsPrincipal.Current.IsInRole(Role);

I listed all the claims, but it looks like the last logged-in web app supplies the claims. My Startup.cs looks like this for WebappA, and the same for WebappB with a different ClientID and URLs, of course:
    public class Startup
    {
        public string ClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        public string redirectUri = "https://webappAsredirecturi";
        public string postlogout = "https://webappAslogout";
        public string metadataAddress = "https://login.microsoftonline.com/";

        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
            var hubConfiguration = new HubConfiguration();
            hubConfiguration.EnableDetailedErrors = true;
            app.MapSignalR();
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            // Includes personal data (token contents) in IdentityModel error messages; development only.
            IdentityModelEventSource.ShowPII = true;
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            // Default options: AuthenticationType "Cookies", cookie name ".AspNet.Cookies", cookie path "/".
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
            app.UseOpenIdConnectAuthentication(CreateOptions());
            app.UseStageMarker(PipelineStage.Authenticate);
        }

        public OpenIdConnectAuthenticationOptions CreateOptions()
        {
            var option = new OpenIdConnectAuthenticationOptions();
            option.MetadataAddress = "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration";
            option.RedirectUri = redirectUri;
            option.PostLogoutRedirectUri = postlogout;
            option.ClientId = ClientID;
            option.Scope = "openid email profile";
            // Hybrid flow: id_token is returned with the authorization code.
            option.ResponseType = "code id_token";
            option.ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            option.Authority = "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            return option;
        }
    }
What am I doing wrong? Other apps on the same server that use Entra do not interfere, but those are .NET 7 sites, not the same framework. Thank you!
Upvotes: 0
Views: 34
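The OWIN cookie middleware keys the session cookie on its name and path, and `new CookieAuthenticationOptions()` leaves both at their defaults (`.AspNet.Cookies` and `/`), so two applications served from the same host name read and write one and the same cookie. The block below is an added example, not code from the question or from Microsoft: it shows the default configuration beside one that gives each application its own cookie name and path. The host layout (both apps on one host name, under the virtual paths `/WebappA` and `/WebappB`) and the `appName`/`appVirtualPath` parameters are assumptions for illustration.

```csharp
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example (not the poster's code). Assumes both applications share a host
// name and live under /WebappA and /WebappB; those paths are assumptions.
public static class CookieIsolationExample
{
    // Default: every OWIN app on this host that does this shares one cookie.
    // Equivalent to AuthenticationType = "Cookies",
    //               CookieName = CookieAuthenticationDefaults.CookiePrefix + "Cookies" (".AspNet.Cookies"),
    //               CookiePath = "/".
    public static CookieAuthenticationOptions SharedDefaultCookie()
    {
        return new CookieAuthenticationOptions();
    }

    // Isolated: a distinct name and path per application, so the browser never
    // presents WebappA's ticket to WebappB or vice versa.
    public static CookieAuthenticationOptions IsolatedCookie(string appName, string appVirtualPath)
    {
        return new CookieAuthenticationOptions
        {
            // Unchanged, so SetDefaultSignInAsAuthenticationType("Cookies") still matches.
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieName = CookieAuthenticationDefaults.CookiePrefix + appName, // e.g. ".AspNet.WebappA"
            CookiePath = appVirtualPath,                                      // e.g. "/WebappA"; use "/" only if the app has its own host name
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always                          // the redirect URIs are https, so never send it in clear
        };
    }

    // Wiring for one application; the OIDC options are built elsewhere exactly as in the question.
    public static void ConfigureAuth(IAppBuilder app, string appName, string appVirtualPath,
                                     OpenIdConnectAuthenticationOptions oidc)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(IsolatedCookie(appName, appVirtualPath));
        app.UseOpenIdConnectAuthentication(oidc);
    }
}

// In WebappA's Startup.Configuration (assumed names):
//   CookieIsolationExample.ConfigureAuth(app, "WebappA", "/WebappA", CreateOptions());
// and in WebappB's:
//   CookieIsolationExample.ConfigureAuth(app, "WebappB", "/WebappB", CreateOptions());
```

To confirm the change, sign in to each application and inspect the `Set-Cookie` response header in the browser's developer tools: each application should set a cookie with its own name, and a sign-in to one should no longer change `ClaimsPrincipal.Current` in the other. Separately, the fact that one AppPool could read a ticket written by the other indicates that the two applications protect cookies with the same ASP.NET `machineKey`; that is not the cause of the mix-up, but it is worth knowing if the applications are meant to be isolated from each other.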