How to change ".AspNetCore.Identity.Application" cookie expiration? - authentication

I'm using ASP.NET Core with Identity Server and Open Id Connect as described here. I need to change the time of authentication cookie expiration when the Remember Me option is set (14 days by default). I can see that the cookie named ".AspNetCore.Identity.Application" is responsible for that. I'm trying to set the expiration like this:
.AddCookie(options =>
{
options.Cookie.Expiration = TimeSpan.FromDays(1);
options.ExpireTimeSpan = TimeSpan.FromDays(1);
})
But it affects another cookie named ".AspNetCore.Cookies" (containing the same token value), which has Session expiration and doesn't seem to do anything. All the ways to change expiration that I found modify only the ".AspNetCore.Cookies" cookie, I couldn't find any way to modify the ".AspNetCore.Identity.Application" cookie. (By the way, the services.ConfigureApplicationCookie method isn't triggered for me at all for some reason).
Could anyone please explain what is the difference between these two cookies and how can I modify the ".AspNetCore.Identity.Application" expiration?
My code in Startup.ConfigureServices
services.AddMvc(options =>
{
// ...
})
services.AddAuthorization(options =>
{
options.AddPolicy(PolicyNames.UserPolicy, policyBuilder =>
{
// ...
});
});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
})
.AddCookie(options =>
{
options.AccessDeniedPath = "/AccessDenied";
options.SlidingExpiration = true;
})
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Authority = "<authority>";
options.RequireHttpsMetadata = false;
options.ClientId = "<id>";
options.ClientSecret = "<secret>";
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
// ...
});
services.ConfigureApplicationCookie(options =>
{
options.Cookie.Name = "MyCookie";
options.Cookie.Expiration = TimeSpan.FromDays(1);
options.ExpireTimeSpan = TimeSpan.FromDays(1);
});

As Kirk Larkin said ".AspNetCore.Identity.Application" cookie is probably set by the Identity Server application that make use of Asp.Net Identity.
So if you want to manage the user session on the IS4 app you need to configure it there.
IS4 application: ".AspNetCore.Identity.Application" cookie.
If you use Identity to configure the cookie as persistent you need to set the expiration when you sign in the user.
var props = new AuthenticationProperties {
IsPersistent = true,
ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration)
};
await HttpContext.SignInAsync(userId, userName, props);
If you don't set IsPersistent=true then the cookie has session lifetime and you can set the contained authentication ticket expiration like this:
.AddCookie(options => {
options.Cookie.Name = "idsrv_identity";
options.ExpireTimeSpan = TimeSpan.FromHours(8);
options.SlidingExpiration = true;
});
Your client application: : ".AspNetCore.Cookies" cookie.
services.ConfigureApplicationCookie isn't called because if you use .AddCookie(...) this takes the precedence. The options are the same.
This set the app cookie as session.
.AddCookie(options => {
options.Cookie.Name = "myappcookie";
options.ExpireTimeSpan = TimeSpan.FromHours(8);
options.SlidingExpiration = true;
});
A way to make the app cookie persistent using OIDC is to set the expiration in the OnSigningIn event in AddCookie.
options.Events.OnSigningIn = (context) =>
{
context.CookieOptions.Expires = DateTimeOffset.UtcNow.AddDays(30);
return Task.CompletedTask;
};
A note about user session.
Every situation is different, so there isn't a best solution, but remember that you have to take care of two user session. One on the IS4 app and one on your client app. These can go out of sync. You need to think if a persistent user session on your client app make sense. You don't want that your user remains logged in your client app when the central SSO (single sign-on) session is expired.

After scrambled through the both AspNetCore 3.1 & IdentityServer 4.0.4 repo,
I found the working way to set default authentication cookie option .
TD;LR:
// in Startup.ConfigureService(IServiceCollection services)
services.PostConfigure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme, option =>
{
option.Cookie.Name = "Hello"; // change cookie name
option.ExpireTimeSpan = TimeSpan.FromSeconds(30); // change cookie expire time span
});
Full Setup:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddRazorPages();
// cookie policy to deal with temporary browser incompatibilities
services.AddSameSiteCookiePolicy();
services.AddDefaultAllowAllCors();
// setting up dbcontext for stores;
services.AddDbContext<ApplicationDbContext>(ConfigureDbContext);
services
.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.SignIn.RequireConfirmedAccount = true;
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultUI()
.AddDefaultTokenProviders();
// read clients from https://stackoverflow.com/a/54892390/4927172
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseSuccessEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.UserInteraction.LoginUrl = "/identity/account/login";
options.IssuerUri = _configuration.GetValue<string>("IdentityServer:IssuerUri");
})
.AddAspNetIdentity<ApplicationUser>()
.AddDeveloperSigningCredential()
.AddConfigurationStore<ApplicationConfigurationDbContext>(option => option.ConfigureDbContext = ConfigureDbContext)
.AddOperationalStore<ApplicationPersistedGrantDbContext>(option => { option.ConfigureDbContext = ConfigureDbContext; })
.AddJwtBearerClientAuthentication()
.AddProfileService<ApplicationUserProfileService>();
services.PostConfigure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme, option =>
{
option.Cookie.Name = "Hello";
option.ExpireTimeSpan = TimeSpan.FromSeconds(30);
});
services.AddScoped<Microsoft.AspNetCore.Identity.UI.Services.IEmailSender, EmailSender>();
services.Configure<SmsOption>(_configuration);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
// use this for persisted grants store
InitializeDatabase(app);
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseDefaultAllowAllCors();
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseStatusCodePages(async context =>
{
var response = context.HttpContext.Response;
if (response.StatusCode == StatusCodes.Status401Unauthorized ||
response.StatusCode == StatusCodes.Status403Forbidden)
response.Redirect("/identity/account/login");
if (context.HttpContext.Request.Method == "Get" && response.StatusCode == StatusCodes.Status404NotFound)
{
response.Redirect("/index");
}
});
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
endpoints.MapRazorPages();
});
}

Adding this line before services.AddAuthentication is what worked for me eventually with IS4, taken from this github issue:
services.ConfigureApplicationCookie(x =>
{
x.ExpireTimeSpan = TimeSpan.FromDays(1);
});

I followed the sample AuthSamples.Cookies of the Github aspnetcore sources.
public void ConfigureServices(IServiceCollection services)
{
...
// Example of how to customize a particular instance of cookie options and
// is able to also use other services.
services.AddSingleton<IConfigureOptions<CookieAuthenticationOptions>, ConfigureMyCookie>();
}
internal class ConfigureMyCookie : IConfigureNamedOptions<CookieAuthenticationOptions>
{
// You can inject services here
public ConfigureMyCookie()
{
}
public void Configure(string name, CookieAuthenticationOptions options)
{
// Identityserver comes with two cookies:
// Identity.Application
// Identity.External
// you can change the options here
{
options.ExpireTimeSpan = TimeSpan.FromHours(8);
}
}
public void Configure(CookieAuthenticationOptions options)
=> Configure(Options.DefaultName, options);
}

Related

Asp.net core Microsoft OIDC library OnAuthorizedCode recieved event getting fired twice

I have an OIDC application, which was giving me a correlation error for some time. We have managed to resolve it by passing the correlation cookie properly. Our infrastructure has the following network topology.
Openshift Container(OIDC App) -> Reverser Proxy/Api gateway -> Identity Provider.
If we use boilerplate code, the callback path picks up the host of open shift, hence the redirection not working correctly. We are now building the URL on the event onRedirectToIdentitityProvider.
We are also using OnAuthorizationCodeReceived event to make the /Token call as the default configuration was not working out.
We get callback properly with Authorization code but we see onAuthorizationCodeRecieved getting fired twice. This is happening only in the test environment with the reverse proxy setup. In the development box, there is no issue but it does not have the reverse proxy set up(Now, a reverse proxy is just a passthrough so not sure how that could break things).
Code Snippet Below
public void ConfigureServices(IServiceCollection services)
{
string _authorityAPI = Configuration.GetValue<string>("authority");
string _org = Configuration.GetValue<string>("orgDomain");
string clientId = Configuration.GetValue<string>("ClientId");
string clientSecret = Configuration.GetValue<string>("ClientSecret");
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
options.Secure = CookieSecurePolicy.Always;
options.HandleSameSiteCookieCompatibility();
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.LoginPath = "/Profile/Index/";
options.LogoutPath = "/Profile/Logout/";
})
.AddOpenIdConnect(options =>
{
options.ClientId = clientId;
options.ClientSecret = clientSecret;
options.Authority = Configuration.GetValue<string>("Authority");
options.CallbackPath = "/web/auth/callback";
options.ResponseType = OpenIdConnectResponseType.Code;
options.MetadataAddress = string.Format("{0}/.well-known/openid-configuration", _authorityAPI);
options.TokenValidationParameters.ValidateIssuer = false;
//options.GetClaimsFromUserInfoEndpoint = true;
options.RequireHttpsMetadata = true;
options.SaveTokens = true;
options.Scope.Add("openid");
options.Scope.Add("email");
options.Scope.Add("profile");
options.NonceCookie.SameSite = SameSiteMode.None;
options.CorrelationCookie.SameSite = SameSiteMode.None;
options.NonceCookie.Path = "/";
options.CorrelationCookie.Path = "/";
options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(options.MetadataAddress, new ApiGatewayRetriever(_authorityAPI, _org));
options.Events = new OpenIdConnectEvents()
{
OnRedirectToIdentityProvider = (context) =>
{
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
{
context.ProtocolMessage.Parameters.Clear();
context.ProtocolMessage.IssuerAddress = centralLogin + "?RedirectURL=https://" + GetRequestHostName(context, Configuration);
return Task.FromResult(0);
}
return Task.FromResult(0);
}
,
OnAuthorizationCodeReceived = authorizationCtx =>
{
try
{
BellLogger.WriteLog("OnAuthorizationCodeReceived start:" + authorizationCtx.TokenEndpointRequest.Code, Framework.Common.LogType.Info);
HttpClient httpClient = new HttpClient();
TokenClientOptions tokenClientOptions = new TokenClientOptions()
{
ClientId = clientId,
ClientSecret = clientSecret,
Address = string.Format("{0}/v1/token", _authorityAPI)
};
var tokenClient = new TokenClient(httpClient, tokenClientOptions);
var tokenResponse = await tokenClient.RequestAuthorizationCodeTokenAsync(authorizationCtx.TokenEndpointRequest.Code, authorizationCtx.TokenEndpointRequest.RedirectUri).Result;
authorizationCtx.HandleCodeRedemption(tokenResponse.AccessToken, tokenResponse.IdentityToken);
}
catch (Exception ex)
{
Logger.WriteLog(ex, Framework.Common.LogType.Error);
}
return Task.FromResult(0);
}
};
});
services.AddSession(options =>
{
options.Cookie.Name = ".lLogin.Session";
options.IdleTimeout = TimeSpan.FromSeconds(10);
options.Cookie.IsEssential = true;
});
services.ConfigureApplicationCookie(options =>
{
options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
});
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.All;
});
services.AddControllersWithViews();
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
}
private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{
if (options.SameSite == SameSiteMode.None)
{
var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
// TODO: Use your User Agent library of choice here.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6") || userAgent.Contains("Chrome/9"))
{
// For .NET Core < 3.1 set SameSite = (SameSiteMode)(-1)
options.SameSite = SameSiteMode.Unspecified;
}
}
}
app.UseHttpsRedirection();
app.UseStaticFiles();
//app.UseAntiXssMiddleware();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseRouting();
app.UseSession();
app.UseAuthorization();
app.UseForwardedHeaders();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
This may not be the answer to the above question, however we solved the problem.
We removed all the custom implementation of events including onAuthorizationCodeReceived.
The issue with the default configuration was, when the reverse proxy routes the call to the OCP environment, the host header was getting added as of the OCP. Reverse proxy added the header of the proper host and then everything started working fine. Host header was the important value.
This might be a redirect issue and it is worth understanding things in terms of URLs rather than C# code. A response to the authorization code flow looks something like this:
https://myapp.com?code=xxx&state=yyy
It is possible that the reverse proxy - or the web server - or the openid provider - expects the response to have (or not have) a trailing backslash. Eg the first URL causes a redirect to the second:
https://myapp.com?code=xxx&state=yyy
https://myapp.com/?code=xxx&state=yyy
I would put some log statements in OnAuthorizationCodeReceived and maybe also trace browser / HTTP traffic to see if this type of thing is happening.

Authentication in .NET Core 3.1: Default options provide too little control and don't work as expected

I am working with Identity and JWT auth in .NET Core 3.1. I will be adding Open Id in the future. The problem I am facing now is that I have too little control over the authentication pipeline. The pipeline makes some decisions for you, such as when to re-direct to the login. For example, for Identity authentication, when you emit a 401 status it will attempt to re-direct to /login - even if you specified a different page in the cookie configuration. Surprisingly, JWT auth has the same problem - even when the only policy supplied is the Bearer policy and the controller is tagged with the ApiController attribute.
[Authorize(AuthenticationSchemes = Schemes.Bearer)]
I want full control over the pipeline and the response. What is the best way to achieve this by utilizing as much of the built in tools as possible? I do not wish to write my own JWT validating code, rather use the validation as I configured it.
This is how I configure JWT. OnAuthenticationFailed. The callback to set the headers manually never runs.
//piranha
services.AddPiranha(options =>
{
options.UseFileStorage(naming: Piranha.Local.FileStorageNaming.UniqueFolderNames);
options.UseImageSharp();
options.UseManager();
options.UseTinyMCE();
options.UseMemoryCache();
options.UseEF<SQLiteDb>(db =>
db.UseSqlite("Filename=./Data/emurse-piranha.db"));
options.UseIdentityWithSeed<IdentitySQLiteDb>(db =>
db.UseSqlite("Filename=./Data/emurse-piranha.db"),
identityOptions =>
{
// Password settings
identityOptions.Password.RequireDigit = false;
identityOptions.Password.RequiredLength = 6;
identityOptions.Password.RequireNonAlphanumeric = false;
identityOptions.Password.RequireUppercase = false;
identityOptions.Password.RequireLowercase = false;
identityOptions.Password.RequiredUniqueChars = 1;
// Lockout settings
identityOptions.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
identityOptions.Lockout.MaxFailedAccessAttempts = 10;
identityOptions.Lockout.AllowedForNewUsers = true;
// User settings
identityOptions.User.RequireUniqueEmail = true;
},
cookieOptions =>
{
cookieOptions.Cookie.HttpOnly = true;
cookieOptions.ExpireTimeSpan = TimeSpan.FromMinutes(30);
cookieOptions.LoginPath = "/manager/login";
cookieOptions.AccessDeniedPath = "/manager/login";
cookieOptions.SlidingExpiration = true;
var defaultAction = cookieOptions.Events.OnRedirectToLogin;
cookieOptions.Events.OnRedirectToLogin = (context) =>
{
if (context.Request.Path.Value.StartsWith("/api"))
{
response.StatusCode = 401;
response.BodyWriter.WriteAsync(new ReadOnlyMemory<byte>
(Encoding.ASCII.GetBytes("unauthorized.")));
return Task.CompletedTask;
}
else
{
return defaultAction(context);
}
};
});
//turn off for prod
options.AddRazorRuntimeCompilation=true;
});
//JWT
services.AddAuthentication(Schemes.Bearer)
.AddApplicationJwt(Configuration);
public static AuthenticationBuilder AddApplicationJwt(this AuthenticationBuilder builder, IConfiguration config)
{
builder.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
var issuer = config["Jwt:Issuer"];
var key = config["Jwt:Key"];
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = issuer,
ValidAudience = issuer,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
};
//Never executes
options.Events= new JwtBearerEvents()
{
OnAuthenticationFailed = ((context) => {
response.StatusCode = 401;
response.BodyWriter.WriteAsync(new ReadOnlyMemory<byte>
(Encoding.ASCII.GetBytes("unauthorized.")));
return Task.CompletedTask;
}),
};
});
return;
}
The app is then configured using mostly default options:
app.UseAuthorization();
app.UsePiranha(options =>
{
options.UseTinyMCE();
//default Auth middleware
options.UseIdentity();
app.UseCors(x => x
.AllowAnyMethod()
.AllowAnyHeader()
.SetIsOriginAllowed(origin => true) //TODO: remove for production
.AllowCredentials());
//use Piranha manager
options.UseManager();
});
Thanks to #Xerillio, I've figured out the root cause of my problem. After digging into the source code, I had a better understanding of what the extension methods are doing under the hood.
UseAuthentication adds the Authentication middleware. But UseIdentity also does this, and UseIdentity is obsolete. Infact, ALL UseIdenitity does is call UseAuthentication.
app.UseStaticFiles();
app.UsePiranha();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UsePiranhaIdentity();
//TODO: remove for production
app.UseCors(x => x
.AllowAnyMethod()
.AllowAnyHeader()
.SetIsOriginAllowed(origin => true)
.AllowCredentials());
app.UsePiranhaManager();
app.UsePiranhaTinyMCE();

ASP.Net Core application redirecting to /Account/Login even after implementing IdentityServer

I have created a simple Identity Server and now trying to authenticate a .Net Core application.
Even after configuring the Startup.cs, when I run the solution, the system is still navigating to /Account/Login;
I am expecting the system to navigate to Identity Server.
Below is my Startup.cs code.
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultAuthenticateScheme = "oidc";
}).AddCookie(options =>
{
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.Name = "identitycookie";
}).AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://localhost:44123/identity";
options.ClientId = "wp7jfcxEHaRE8DUIZka";
options.ResponseType = "id_token token";
options.SaveTokens = true;
options.SignInScheme = "Cookies";
options.Configuration = new OpenIdConnectConfiguration
{
AuthorizationEndpoint =
"https://localhost:44123/identity/connect/authorize",
TokenEndpoint =
"https://localhost:44123/identity/connect/token"
};
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc();
}
Could somebody let me know what I am doing wrong.
Thanks in advance
Use below code :
options.DefaultChallengeScheme = "oidc";
Instead of :
options.DefaultAuthenticateScheme = "oidc";
That will challenge oidc scheme and make user redirect to an external authentication provider.
Solution by Nan Yu works well.
An alternative is to set CookieAuthenticationOptions.ForwardChallenge. This way, even if Challenge is triggered on default "Cookies" scheme, it will be forwarded to "oidc" scheme:
.AddCookie(options =>
{
// [...]
options.ForwardChallenge = "oidc";
})

Asp.net Core 2 with IdentityServer4 - Redirect to Login after cookie expiration

I have an Asp.net Core 2.2 MVC application that authenticates using an IdentityServer4 server.
It is configured as you can see on the bottom, with really short times for quick testing.
The desired behavior is:
Login (suppose without the "remember me checked")
Do things...
Wait until the session expires
On the next navigation click redirect on the login page for a new interactive sign-in
I supposed I must work on cookies and session server side, but my first doubt is that I have to work more with id_token.
Anyway the current behavior is:
Login without the "remember me checked"
Wait until the session expires
Click on a dummy page and I see that the session is empty (as expected) -> The login is available on the top menu
So I click on login -> No login page showed -> a new session server side is available and in the browser there is a new value of ".AspNetCore.Cookies" but the same for ".AspNetCore.Identity.Application" and "idsrv.session".
If I logout, the cookie client side is correctly removed, so at the next login shows the expected credential form.
What I'm doing wrong?
Is it correct to try to get a new interactive sign-in checking the cookie expiration?
Do I have to follow another way working on the ids (id_token) objects?
CODE
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton<IConfiguration>(Configuration);
services.Configure<CookiePolicyOptions>(options =>
{
options.MinimumSameSitePolicy = SameSiteMode.None;
});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options =>
{
options.SlidingExpiration = true;
options.ExpireTimeSpan = TimeSpan.FromSeconds(30);
})
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = Configuration.GetValue<string>("IdentitySettings:Authority");
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.SaveTokens = true;
options.Events.OnTicketReceived = async (context) =>
{
context.Properties.ExpiresUtc = DateTime.UtcNow.AddSeconds(30);
};
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment() || env.IsStaging())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
}
app.UseAuthentication();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
EDIT
The logout is done as following
public async void OnPost()
{
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc",
new AuthenticationProperties
{
RedirectUri = "http://localhost:5002"
});
}

_signInManager.GetExternalLoginInfoAsync() always returns null with open id to azure ad

Why does the signinmanager getexternallogininfoasync method always returning null?
I am using VS2015 with the default asp.net core (not framework) project for MVC with individual user accounts (this is a requirement). The purpose of using third party login is to allow users to self register. Role based authorization will be handled by asp.net identity using the identity provided from registering through Azure AD.
Correct me if the following interpretation of the signin in manager is incorrect. This method should provide details on the external login and return a claimsprincipal object which contains the claims provided by the user by the identity provider.
I have used the following guide for setting up OpenIdConnectAuthentication in my Startup.cs (class section below)
https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-openidconnect/
When I launch the external login provider, it directs me to the organization login page and succeeds.
However the variable info which should be populated by the signinmanager method is null
if I put a breakpoint into the callback class the User is populated and the IsAuthenticated variable is true.
I could drive the functionality of allowing the user to register in the app myself, however, this is my first attempt at implementing third party login and I would like to understand what I am doing wrong as this point.
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
// Add framework services.
services.AddApplicationInsightsTelemetry(Configuration);
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
// Add Authentication services.
services.AddAuthentication(sharedOptions => {
sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
//services.AddDistributedMemoryCache();
//services.AddSession();
services.AddMvc();
// Add application services.
services.AddTransient<IEmailSender, AuthMessageSender>();
services.AddTransient<ISmsSender, AuthMessageSender>();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseApplicationInsightsRequestTelemetry();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseApplicationInsightsExceptionTelemetry();
app.UseStaticFiles();
app.UseIdentity();
// Configure the OWIN pipeline to use cookie auth.
app.UseCookieAuthentication( new CookieAuthenticationOptions());
//Add external authentication middleware below.To configure them please see http://go.microsoft.com/fwlink/?LinkID=532715
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
CallbackPath = "/signin-oidc",
ClientId = Configuration["AzureAD:ClientId"],
Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]),
ResponseType = OpenIdConnectResponseType.IdToken,
PostLogoutRedirectUri = Configuration["AzureAd:PostLogoutRedirectUri"],
Events = new OpenIdConnectEvents
{
//OnRemoteFailure = OnAuthenticationFailed,
}
});
//app.UseSession();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
External Login
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{
// Request a redirect to the external login provider.
var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl });
var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
return Challenge(properties, provider);
}
There have been multiple reported issues with this method producing a null value in the past. This does not happen with any of the supported authentication methods that are supplied out of the box. This is a problem at least with using OAuth with azure AD and following the supplied method in the post. However, there is a workaround that still allows for the use of the default project type. Simply replace the method that produces the ExternalLoginInfo variable (info) with a roll your own ExternalLoginInfo class constructed using the User principle.
ExternalLoginInfo info = new ExternalLoginInfo(User,
"Microsoft",
User.Claims.Where(x=>x.Type== "http://schemas.microsoft.com/identity/claims/objectidentifier").FirstOrDefault().Value.ToString(),
"Microsoft" );
ASP.NET MVC 5 (VS2013 final): Facebook login with OWIN fails (loginInfo is null)
MVC 5 Owin Facebook Auth results in Null Reference Exception
http://blogs.msdn.com/b/webdev/archive/2013/10/16/get-more-information-from-social-providers-used-in-the-vs-2013-project-templates.aspx
I had a similar problem using the OpenIdConnect middleware - I finally fixed it by changing ResponseType to OpenIdConnectResponseType.CodeIdToken (it was being set to 'Code').
Here's a link to my Startup.Auth.vb source:
OWIN OpenID provider - GetExternalLoginInfo() returns null
In my case, I needed to explicitly pass null for cookieScheme when adding it on startup, as discussed in this github issue: https://github.com/AzureAD/microsoft-identity-web/issues/133
services.AddAuthentication(idp.LoginProvider).AddMicrosoftIdentityWebApp(
o => {
o.Instance = config.Instance;
o.Domain = config.Domain;
o.ClientId = config.ClientId;
o.TenantId = config.TenantId;
o.CallbackPath = config.CallbackPath;
o.SignInScheme = IdentityConstants.ExternalScheme;
o.SignOutScheme = IdentityConstants.ExternalScheme;
},
openIdConnectScheme: idp.LoginProvider,
cookieScheme: null // YAR
);
Try after removing SignInScheme
In my case I'm using Github's OAuth to log in. I had to add two things in order for the _signinManager.GetExternalLoginInfoAsync() to not return null and for the [Authorize] attribute to work for users who log in using Github.
I had to add this for Authentication:
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
// options.DefaultChallengeScheme = "oidc";
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie(CookieAuthenticationDefaults.AuthenticationScheme,
options =>
{
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
options.Cookie.IsEssential = true;
});
And then inside the section where I'm actually adding the Github oauth, I had to add the following:
options.SignInScheme = "Identity.External";
So the whole section for Github oauth for me looks like this:
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
// options.DefaultChallengeScheme = "oidc";
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie(CookieAuthenticationDefaults.AuthenticationScheme,
options =>
{
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
options.Cookie.IsEssential = true;
});
services.AddAuthentication().AddOAuth("GitHub", options =>
{
var key = _env.EnvironmentName == Production ? "GitHubProd" : "GitHub";
options.ClientId = Configuration[$"{key}:ClientId"];
options.ClientSecret = Configuration[$"{key}:ClientSecret"];
options.CallbackPath = new PathString("/github-oauth");
options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
options.TokenEndpoint = "https://github.com/login/oauth/access_token";
options.UserInformationEndpoint = "https://api.github.com/user";
options.SaveTokens = true;
options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
options.ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
options.ClaimActions.MapJsonKey("urn:github:login", "login");
options.ClaimActions.MapJsonKey("urn:github:url", "html_url");
options.ClaimActions.MapJsonKey("urn:github:avatar", "avatar_url");
options.Scope.Add("repo");
options.Scope.Add("repo_deployment");
options.Scope.Add("repo:status");
options.Scope.Add("write:repo_hook");
options.Scope.Add("read:repo_hook");
options.Scope.Add("notifications");
options.Scope.Add("read:repo_hook");
options.Scope.Add("user");
// NEW LINE HERE
options.SignInScheme = "Identity.External";
// save oauth token to cookie
options.Events = new OAuthEvents
{
OnCreatingTicket = async context =>
{
var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken);
var response = await context.Backchannel.SendAsync(request,
HttpCompletionOption.ResponseHeadersRead, context.HttpContext.RequestAborted);
response.EnsureSuccessStatusCode();
var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
context.RunClaimActions(json.RootElement);
}
};
});
why aren't you using the built in microsoftaccountauthentication. There is a tutorial on that here.
https://www.benday.com/2016/05/14/walkthrough-asp-net-core-1-0-mvc-identity-with-microsoft-account-authentication/
This is similar to the google and Facebook authorization classes.