What is the correct way to trigger OWIN cookie middleware set to passive authentication mode?

Question

I have been following the OAuth 2.0 Authorization Server sample code http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

As well as looking at the nugget package Microsoft.aspnet.identity.samples package (install-package Microsoft.aspnet.identity.samples -Pre)

and am trying to get my head around how passive vs. active cookie middleware works.

In the Authorization server example, the "Application" cookie is set to passive. In the Identity samples, "ApplicationCookie" is active.

When I read about this property, it explains that passive middleware is only triggered when requested by a matching AuthenticationType.

If I edit the startup.auth.cs file in the Microsoft.aspnet.identity.samples and set the application cookie to passive, then log in, it seems to validate, but doesn't log me in.

Digging deeper into the code, I see that the account controller boil down to a call to SignInHelper.SignInAsync

This method gets a claimsidentity from the user which is a call to: CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie)

I am obviously not understanding something, since from what I read and can tell, the cookie has the same AuthenticationType as the Claim, but when the Authentication.SignIn is called, the Cookie doesn't seem to get set and I am returned to the main page with options to register and login.

To duplicate the issue, start a new project empty asp.net application, then install the Identity sample package, then change startup.auth.cs's app.useCookieAuthentication to:

app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

I have tried changing the cookie name in the startup.auth.cs and adding the "custom" name to the code that generates the claim to no avail.

I am going to keep researching, but thought I would reach out to the community in the meantime.

score 3 · Answer 1 · answered May 03 '14 at 01:14

I'm not sure of the exact question you have.

OWIN is a pipeline that runs all the middleware modules registered. You can have multiple authentication types of middleware registered.

The cookie decrypts to the identity. If you change the authentication type to external bearer it will be a bearer token in the cookie.

I'm not sure why its not working for you, this is what I use. (I haven't looked at the external logins of the template)

   // Enable the application to use a cookie to store information for the signed in user
  app.UseCookieAuthentication(new CookieAuthenticationOptions
            {   
                //just to show bearer
                AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
                LoginPath = new PathString("/Account/Login"),
             }

Good explanation of active vs. passive, from Mr. Brock Allen himself.

Active vs Passive authentication middleware

One question that arises — if the new templates have multiple OWIN authentication middleware configured, then which one is really used? Well, OWIN authentication middleware has the concept of passive vs. active. Active middleware always look at every incoming request and attempt to authenticate the call and if successful they create a principal that represents the current user and assign that principal to the hosting environment. Passive middleware, on the other hand, only inspects the request when asked to. In the case of the default templates from Visual Studio 2013, all the middleware configured are all passive by default, except for the “main” cookie authentication middleware (turns out there are two cookie middlewares that get used in some templates — the main one and another one for external identity providers and this other one is marked as passive).

Hi William, Thanks for the this. I have read through Brock Allen's blog and posts on this a few times and am essentially trying to figure this statement out: "Passive middleware, on the other hand, only inspects the request when asked to." It seems the way to ask it to is to indicate the AuthenticationType, IE: WHen you create a claimsidentity you can pass it an authenticationtype. however when I do this, all my authentication code succeeds, but the cookie isn't set. I am trying to figure out what I need to do manually that active middleware does automatically. — Steve, May 03 '14 at 13:32
To add to the above, I know that when I change the line in the code in my post AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive to AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active everything works the same way except with Active the cookie is set after the authentication and I am logged in. Passive everything works but not cookie is set. I am trying to determine what a developer needs to do to trigger the cookie generation like an Active middleware would. — Steve, May 03 '14 at 13:38
Calling SignIn with a claims identity is what triggers the cookie generation, the active/passive mode should not affect the cookie generation at all I don't think — Hao Kung, May 05 '14 at 16:28
I'm having the problem. I use Bearer Token authentication for API calls, but also want to use Cookies to secure PDF resources. Bearer Token authentication works, I've followed at least a dozen examples of using OWIN Cookie Authentication, but I can't get the server to generate a cookie :s — SomethingOn, Nov 16 '15 at 18:35

score 1 · Answer 2 · answered Aug 17 '20 at 08:46

I arrived here because I was asking the same question. It turns out there is no correct way because it cannot be done. The Authentication middleware calls the "Invoke" method to test whether it should do anything in passive mode. In middleware such as the OpenIdConnect middleware, this method is over-ridden such that it checks the request path, and if it's the Options.RedirectUri then the the middleware does something, sets up the Response object to do something like a redirect and returns "true" to indicate that the request has been handled, and then the middleware stack is unwound and the response processed. The CookieAuthenticationMiddleware's Invoke method does nothing, it only returns 'false', which means that control is passed to the next middleware in the chain. So, the result is that CookieAuthenticationMiddleware cannot be used for authentication in passive mode. I found this blog post really helpful: https://chris.59north.com/post/Understanding-OWIN-(Katana)-Authentication-Middleware . Also, take a look at the Katana source code: https://github.com/aspnet/AspNetKatana

score 0 · Answer 3 · edited Oct 23 '17 at 13:59

0

page works fine when i comment below coding.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{

AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,

//LoginPath = new PathString("/Login"),

Provider = new CookieAuthenticationProvider(),

CookieName = "DefaultAuthenticationTypes",

CookieHttpOnly = true,              
ExpireTimeSpan = TimeSpan.FromHours(cookieActiveTime),

});

.

edited Oct 23 '17 at 13:59

Nigel Ren

56,122
11
43
55

answered Oct 23 '17 at 13:30

Ramachandran

41
2

hmmm, maybe. So ? – Mathieu VIALES Oct 23 '17 at 13:50

What is the correct way to trigger OWIN cookie middleware set to passive authentication mode?

3 Answers3