
I need help configuring my ASP.NET Web API application to use cookie authentication. This is what my OWIN startup configuration looks like:

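/// <summary>
/// Registers the OWIN authentication pipeline: a per-request EF context and
/// user manager, the application cookie, the external sign-in cookie and the
/// OAuth bearer-token server.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
public void ConfigureAuth(IAppBuilder app)
{
    // One DbContext and one UserManager per request; controllers resolve them
    // through the OWIN context.
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        // This value ("ApplicationCookie") is the one SignIn/SignOut in the
        // account controller must use; a SignOut with any other
        // authentication type is silently ignored by this middleware.
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        // Always set the Secure flag. SameAsRequest issues the session cookie
        // without it when the request arrived over plain HTTP, and the cookie
        // can then be replayed by anyone who can observe the connection.
        CookieSecure = CookieSecureOption.Always,
    });

    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        // 14 days is a long lifetime for a bearer token that cannot be
        // revoked server-side; kept as-is, but worth revisiting.
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        // Require TLS on /Token: the password travels in the request body and
        // the bearer token in the response. Set to true only for local HTTP
        // debugging, never in a deployed build.
        AllowInsecureHttp = false
    };

    app.UseOAuthBearerTokens(OAuthOptions);
}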

My login api route is:

[Route("Login")]
[HttpPost]
[AllowAnonymous]
public IHttpActionResult Login(RegisterBindingModel model)
{
    var user = UserManager.Find(model.Username, model.Password);

    if (user != null)
    {
        Authentication.SignOut();
        var identity = UserManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(ClaimTypes.Role, "IsAdmin"));
        Authentication.SignIn(new AuthenticationProperties() { IsPersistent = true }, identity);

        return Ok("Success");
    }

    return Ok();
}

Calling Login returns a cookie named .AspNet.ApplicationCookie, but when I call the Logout action:

[Route("Logout")]
[HttpPost]
public IHttpActionResult Logout()
{               
    Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
    return Ok();
}

the request is rejected with a 401 whose body is: Authorization has been denied for this request

What am I doing wrong?

Note: I decorated the controller with the [Authorize] attribute

  • Do you have two different projects, one for MVC and one for Web API? In that case check my answer here - http://stackoverflow.com/questions/38424518/use-web-api-cookie-for-mvc-cookie/38428420#38428420 . BTW, is your problem only with Logout, or with every controller that is decorated with [Authorize]? – Ravi A. Sep 12 '16 at 13:17
  • Your comment made me look at my Web API config settings, only to realize that it was configured to accept bearer tokens only. I removed the call to SuppressDefaultHostAuthentication and everything works fine now. Thanks for pointing me in the right direction. – Draco Sep 12 '16 at 15:00
  • Oh yeah the default template always have that. Glad you figured out. – Ravi A. Sep 12 '16 at 15:22



Looking at my Web API config settings, I realized the pipeline was configured to accept bearer tokens only: the default template's `config.SuppressDefaultHostAuthentication()` discards the principal that the host (here the OWIN cookie middleware) has already established before `[Authorize]` runs, and the `HostAuthenticationFilter` it is paired with in that template re-authenticates with bearer tokens alone. I removed the call to SuppressDefaultHostAuthentication and everything works fine now. One caveat: once Web API accepts the cookie, the browser will attach it to any request a third-party page triggers, so cookie-authenticated API endpoints need anti-forgery (CSRF) protection that bearer tokens gave you implicitly.


Please check your Global.asax.cs — the global filters have to be registered there:

    /// <summary>
    /// ASP.NET application start-up hook: registers areas, global filters,
    /// routes and script/style bundles, in that order.
    /// </summary>
    protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            // Global filters (e.g. a globally applied AuthorizeAttribute) must
            // be registered here or they never run.
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }