
I have three applications: an IdentityServer4 app, a .NET Core 2.0 WebApp and a .NET Core 2.0 WebAPI.

When I open the WebApp while unauthenticated, it navigates to the identity server, where I supply the credentials. After successful authentication it navigates back to the WebApp with the required cookies in place. Things are fine up to here.

Now, within the WebApp, I am making calls to the WebAPI (with the cookies that the identity server set in the WebApp), but each time it returns 401 Unauthorized.

Code sample in the WebApp (ConfigureServices):

    // Cookie scheme holds the local session; OIDC scheme handles the challenge/redirect to IdentityServer.
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, o =>
    {
        // Same cookie name is configured in the WebAPI so the cookie is sent to both.
        o.Cookie.Name = Config.CookieName;
        o.Cookie.SameSite = SameSiteMode.None;
    })
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        // After a successful OIDC sign-in, persist the identity in the cookie scheme.
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        options.Authority = Config.IdentityUrl;
        options.RequireHttpsMetadata = false;
        options.ClientId = Config.ClientId;
        // Keep the tokens returned by IdentityServer in the authentication properties.
        options.SaveTokens = true;
    });

And the code sample used in the WebAPI's ConfigureServices method:

    // Cookie scheme is the default for both authenticate and challenge.
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, o =>
    {
        // Same cookie name as the WebApp.
        o.Cookie.Name = Config.CookieName;
        o.Cookie.SameSite = SameSiteMode.None;
        o.Events = new CookieAuthenticationEvents()
        {
            // An API should answer 401 instead of redirecting to a login page.
            OnRedirectToLogin = redirectContext =>
            {
                redirectContext.HttpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            }
        };
    })
    // Bearer-token validation against IdentityServer (registered, but not the default scheme above).
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = Config.IdentityUrl;
        options.RequireHttpsMetadata = false;
        options.ApiName = Config.ApiName;
    });

I also call app.UseAuthentication() in the Configure method.

I have a feeling it has something to do with the session id, maybe. If that is the case, please help; if not, please tell me what you can make out that I am doing wrong.

I traced the log and it shows just the following:

    Cookie was not authenticated. Failure Message: Unprotect ticket failed.

    Authentication Cookie was challenged.

Any help would be appreciated.

  • I struggled with this too until I found this: https://stackoverflow.com/a/61966795/5591146 - hope it helps!! – 93Ramadan Aug 07 '22 at 01:03

1 Answer


Here is the magical line of code. It is added in the ConfigureServices method, before services.AddAuthentication. This was the reason the cookie was not getting validated.

    services.AddDataProtection()
        .PersistKeysToFileSystem(PersistKeysLocation.GetKeyRingDirInfo())
        .SetApplicationName(Config.ApplicationName);

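The log line "Unprotect ticket failed" in the question and the data-protection line in the answer are two sides of the same thing: the cookie handler encrypts the ticket with a key from the app's Data Protection key ring, under purpose strings that include the application name and the cookie scheme name, so a second app can only read it if its key ring, application name and scheme name all match. The console program below is an added example, not code from the question or the answer; it drives the Data Protection API directly (package Microsoft.AspNetCore.DataProtection.Extensions) and reproduces the failure and the fix. The key-ring directories, the application names "MySuite" and "WebApi", and the payload string are constructed for the demo; a real cookie carries a serialized AuthenticationTicket through the same protector and fails in the same way.

```csharp
// Added example (not from the question or answer): shows why a cookie issued by one
// ASP.NET Core app cannot be unprotected by another unless both share the Data Protection
// key ring AND the application name, and why the answer's fix works.
// NuGet: Microsoft.AspNetCore.DataProtection.Extensions
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

static class SharedCookieDemo
{
    // The cookie handler creates its protector from these purpose strings; the scheme name
    // ("Cookies" = CookieAuthenticationDefaults.AuthenticationScheme) must match across apps.
    const string CookieScheme = "Cookies";

    static IDataProtector CookieProtector(IDataProtectionProvider provider) =>
        provider.CreateProtector(
            "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
            CookieScheme, "v2");

    // Equivalent of services.AddDataProtection().PersistKeysToFileSystem(dir)
    //   .SetApplicationName(appName) inside a web app's ConfigureServices.
    static IDataProtectionProvider AppProvider(string keyRingDir, string appName) =>
        DataProtectionProvider.Create(new DirectoryInfo(keyRingDir),
            b => b.SetApplicationName(appName));

    // Returns the ticket payload, or the failure message when the "API" cannot read it
    // (this is what surfaces in the log as "Unprotect ticket failed").
    static string TryReadCookie(IDataProtector apiProtector, string cookieValue)
    {
        try { return "OK: " + apiProtector.Unprotect(cookieValue); }
        catch (CryptographicException ex) { return "Unprotect failed: " + ex.Message; }
    }

    static void Main()
    {
        // Constructed, throw-away key-ring locations (assumes a writable temp directory).
        string sharedKeys  = Path.Combine(Path.GetTempPath(), "demo-shared-keyring");
        string privateKeys = Path.Combine(Path.GetTempPath(), "demo-webapi-own-keyring");

        // The WebApp issues the cookie under the shared key ring and app name "MySuite".
        var webApp = CookieProtector(AppProvider(sharedKeys, "MySuite"));
        string cookie = webApp.Protect("sub=alice;amr=pwd");

        // 1) WebAPI with its own key ring: the key id inside the cookie is unknown -> fails.
        var apiOwnKeys = CookieProtector(AppProvider(privateKeys, "MySuite"));
        Console.WriteLine(TryReadCookie(apiOwnKeys, cookie));

        // 2) Same key ring but a different application name: key found, purposes differ -> fails.
        var apiOtherName = CookieProtector(AppProvider(sharedKeys, "WebApi"));
        Console.WriteLine(TryReadCookie(apiOtherName, cookie));

        // 3) Same key ring and same application name (the answer's fix): the ticket unprotects.
        var apiShared = CookieProtector(AppProvider(sharedKeys, "MySuite"));
        Console.WriteLine(TryReadCookie(apiShared, cookie));
    }
}
```

Two caveats a practitioner will want alongside the fix. First, PersistKeysToFileSystem on its own writes the keys to disk unencrypted (the framework logs a "No XML encryptor configured" warning), so the shared directory must be locked down to the two app identities, or the keys should additionally be protected with ProtectKeysWithDpapi or ProtectKeysWithCertificate; anyone who can read that directory can forge authentication cookies for both apps. Second, the WebAPI in the question already registers AddIdentityServerAuthentication, and the WebApp sets SaveTokens = true, so the access token IdentityServer issued is available via GetTokenAsync("access_token"); sending it to the API as an Authorization: Bearer header and making the IdentityServer scheme the API's default removes the need to share cookies and key rings at all.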