I am attempting to migrate from Forms Authentication / Membership to ASP.NET Identity.

One issue I have encountered: If I set the LoginPath to "/account/", logged-out users end up with an infinite redirect loop (not really; it keeps extending the returnURL until the server blocks the request for having an overly long query string). This occurs on /account/, but /account/default.aspx is accessible to logged-out users. I believe that the issue is that somehow default documents are treated differently by the OWIN middleware than they are by forms authentication/IIS. Currently, "default.aspx" is configured as a Default Document.

I tried using UseFileServer to set DefaultFileNames to include "default.aspx", but this did not seem to help. I also tried using path="." inheritInChildApplications="false" instead of path="default.aspx", but this caused a "Config section 'system.web/authorization' already defined" exception, presumably because it overlapped with the previous system.web declaration.

I realize that there are several possible work-arounds:

  • tolerate default.aspx in the path
  • use MapPageRoutes instead of relying on default pages
  • set the web.config to allow /account and then use location path to manually disable every subdirectory

Is there a way to convince Microsoft Identity that loading /account/ does not require authentication without using the workarounds in the bullet points above?

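```csharp
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.StaticFiles;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseFileServer(new FileServerOptions() { // attempt to register default.aspx as a default file
            DefaultFilesOptions = {DefaultFileNames = {"default.aspx"}}});
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/account/") // directory URL, relies on the default document
        });
    }
}
```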

```xml
<!--/account/web.config-->
<configuration>
    <system.web>
      <authorization>
        <allow roles="activeuser" />
        <deny users="*" />
      </authorization>
    </system.web>
    <location path="Default.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>
```

Brian

1 Answer

Voting to close my own question as a duplicate. For reference, this can be resolved by modifying the root web.config as follows:

```xml
<urlMappings>
  <add url="~/account/" mappedUrl="~/account/default.aspx"/>
</urlMappings>
```

Somehow I completely failed to find https://stackoverflow.com/a/19154854/18192 while investigating this problem.

Brian
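A simplified model of the redirect loop from the question and of the urlMappings fix from the answer, as an added example that is not part of the original posts. It assumes authorization is checked against the requested URL before the default document is resolved, that the cookie middleware answers a 401 with LoginPath?ReturnUrl=<escaped current URL>, and a 2048-character query string limit; all function names are hypothetical.

```python
from urllib.parse import quote

LOGIN_PATH = "/account/"   # LoginPath from the question
MAX_QUERY_STRING = 2048    # assumption: default IIS/ASP.NET query string limit

def anonymous_allowed(path, url_mappings):
    """Simplified model of the question's /account/web.config rules."""
    path = url_mappings.get(path.lower(), path).lower()  # urlMappings rewrite runs first
    if not path.startswith("/account/"):
        return True
    # Only the <location path="Default.aspx"> entry is open to all users.
    return path == "/account/default.aspx"

def challenge(path, query):
    """Redirect issued on a 401: LoginPath plus the escaped current URL."""
    current = path + ("?" + query if query else "")
    return LOGIN_PATH, "ReturnUrl=" + quote(current, safe="")

def follow(path, url_mappings=None, max_hops=100):
    """Follow redirects as a logged-out browser.

    Returns (outcome, hops, query_length).
    """
    url_mappings = url_mappings or {}
    query = ""
    for hops in range(max_hops + 1):
        if len(query) > MAX_QUERY_STRING:
            return "query_too_long", hops, len(query)   # server rejects the request
        if anonymous_allowed(path, url_mappings):
            return "served", hops, len(query)
        path, query = challenge(path, query)            # 401 turned into a redirect
    return "gave_up", max_hops, len(query)

if __name__ == "__main__":
    fix = {"/account/": "/account/default.aspx"}        # the answer's urlMappings entry
    print("without mapping:", follow("/account/"))
    print("with mapping:   ", follow("/account/", fix))
    print("protected page: ", follow("/account/reports/", fix))  # constructed path
```

Each hop re-escapes the previous ReturnUrl (`%2F` becomes `%252F`, and so on), which is why the query string keeps growing until the length limit stops the loop.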