
I have a user info endpoint in my Web API which is protected by [Authorize] and cookie authentication. If the designated cookie is not present then the user is redirected to /account/login, which looks something like below.

// Assumed usings and action signature for the /account/login endpoint (not in the original post).
using System;
using System.Security.Authentication;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public async Task<IActionResult> Login(string returnUrl)
{
    var WindowsAuthenticationSchemeName = Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme;

    try
    {
        // Run the Windows (IIS) handler; the browser may prompt for credentials.
        var result = await HttpContext.AuthenticateAsync(WindowsAuthenticationSchemeName);
        if (!(result?.Principal is WindowsPrincipal wp)) { throw new InvalidCredentialException("Expected windows principal"); }

        var claims = Build_Claim_Set_Here;
        var id = new ClaimsIdentity(claims, WindowsAuthenticationSchemeName);

        // No scheme given: signs in with the default sign-in scheme (the cookie scheme here).
        await HttpContext.SignInAsync(new ClaimsPrincipal(id));

        // returnUrl is the user info endpoint; check Url.IsLocalUrl(returnUrl) before redirecting.
        return Redirect(returnUrl);
    }
    catch (Exception ex)
    {
        // On any failure, challenge the Windows scheme so the browser prompts again.
        return Challenge(WindowsAuthenticationSchemeName);
    }
}

Note that I have not specified any scheme name in the SignInAsync request. As my default authentication scheme is the cookie scheme, I want that to be used here. After that a redirect response is sent to the browser (in this case, the returnUrl would be the user info endpoint). The Windows authentication (with prompt in browser), and redirection to the user info endpoint, works quite well.

The problem is that the cookie sent to the browser is not saved in the browser and thus not sent with the subsequent request. The claims stored in the cookie are essential for the user info endpoint. Note that the cookie is visible in the browser in the response header, and the size is way below 4096 bytes, which is often the upper limit of the cookie size. Thus, it is unclear to me why the cookie is not saved by the browser.

Is there anything I am missing?

Update: My bad, it turned out to be a typo in the domain name. As the cookie is a same-site cookie, the cookie is neither saved for the application nor sent with the subsequent request.

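The root cause in the update, a Domain attribute that does not match the host the cookie came from, is exactly the case in which a browser silently discards a Set-Cookie header. The check below is an added debugging example, not code from the question or from ASP.NET Core: it parses a Set-Cookie header with Python's standard library and applies the RFC 6265 domain-matching rule (section 5.1.3, used by section 5.3 step 6) to report whether the browser would store each cookie. The host names and header are constructed samples.

```python
"""Would a browser store this Set-Cookie header for this request host?
Only the Domain attribute is checked, because that is what a typo in the
domain name breaks. Sample hosts and headers are constructed."""
from http.cookies import SimpleCookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches cookie_domain if the two are
    equal, or host ends with '.' + cookie_domain and host is not an IP."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == cookie_domain:
        return True
    is_ipv4 = host.replace(".", "").isdigit()
    return host.endswith("." + cookie_domain) and not is_ipv4


def cookie_would_be_stored(request_host: str, set_cookie_header: str) -> dict:
    """Parse one Set-Cookie header value and return, per cookie name,
    (stored: bool, reason: str) as a browser would decide for request_host."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    report = {}
    for name, morsel in jar.items():
        domain = morsel["domain"]
        if not domain:
            # No Domain attribute: host-only cookie, scoped to request_host.
            report[name] = (True, "host-only cookie for " + request_host)
        elif domain_matches(request_host, domain):
            report[name] = (True, f"Domain={domain} matches {request_host}")
        else:
            # RFC 6265 5.3 step 6: the whole cookie is rejected, nothing is saved.
            report[name] = (False, f"Domain={domain} does not match {request_host}; discarded")
    return report


if __name__ == "__main__":
    # Constructed sample: the auth cookie carries a typo ("crop" for "corp").
    header = "auth=abc; Domain=app.crop.example; Path=/; HttpOnly; SameSite=Lax"
    for name, (stored, why) in cookie_would_be_stored("app.corp.example", header).items():
        print(name, "stored" if stored else "REJECTED", "-", why)
```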
