
I'm migrating several applications from Identity to IdentityServer4.

Some are .NET Core 3.1 and are set up like the documentation at https://identityserver4.readthedocs.io/en/latest/quickstarts/2_interactive_aspnetcore.html#creating-an-mvc-client:

services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5001";

        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code";

        options.SaveTokens = true;
    });

and some are .NET and use OWIN, and are set up like this article https://www.scottbrady91.com/ASPNET/Refreshing-your-Legacy-ASPNET-IdentityServer-Client-Applications in the section "Authorization Code with PKCE - 2020":

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "cookie"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "mvc.owin",
            Authority = "http://localhost:5000",
            RedirectUri = "http://localhost:5001/",
            Scope = "openid profile api1",

            SignInAsAuthenticationType = "cookie",

            RequireHttpsMetadata = false,
            UseTokenLifetime = false,

            RedeemCode = true,
            SaveTokens = true,
            ClientSecret = "secret",

            ResponseType = "code",
            ResponseMode = "query",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        // generate code verifier and code challenge
                        var codeVerifier = CryptoRandom.CreateUniqueId(32);

                        string codeChallenge;
                        using (var sha256 = SHA256.Create())
                        {
                            var challengeBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(codeVerifier));
                            codeChallenge = Base64Url.Encode(challengeBytes);
                        }
    
                        // set code_challenge parameter on authorization request
                        n.ProtocolMessage.SetParameter("code_challenge", codeChallenge);
                        n.ProtocolMessage.SetParameter("code_challenge_method", "S256");

                        // remember code verifier in cookie (adapted from OWIN nonce cookie)
                        // see: https://github.com/scottbrady91/Blog-Example-Classes/blob/master/AspNetFrameworkPkce/ScottBrady91.BlogExampleCode.AspNetPkce/Startup.cs#L85
                        RememberCodeVerifier(n, codeVerifier);
                    }

                    return Task.CompletedTask;
                },
                AuthorizationCodeReceived = n =>
                {
                    // get code verifier from cookie
                    // see: https://github.com/scottbrady91/Blog-Example-Classes/blob/master/AspNetFrameworkPkce/ScottBrady91.BlogExampleCode.AspNetPkce/Startup.cs#L102
                    var codeVerifier = RetrieveCodeVerifier(n);

                    // attach code_verifier on token request
                    n.TokenEndpointRequest.SetParameter("code_verifier", codeVerifier);

                    return Task.CompletedTask;
                }
            }
        });

So: NetCoreApp1, NetCoreApp2, NetOwinApp1, NetOwinApp2.

If I open a browser and launch NetCoreApp1, it asks me to log in and all works fine.

If I change the URL to point to NetCoreApp2, it realises I'm authenticated and launches straight away.

If I change the URL and launch NetOwinApp1, it realises I'm authenticated and launches straight away.

If I change the URL and relaunch NetCoreApp1, it goes into a redirect loop.

It appears that if a .NET Core client is launched after a .NET OWIN client, it goes into a loop, even though they are fine running individually and fine following an app of the same type.

Does anybody have any clues what is happening? I've been trying to understand the cookies, and my hunch was that it was something to do with the SameSite restrictions, but I'm at a loss as to how to get to the bottom of it.

Thanks

hmmm..
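The OWIN snippet above hand-rolls PKCE: it derives code_challenge = BASE64URL(SHA256(code_verifier)) for the authorization request and later presents code_verifier at the token endpoint. The following Python is an added illustration (not code from the question or from IdentityServer4) of both halves of that exchange, including the server-side check that IdentityServer performs when it redeems the code; the 32-byte base64url verifier, the client_id/redirect_uri/state values and the RFC 7636 Appendix B test vector are constructed inputs, not taken from the question.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    # RFC 7636 base64url without '=' padding, the same encoding the OWIN snippet's Base64Url.Encode produces
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # Assumption: 32 random bytes, base64url-encoded -> 43 chars, inside RFC 7636's 43..128 range
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_query(client_id: str, redirect_uri: str, scope: str, state: str, verifier: str) -> str:
    # Client side (RedirectToIdentityProvider): only the challenge leaves the client, never the verifier
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
        "response_type": "code", "response_mode": "query", "state": state,
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
    }
    return urlencode(params)


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    # Server side (token endpoint): recompute the challenge from the presented verifier and compare
    # in constant time; a missing, malformed or mismatched verifier means the code must not be redeemed.
    if not presented_verifier or not 43 <= len(presented_verifier) <= 128:
        return False
    if stored_method != "S256":
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def run_flow() -> bool:
    # Full round trip: client remembers the verifier (the OWIN code keeps it in a cookie), sends the
    # challenge, then presents the verifier when redeeming the code; the server accepts it.
    verifier = make_code_verifier()
    query = build_authorize_query("mvc", "https://localhost:5001/signin-oidc", "openid profile", "xyz", verifier)
    stored = dict(p.split("=") for p in query.split("&"))
    return verify_code_verifier(stored["code_challenge"], stored["code_challenge_method"], verifier)
```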
  • The following article is somewhat lengthy but I think it may describe the redirect loop you are seeing. https://www.blinkingcaret.com/2016/01/20/authorization-redirect-loops-asp-net-mvc/ – David Tansey Mar 05 '21 at 01:38
  • Hi, I don't really see how this is relevant - the user **is** authenticated and authorized to use each application – hmmm.. Mar 05 '21 at 08:59
  • The key factor in the article I posted relates to ROLES -- if you are *not* using ROLES then you can probably ignore the article. If you are using ROLES then I would make certain that you fully understand what the article is describing as the subtle cause of the redirect loop -- look for the paragraph that starts with the sentence _"Do you see where the redirect loop happens yet? "_ The following sentence is: _"It happens because the default behaviour when using the Authorize attribute in ASP.NET is to issue a 401 when the user is not authorized (even if the user is authenticated)."_ – David Tansey Mar 06 '21 at 00:22
