ASP.NET Automatic redirect OWIN configuration

Questions
1

Using the quick starts it is very easy to configure my suite of applications that are built on ASP.NET MVC or API to redirect to okta to authenticate. Unfortunately, for a set of my WebForms applications, I am not able to plumb up the startup.cs to automatically challenge using oidc in the event that a user is not authenticated.

We have done this before using plain old cookie auth with a CookieAuthenticationProvider that highjacked OnApplyRedirect:

        private CookieAuthenticationProvider BuildCookieAuthenticationProvider()
        {
            //swap out the Action to hack the context while maintaining the default action
            var provider = new CookieAuthenticationProvider();
            var defaultApplyRedirect = provider.OnApplyRedirect;
            provider.OnApplyRedirect = context =>
            {
                //TODO might not want to do this here, not sure if it is better suited in authorize middleware
                if (context.OwinContext.Authentication.User.Identity.IsAuthenticated)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                    context.RedirectUri = "/Error.aspx";
                }
                else
                {
                    context.RedirectUri = _authProviderUrl
                                          + context.Options.LoginPath + new QueryString(context.Options.ReturnUrlParameter, context.Request.Uri.ToString());
                }

                defaultApplyRedirect(context);
            };

            return provider;
        }

Is a more native way to do this in ASP.NET for oidc particularly using the okta nuget packages?

2

I should add that the web.config protection is performed at a minimum of deny anonymous users:

    <authentication mode="None" />
    <authorization>
      <deny users="?" />   
    </authorization>
3

Is the above really the best way to redirect to the authentication provider in ASP.NET webforms?

5

Long story short: including the stage marker for authentication synced up the execution of the okta oidc middleware with the default CookieAuthenticationOptions. So no overriding OnApplyRedirect on the CookieAuthenticationProvider.

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOktaMvc(new OktaMvcOptions()
            {
                OktaDomain = OidcDomain,
                ClientId = ClientId,
                ClientSecret = ClientSecret,
                AuthorizationServerId = AuthorizationServerId,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = PostLogoutRedirectUri,
                GetClaimsFromUserInfoEndpoint = GetClaimsFromUserInfoEndpoint,
                Scope = new List<string> {  "profile" }, 
            });
            //Use a stage marker to force the above middleware to execute during Authentication 
            //so that an oidc token is loaded before we LoadPrincipal in PostAuthenticate where a challenge may be issued
            app.UseStageMarker(PipelineStage.Authenticate);
6

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.