ASP.NET Automatic redirect OWIN configuration

Using the quick starts it is very easy to configure my suite of applications that are built on ASP.NET MVC or API to redirect to Okta to authenticate. Unfortunately, for a set of my WebForms applications, I am not able to plumb up the startup.cs to automatically challenge using OIDC in the event that a user is not authenticated.

We have done this before using plain old cookie auth with a CookieAuthenticationProvider that hijacked OnApplyRedirect:

        private CookieAuthenticationProvider BuildCookieAuthenticationProvider()
        {
            //swap out the Action to hack the context while maintaining the default action
            var provider = new CookieAuthenticationProvider();
            var defaultApplyRedirect = provider.OnApplyRedirect;
            provider.OnApplyRedirect = context =>
            {
                //TODO might not want to do this here, not sure if it is better suited in authorize middleware
                if (context.OwinContext.Authentication.User.Identity.IsAuthenticated)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                    context.RedirectUri = "/Error.aspx";
                }
                else
                {
                    context.RedirectUri = _authProviderUrl
                                          + context.Options.LoginPath + new QueryString(context.Options.ReturnUrlParameter, context.Request.Uri.ToString());
                }

                defaultApplyRedirect(context);
            };

            return provider;
        }

Is there a more native way to do this in ASP.NET for OIDC, particularly using the Okta NuGet packages?

I should add that the web.config protection is performed at a minimum of deny anonymous users:

    <authentication mode="None" />
    <authorization>
      <deny users="?" />   
    </authorization>

Is the above really the best way to redirect to the authentication provider in ASP.NET webforms?

Long story short: including the stage marker for authentication synced up the execution of the Okta OIDC middleware with the default CookieAuthenticationOptions. So no overriding OnApplyRedirect on the CookieAuthenticationProvider.

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOktaMvc(new OktaMvcOptions()
            {
                OktaDomain = OidcDomain,
                ClientId = ClientId,
                ClientSecret = ClientSecret,
                AuthorizationServerId = AuthorizationServerId,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = PostLogoutRedirectUri,
                GetClaimsFromUserInfoEndpoint = GetClaimsFromUserInfoEndpoint,
                Scope = new List<string> {  "profile" }, 
            });
            //Use a stage marker to force the above middleware to execute during Authentication 
            //so that an oidc token is loaded before we LoadPrincipal in PostAuthenticate where a challenge may be issued
            app.UseStageMarker(PipelineStage.Authenticate);
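
One way to confirm the stage marker is doing what the answer describes, as an added diagnostic sketch that is not code from the thread or from the Okta packages. It assumes IIS integrated pipeline hosting via Microsoft.Owin.Host.SystemWeb; `StageProbe`, `UseStageProbe` and the labels are hypothetical names.

```csharp
using System.Diagnostics;
using System.Web;
using Microsoft.Owin.Extensions;          // UseStageMarker
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical helper (not part of Katana or the Okta packages).
public static class StageProbe
{
    // Pass-through middleware that records which IIS pipeline event it runs in
    // and whether the request already carries an authenticated principal.
    public static IAppBuilder UseStageProbe(this IAppBuilder app, string label)
    {
        return app.Use(async (context, next) =>
        {
            var user = context.Authentication.User;
            bool authenticated = user != null && user.Identity != null
                                 && user.Identity.IsAuthenticated;

            // CurrentNotification is the integrated-pipeline event executing right now.
            Trace.TraceInformation("[{0}] {1} stage={2} authenticated={3}",
                label, context.Request.Path,
                HttpContext.Current.CurrentNotification, authenticated);

            await next();
        });
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        // app.UseOktaMvc(...) is registered here, exactly as in the post above.

        // Everything registered before the marker, this probe included, is pinned
        // to the Authenticate stage.
        app.UseStageProbe("before-marker");
        app.UseStageMarker(PipelineStage.Authenticate);

        // No marker follows, so this probe runs at the default stage (PreHandlerExecute).
        app.UseStageProbe("after-marker");
    }
}
```

With the marker in place the first probe should log `AuthenticateRequest`; if the marker is removed, both probes log `PreExecuteRequestHandler`, which is after the `<deny users="?" />` rule has already been evaluated.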
