Cookies or Identity not being processed?

ehs_ziluckm · April 27, 2018, 6:24pm

Hello World!

I am working on a project that uses Okta Authentication for MVC and ASP.NET. Right now I have the system set up almost identically to the demo. When I sign in, a cookie is made and added to the browser, but for some reason, the application does not properly recognize the user as logged in.

Below is the code I use for Startup.cs, but I can’t figure out for the life of me what the problem is. My entire team has been trying to figure out what’s wrong for almost a day now and we’re stumped. Does anyone have any thoughts?

public class Startup
{
    // These values are stored in Web.config. Make sure you update them!
    private readonly string clientId = ConfigurationManager.AppSettings["okta:ClientId"];
    private readonly string redirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"];
    private readonly string authority = ConfigurationManager.AppSettings["okta:OrgUri"] ;
    private readonly string clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"];
    private readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"];

    /// <summary>
    /// Configure OWIN to use OpenID Connect to log in with Okta.
    /// </summary>
    /// <param name="app"></param>
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Authority = authority,
            RedirectUri = redirectUri,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = OpenIdConnectScope.OpenIdProfile,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async n =>
                {
                    // Exchange code for access and ID tokens
                    var tokenClient = new TokenClient(authority + "/v1/token", clientId, clientSecret);
                    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, redirectUri);

                    if (tokenResponse.IsError)
                    {
                        throw new Exception(tokenResponse.Error);
                    }

                    var userInfoClient = new UserInfoClient(authority + "/v1/userinfo");
                    var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
                    var claims = new List<Claim>();
                    claims.AddRange(userInfoResponse.Claims);
                    claims.Add(new Claim("id_token", tokenResponse.IdentityToken));
                    claims.Add(new Claim("access_token", tokenResponse.AccessToken));

                    if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
                    {
                        claims.Add(new Claim("refresh_token", tokenResponse.RefreshToken));
                    }

                    n.AuthenticationTicket.Identity.AddClaims(claims);

                    return;
                },

                RedirectToIdentityProvider = n =>
                {
                    // If signing out, add the id_token_hint
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                    {
                        var idTokenClaim = n.OwinContext.Authentication.User.FindFirst("id_token");

                        if (idTokenClaim != null)
                        {
                            n.ProtocolMessage.IdTokenHint = idTokenClaim.Value;
                        }

                    }

                    return Task.CompletedTask;
                }
            },
        });
    }
}

laura.rodriguez · April 27, 2018, 6:41pm

Hi,

Could you provide more details about your Okta application configuration?
Check you have checked Implicit (Hybrid) and Allow ID Token in your App config.
Also, what OWIN packages/version are you using in your project?

Just in case you can check this: Login is stuck in an endless redirect loop, using Asp.NET MVC

We have a new package coming soon to make this much easier, stay tuned

rakpan · April 9, 2019, 11:17pm

Could this be the classic case of needing to enable third party cookies for Okta to work?

sbennett · April 10, 2019, 7:02pm

So I ran into this very thing. Is your app running on HTTP? I can’t see your cookieAuth options above but if you set your cookieAuth to always use secure cookies and then run your site on HTTP, the Auth Cookie cannot be read, this results in an auth loop. To fix just set your site to HTTPS.