Deferring OwinStartup call


OWINStartup is invoked as a property of the assembly on startup. This seems to me to be a terrible architecture because

(a) you don’t know if this app will be doing okta authentication or some other means of authentication, so why invoke okta code before it’s needed
(b) The app could serve many different okta accounts, so you don’t want to set one lot of okta credentials at startup when they could change with different requests

However I’m new to all this stuff so perhaps its not that terrible if there’s a good reason for it which I can’t see :slight_smile:

So what I want to do is instead of having this code:

<Assembly: OwinStartup(GetType(OKTAStartup.Startup))>

…I’d prefer to call OwinStartup later. I tried this and it didn’t do any of the flows, just went straight to my unauthenticated page. So

  1. is there a standard or best method by which Startup can be called later when its needed rather than at the time the app is starting ?


  1. If no, how can we have different okta domain, different clientid etc served from the same app ?

My existing (working) code is below for reference


<Assembly: OwinStartup(GetType(OKTAStartup.Startup))>
Namespace OKTAStartup
    Public Class Startup
        Public Sub Configuration(ByVal app As IAppBuilder)
            app.UseCookieAuthentication(New CookieAuthenticationOptions())
            app.UseOktaMvc(New OktaMvcOptions() With {
                .OktaDomain = "",
                .ClientId = "xxx",
                .ClientSecret = "yyy-zzz",
                .AuthorizationServerId = "default",
                .RedirectUri = "https://localhost:44302/secure/sso.aspx",  
                .PostLogoutRedirectUri = "https://localhost:44301/a.aspx",
                .GetClaimsFromUserInfoEndpoint = True,
                .Scope = New List(Of String) From {
        End Sub
    End Class
End Namespace

Friend Class OKTALocal

    Private req As HttpRequest
    Private res As HttpResponse
    Private con As HttpContext

    Public Sub Authenticate()
        If Not req.IsAuthenticated Then
            '   Compilation errors on the following line mean you need to install Microsoft.Owin.Host.SystemWeb from nuget (then restart visual studio)

            con.GetOwinContext().Authentication.Challenge(New AuthenticationProperties With {
                .RedirectUri = "https://localhost:44302/secure/sso.aspx"
            }, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationDefaults.AuthenticationType)
            Dim i As IAuthenticationManager = con.GetOwinContext().Authentication
            Dim s As String = ""
            For Each c As System.Security.Claims.Claim In i.User.Claims
                s &= c.Type & " " & c.Value & vbCrLf
            Dim x As Integer = 1
        End If
    End Sub

    Public Sub New(Request As HttpRequest, Response As HttpResponse, Context As HttpContext)
        req = Request
        res = Response
        con = Context
    End Sub

End Class