OktaASP middleware not registering HttpContext Identity - Infinite Loop

Hi Guys,

Having a problem with the OktaASP library persisting the successful callback and UserInfo to the HttpContext Identity.

I used the Sample App and got that working perfectly after recoding it into the same use case as my main application.

I thought the problem with my main app would be because I was using Forms Authentication for the main workflow, so I switched the Sample App to Forms Authentication, suppressed the forms redirects like I'm doing in my main app and mirrored as much of the Startup, Routing and App config as possible from my main App.

But the Sample app still works perfectly as required.

I can see in Fiddler on the Main App all the conversation between the Okta server matching exactly a successful use case on the sample app, with access tokens and user info with verified email being transmitted correctly and received the same as in the Sample app.

The only difference I can see between the Sample App and the main application is that in the Main app the HttpContext.Identity is not getting set and authenticated, whereas in the sample app this is getting appropriately set.

Which causes an infinite loop to occur.

I've recreated various application connections in the Okta config and swapped IDs and secrets numerous times to make sure I wasn't dealing with a typo or anything in the URLs.

Unfortunately the area where I think something is going wonky, where the HttpContext is getting set in the Owin libraries triggered by the Okta middleware, is one I don't have access to.

No errors are being thrown.

Was wondering whether anyone had experienced a similar scenario or has pointers on where to look.

Regards,

Chris

Just as an FYI, Startup config:

using System.Collections.Generic;
using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;

public void Configuration(IAppBuilder app)
{
    // Identities signed in by the Okta middleware are issued under this type
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOktaMvc(new OktaMvcOptions()
    {
        OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
        ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
        ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
        RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
        PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
        GetClaimsFromUserInfoEndpoint = true,
        Scope = new List<string> { "openid", "profile", "email" },
    });
}

And Use:

using System.Web;
using System.Web.Mvc;
using Okta.AspNet;

// Controller action; LoginSuccess and LogOff are the application's own actions
[AllowAnonymous]
public ActionResult OktaLogin(string iss)
{
    if (!HttpContext.User.Identity.IsAuthenticated)
    {
        // Ask the Okta middleware to start the OpenID Connect redirect
        HttpContext.GetOwinContext().Authentication.Challenge(
            OktaDefaults.MvcAuthenticationType);

        // Stop FormsAuthentication from rewriting the 401 into its own login redirect
        Response.SuppressFormsAuthenticationRedirect = true;

        return new HttpUnauthorizedResult();
    }
    else
    {
        if (!string.IsNullOrEmpty(HttpContext?.User?.Identity?.Name))
        {
            return LoginSuccess(HttpContext.User.Identity.Name, iss);
        }
        else
        {
            return LogOff();
        }
    }
}

Config:

using System.Collections.Generic;
using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;

public void Configuration(IAppBuilder app)
{
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOktaMvc(new OktaMvcOptions()
    {
        OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
        ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
        ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
        RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
        PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
        GetClaimsFromUserInfoEndpoint = true,
        Scope = new List<string> { "openid", "profile", "email" },
    });
}

Usage:

using System.Web;
using System.Web.Mvc;
using Okta.AspNet;

// Controller action; LoginSuccess and LogOff are the application's own actions
[AllowAnonymous]
public ActionResult OktaLogin(string iss)
{
    if (!HttpContext.User.Identity.IsAuthenticated)
    {
        // Ask the Okta middleware to start the OpenID Connect redirect
        HttpContext.GetOwinContext().Authentication.Challenge(
            OktaDefaults.MvcAuthenticationType);

        // Stop FormsAuthentication from rewriting the 401 into its own login redirect
        Response.SuppressFormsAuthenticationRedirect = true;

        return new HttpUnauthorizedResult();
    }
    else
    {
        if (!string.IsNullOrEmpty(HttpContext?.User?.Identity?.Name))
        {
            return LoginSuccess(HttpContext.User.Identity.Name, iss);
        }
        else
        {
            return LogOff();
        }
    }
    // Every branch above returns, so the original trailing
    // RedirectToAction("Index", "Home") was unreachable and has been dropped.
}

Anyone who gets this issue with the cookie not getting set in Forms Authentication, the resolution was to override the default AuthenticationType in the CookieAuthenticationOptions in the Startup:

using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;

app.UseCookieAuthentication(new CookieAuthenticationOptions() { AuthenticationType = "Cookies", CookieManager = new SystemWebCookieManager() });
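A full Startup that applies the resolution above, written as an added example rather than the poster's own code. It shares one authentication-type constant between the default sign-in type and the cookie middleware (an identity signed in under a type no cookie middleware handles is never persisted, so the next request challenges again) and adds cookie hardening flags that the original post did not mention; the appSettings keys are the ones from the post, and the Okta.AspNet and Microsoft.Owin.Host.SystemWeb packages are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    // One constant for both middlewares: the Okta middleware signs the user in under the
    // default sign-in type, and only a cookie middleware registered with the same
    // AuthenticationType persists that identity into HttpContext.User on later requests.
    private const string SignInType = CookieAuthenticationDefaults.AuthenticationType; // "Cookies"

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(SignInType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = SignInType,
            // Write the cookie through System.Web so it survives next to FormsAuthentication
            // (the fix reported in the post above).
            CookieManager = new SystemWebCookieManager(),
            // Hardening added in this example, not from the original post: keep the session
            // cookie away from script and plaintext HTTP, and bound its lifetime.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            ExpireTimeSpan = TimeSpan.FromMinutes(60),
            SlidingExpiration = true,
        });

        app.UseOktaMvc(new OktaMvcOptions
        {
            OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
            ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
            RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });
    }
}
```

If HttpContext.User still comes back unauthenticated after the callback, confirm in the browser's cookie store that a cookie named after the cookie middleware's CookieName is actually being set on the callback response before looking anywhere else.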