Re-challenge authenticated users in ASP.NET Core

I'm having problems with the authentication pipeline in ASP.NET Core. My scenario is that I want to challenge a user who has already authenticated using OpenID Connect and Azure AD. There are several scenarios in which you would want to do this, for example when requesting additional scopes in an AAD v2 endpoint scenario.

This works like a charm in ASP.NET MVC, but in ASP.NET Core MVC the user is redirected to the access denied page configured in the cookie authentication middleware. (When the user is not logged in, issuing the challenge works as expected.)

After hours of searching the Internet and testing various parameters for my middleware options, I'm beginning to suspect that I am either missing something obvious or that this is by design and I need to solve my requirement in a different way. Does anyone know about this?

EDIT: The relevant parts of my Startup.cs look like this:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Identities produced by the OIDC handler are persisted in the cookie scheme.
        services.AddAuthentication(
            sharedOptions => sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        // <snip...>
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme
        });

        var options = new OpenIdConnectOptions
        {
            AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme,
            ClientId = ClientId,
            Authority = Authority,
            CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            PostLogoutRedirectUri = "https://localhost:44374/",
            TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
            {
                ValidateIssuer = false
            }
        };
        options.Scope.Add("email");
        options.Scope.Add("offline_access");
        app.UseOpenIdConnectAuthentication(options);
    }

And the action is as follows:

    // Returns Task and awaits the challenge so the redirect is written before the action completes.
    public async Task RefreshSession()
    {
        await HttpContext.Authentication.ChallengeAsync(
            OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = "/" });
    }
+8
asp.net-core openid-connect azure-active-directory
2 answers

I found a hint and the solution here: https://github.com/aspnet/Security/issues/912 . ChallengeBehavior.Unauthorized is the key.

This post gives the current (November 2016, ASP.NET Core 1.0.1) workaround: https://joonasw.net/view/azure-ad-b2c-with-aspnet-core

You will need a new ActionResult to be able to call AuthenticationManager.ChallengeAsync with ChallengeBehavior.Unauthorized.

Once issue https://github.com/aspnet/Mvc/issues/5187 is closed, this should be built in.

I tested it and it worked perfectly (my goal was simply to request additional Google scopes per user).

+2
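For readers who want to see the workaround the answer above points to in working form, here is an added example targeting ASP.NET Core 1.x (it is not code from the original post or from the linked blog). The class name ReChallengeResult, the AccountController, the "extra_scopes" properties key and the allow-listed scope names are my own choices; the ChallengeAsync overload taking a ChallengeBehavior, the Url.IsLocalUrl check and the OnRedirectToIdentityProvider event are the real 1.x APIs.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Http.Features.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical name. Forces the OIDC handler to issue a fresh authorize redirect
// even though the request already carries an authenticated cookie identity.
public class ReChallengeResult : ActionResult
{
    private readonly string _scheme;
    private readonly AuthenticationProperties _properties;

    public ReChallengeResult(string scheme, AuthenticationProperties properties)
    {
        _scheme = scheme;
        _properties = properties;
    }

    public override Task ExecuteResultAsync(ActionContext context)
    {
        // With the default behaviour (Automatic), a challenge for a user who
        // already has an identity is treated as Forbidden, and the cookie
        // middleware turns that into the AccessDenied redirect from the question.
        // Unauthorized tells the OIDC handler to start a new sign-in instead.
        return context.HttpContext.Authentication.ChallengeAsync(
            _scheme, _properties, ChallengeBehavior.Unauthorized);
    }
}

public class AccountController : Controller
{
    // Hypothetical key used to hand extra scopes to the OIDC redirect event.
    public const string ExtraScopesKey = "extra_scopes";

    // Example allow-list (Microsoft Graph delegated permissions). Never forward a
    // caller-supplied scope string to the identity provider unfiltered.
    private static readonly HashSet<string> AllowedScopes =
        new HashSet<string> { "Mail.Read", "Calendars.Read" };

    [Authorize]
    public IActionResult RefreshSession(string returnUrl = "/", string scope = null)
    {
        // An attacker-controlled returnUrl would turn this into an open redirect.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        var properties = new AuthenticationProperties { RedirectUri = returnUrl };

        var requested = (scope ?? string.Empty)
            .Split(' ')
            .Where(s => AllowedScopes.Contains(s))
            .ToArray();
        if (requested.Length > 0)
        {
            properties.Items[ExtraScopesKey] = string.Join(" ", requested);
        }

        return new ReChallengeResult(OpenIdConnectDefaults.AuthenticationScheme, properties);
    }
}

// Wiring for incremental consent: add this to the OpenIdConnectOptions from the
// question (inside Startup.Configure, before app.UseOpenIdConnectAuthentication).
public static class OpenIdConnectScopeWiring
{
    public static void AddExtraScopeSupport(OpenIdConnectOptions options)
    {
        options.Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProvider = context =>
            {
                string extra;
                if (context.Properties.Items.TryGetValue(AccountController.ExtraScopesKey, out extra))
                {
                    // Append the already-validated scopes to the authorize request.
                    context.ProtocolMessage.Scope = context.ProtocolMessage.Scope + " " + extra;
                }
                return Task.FromResult(0);
            }
        };
    }
}
```

Calling `/Account/RefreshSession?scope=Mail.Read` as a signed-in user now redirects to the authority's authorize endpoint with the extra scope, and the existing cookie is replaced when the callback completes. In ASP.NET Core 2.0 and later the ChallengeBehavior enum is gone and a controller's plain `Challenge(properties, OpenIdConnectDefaults.AuthenticationScheme)` always invokes the handler's challenge, so the custom result is only needed on 1.x.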
Try signing out first:

    // Sign out of both schemes, then challenge; awaiting each call keeps the
    // Set-Cookie and redirect headers from racing the response.
    public async Task RefreshSession()
    {
        await HttpContext.Authentication.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.Authentication.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
        await HttpContext.Authentication.ChallengeAsync(
            OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = "/" });
    }
0
