ASP.NET with OpenIdAuthentication: redirect to url if not authorized

Asked 25/4, 2017 at 1:3 Answered 27/7, 2020 at 17:32

Solved asp.net asp.net-identity azure-active-directory openid-connect owin-middleware

I am attempting to write an ASP.NET application that uses a hybrid authentication scheme. A user can either have his username and password hash stored in the UserStore, or he can authenticate via Azure Active Directory.

I have created the login form pictured. It has the standard UserName and Password inputs, but also has a "Login via Active Directory" button.

This works well.

Now for the problem: The application's home page has the [Authorize] attribute.

public class DefaultController : Controller
{
    [Authorize]
    public ViewResult Index()
    { 
    // Implementation
    }
}

If the user is not logged in, I want it to redirect to the page Account/Login, allowing the user to choose the authentication method.

Once I added IAppBuilder.UseOpenIdConnectAuthentication to the pipeline setup, it no longer redirects to that page. Instead, it goes straight to the Microsoft Login page.

How do I configure it so that OpenID authentication is part of the system, but allow me to specify how to perform redirections when the user is not authenticated?

Here's the code where I set up the pipeline:

appBuilder.SetDefaultSignInAsAuthticationType(CookieAuthenticationDefaults.AuthenticationType_;
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
     AuthenticationType = DefaultAuthenticationType.ApplicationCookie,
     LoginPath = new Microsoft.Owin.PathString("/Account/Login"),
     Provider = new Security.CookieAuthenticationProvider()
};
appBuilder.UseCookieAuthentication(cookieAuthenticationOptions);
// Now the OpenId authentication
var notificationHandlers = new OpenIdConnectAuthenticationNotificationHandlers 
{
   AuthorizationCodeReceived = async(context) => {
       var jwtSecurityToken = context.JwtSecurityToken;
       // I've written a static method to convert the claims
       // to a user
       var user = await GetOrCreateUser(context.OwinContext, jwtSecurityToken.Claims);
       var signInManager = context.OwinContext.Get<SignInManager>();
       await signInManager.SignInAsync(user, true, false);
   }
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

When you click "Active Directory Signin", it posts to "Account/SignInWithOpenId"

public ActionResult SignInWithOpenId()
{
    // Send an OpenID Connect sign-in request.
    if (!Request.IsAuthenticated)
    {
        var authenticationProperties = new AuthenticationProperties
        {
            RedirectUri = "/"
        };
        HttpContext.GetOwinContext().Authentication.Challenge
        (
            authenticationProperties,
            OpenIdConnectAuthenticationDefaults.AuthenticationType
        );
        return new EmptyResult();
    }
    else
    {
        return RedirectToAction("Index", "Default");
    }
}

Eminent answered 25/4, 2017 at 1:3 Comment(2)

Are there any endpoints defined in Azure that override your uri? – Commodore 25/4, 2017 at 2:41

How are you login user, GetorCreateUser. Can you please redirect to sample code. – Dibbell 17/7, 2018 at 5:56

The call to IAppBuilder.UseOpenIdConnectAuthentication(...) puts an Owin middleware component in the pipeline. When ASP.NET MVC returns an HttpResponse of 401 (Unauthorized), the Owin Middleware component detects this and changes it to an Http Redirect (code 302), and the redirection path is to the Open Id provider.

But there's a way to get around this: before the middleware component performs the redirect, it invokes the callback RedirectToIdentityProvider. From here, you can override this redirection.

Here is my code that overrides the redirection unless it is from the request path Account/SignInWithOpenId.

var notificationHandlers = new OpenIdConnectAuthenticationNotifications
{
    AuthorizationCodeReceived = async(context) => {
       // Sign in the user here
    },
    RedirectToIdentityProvider = (context) => {
        if(context.OwinContext.Request.Path.Value != "/Account/SignInWithOpenId")
        {
             context.OwinContext.Response.Redirect("/Account/Login");
             context.HandleResponse();
        }
        return Task.FromResult(0);
    }
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

Eminent answered 26/4, 2017 at 10:44 Comment(1)

Thank you! After hours of pain you've pointed me to context.HandleResponse() which was the missing piece for me - I was setting context.Response.Status = 401 but that was getting set back to 302 by the mysterious OIDC middleware (I assume). HandleResponse() shortcuts any "default logic". – Heartily 25/3, 2021 at 14:15

Please try to move the UseOpenIdConnectAuthentication before UseCookieAuthentication , then it will redirect user to "login" page .

// Now the OpenId authentication
var notificationHandlers = new OpenIdConnectAuthenticationNotificationHandlers 
{
  // Handler methods here
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

appBuilder.SetDefaultSignInAsAuthticationType(CookieAuthenticationDefaults.AuthenticationType_;
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
     AuthenticationType = DefaultAuthenticationType.ApplicationCookie,
     LoginPath = new Microsoft.Owin.PathString("/Account/Login"),
     Provider = new Security.CookieAuthenticationProvider()
};
appBuilder.UseCookieAuthentication(cookieAuthenticationOptions);

Please let me know whether it helps.

Update :

Or you could using a custom Authorize Attribute to override the default behavior, for example :

    public class CustomAuthorizeAttribute: AuthorizeAttribute
    {
        public CustomAuthorizeAttribute(): base()
        {
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext.Request.IsAuthenticated)
            {

            }
            else
            {
                filterContext.HttpContext.Response.Redirect("Account/login");
            }              
        }
    }

Then just change your usage to :

[CustomAuthorize]
public ActionResult Index()
{
    return View();
}

Pleasing answered 25/4, 2017 at 2:37 Comment(3)

It does redirect it to the login page, but it breaks something else. One of my notification handlers is for AuthorizationCodeReceived, which figures out the user from the claims and then calls SignInAsync. For some reason, if I don't call UseCookieAuthentication first, then SignInAsync has no effect. I'll modify my question to display the AuthorizationCodeReceived handler. – Eminent 25/4, 2017 at 5:27

Then how about using a custom Authorize Attribute :public class CustomAuthorizeAttribute: AuthorizeAttribute { public CustomAuthorizeAttribute(): base() { } protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { if (filterContext.HttpContext.Request.IsAuthenticated) { } else { filterContext.HttpContext.Response.Redirect("Account/login"); } } } – Pleasing 25/4, 2017 at 6:35

A custom authorization attribute would work, but I'd rather not replace other parts of the ASP.NET MVC framework. I managed to come up with a solution to this. – Eminent 26/4, 2017 at 11:0

If you set the OIDC's Authentication Mode to Passive it should only respond to explicit Open ID Connect requests (e.g. posting to Account/SignInWithOpenId):

var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     // ...
     AuthenticationMode = AuthenticationMode.Passive
}

Source: "Explicit use of Challenge and SignOut" section of The OWIN OpenID Connect Middleware

Vinavinaceous answered 27/7, 2020 at 17:32 Comment(0)

Recommended topics

Hot tags