OWIN challenge not triggered when using web.config authorization elements
Asked Answered
M

1

4

I'm migrating a Web Forms application from Forms Authentication to OpenID Connect (using OWIN and IdentityServer3). The application already has a lot of 'authorization' elements (for various locations) in the web.config which I would like to reuse after migrating to OWIN.

<authorization>
   <deny users="?" />
</authorization>
<location path="Path/Page.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
...

The problem is that after I switch to OWIN instead of being redirected to the login page and I get a 401 (unauthorized).

At the moment the only way to redirect the user to the login page is to manually make a challenge in the Page_Load event:

if (!Request.IsAuthenticated)
{
   HttpContext.Current.GetOwinContext().Authentication.Challenge();
}

This is how my Startup.Auth looks like:

public void ConfigureAuth(IAppBuilder app)
        {
            //reset the mapping dictionary to ensure the claims are not mapped to .NET standard claims
            JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",                    
                AuthenticationMode = AuthenticationMode.Active          
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = "id",
                Authority = IdentityConstants.BaseAddress,
                RedirectUri = "uri",
                ResponseType = "code id_token token",                    
                SignInAsAuthenticationType = "ApplicationCookie",
                Scope = "openid profile email roles offline_access",
                ...
            }
...

Is there a way to leverage the existing authorization elements in web config so that I don't have to make these checks again in the code?

Melgar answered 18/5, 2016 at 9:15 Comment(0)
M
9

Add following code after app.UseOpenIdConnectAuthentication:

app.UseStageMarker(PipelineStage.Authenticate);

This will instruct Owin to run in the integrated pipeline.

Mismate answered 3/6, 2016 at 13:7 Comment(1)
yep, this saves my dayAchaean

© 2022 - 2024 — McMap. All rights reserved.