
I have a legacy application that was written using web forms. In this project we started to convert some of the webforms to SPA, angular.js, and WebAPI. The SPA pages communicate directly with the WebAPI. The idea is that eventually, all of the webforms will be converted to the new technology.

For the SPA pages, I've implemented adal.js and for the webforms I'm using ADAL.net. Both are obviously using Azure Active Directory. However, they don't seem to be using the same bearer token, because Single Sign-on is not working. Moving from a webform page to a SPA page requires another login.

How do I get the Single Sign On to work correctly in the project?

My code is below:

// OWIN startup for the webforms side: OpenID Connect sign-in, session kept in a cookie.
using System.Collections.Generic;
using System.IdentityModel.Tokens;          // JwtSecurityTokenHandler
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth( IAppBuilder app )
{
    // Keep the raw JWT claim names (e.g. "unique_name") instead of mapping them to the long URI claim types.
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>( );

    app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
    app.UseCookieAuthentication( new CookieAuthenticationOptions( ) );

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
            Authority = "https://login.microsoftonline.com/XXXXX.onmicrosoft.com",
            PostLogoutRedirectUri = "https://XXXX:4432/gbl/Home.aspx",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse( );
                    // The exception message ends up in the query string of the error page.
                    context.Response.Redirect( "/Error?message=" + context.Exception.Message );
                    return Task.FromResult( 0 );
                },
                SecurityTokenValidated = async n =>
                {
                    // Rebuild the identity from the validated token plus application-specific claims.
                    // getUserNameFromUniqueName, getRoleClaims, ToList2 and ClaimsTransformer are
                    // helpers defined elsewhere in the project.
                    var uniqueName = n.AuthenticationTicket.Identity.FindFirst( "unique_name" ).Value;
                    var userName = getUserNameFromUniqueName( uniqueName );

                    var claims = getRoleClaims( n.AuthenticationTicket.Identity ).ToList2( );
                    claims.Add( new Claim( "unique_name", uniqueName ) );
                    claims.Add( new Claim( ClaimTypes.Name, userName ) );
                    claims.Add( new Claim( ClaimTypes.UserData, "" ) );

                    var profileClaims = new ClaimsTransformer( ).GetTake2ProfileClaims( userName );
                    claims.AddRange( profileClaims );

                    // "given_name" becomes the name claim, "roles" the role claim of the new identity.
                    var newIdentity = new ClaimsIdentity( n.AuthenticationTicket.Identity.AuthenticationType, "given_name", "roles" );
                    newIdentity.AddClaims( claims );

                    n.AuthenticationTicket = new AuthenticationTicket( newIdentity, n.AuthenticationTicket.Properties );
                },
            }
        } );
}
Chris
  • Can you explain how you are using ADAL.net for web sign-on? ADAL.net is not designed for that; it is meant to be used for invoking web APIs... – vibronet Aug 31 '15 at 23:11
  • Vibronet, my apologies. I mixed up OWIN and ADAL. I added the code above so you can see what I am doing. All webform pages are secured by not letting anonymous in, except Home.aspx. On Home.aspx.cs, in the prerender, I issue an Owin challenge if the user is not authenticated. I will have to get the webforms and Adal.js to work together. Is there a way to accomplish this? – Chris Sep 01 '15 at 22:03
  • No issues. I think we're ready to try answering now – vibronet Sep 01 '15 at 23:28

1 Answer


ADAL JS and the OpenID Connect middleware aren't really designed to work together - the fact that your app is implemented in webforms or MVC doesn't really make a difference, the issue is that ADAL JS expects to interact with the backend calling Web API secured via OAuth2 bearer tokens, while OpenID Connect expects to secure full postbacks via cookies. For a backgrounder on the two different approaches, see http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/. I think you'll have to decide whether you want to move to a SPA infrastructure, in which case you can use ADAL JS and the OAuth2 middleware but webforms will be a bit awkward (but still possible), or if you want to stick with a postback based design and use OpenID Connect.

vibronet
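As an added illustration of the two-protocol split the answer describes (this is example code, not from the question or from vibronet's answer), the startup below keeps the question's cookie-based OpenID Connect sign-in for the webforms postbacks and adds bearer-token validation for the Web API that the adal.js pages call. It assumes the question's ConfigureAuth lives in the same partial Startup class, and the tenant and App ID URI values are placeholders.

```csharp
using System.IdentityModel.Tokens;          // TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x)
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    const string Tenant = "XXXXX.onmicrosoft.com";                      // placeholder
    const string ApiAudience = "https://XXXXX.onmicrosoft.com/WebApi";  // placeholder App ID URI of the Web API

    public void Configuration( IAppBuilder app )
    {
        // 1. Postback pages (webforms): the question's OpenID Connect + cookie middleware, unchanged.
        ConfigureAuth( app );   // assumed to be the ConfigureAuth from the question

        // 2. Web API: validate the Azure AD JWT that adal.js sends in the Authorization header.
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = Tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens minted for another resource, even when the same tenant issued them.
                    ValidAudience = ApiAudience
                }
            } );

        var config = new HttpConfiguration( );
        // Do not let the webforms cookie authenticate API calls: the API accepts bearer tokens only,
        // so a cross-site request that merely carries the cookie cannot act as the signed-in user.
        config.SuppressDefaultHostAuthentication( );
        config.Filters.Add( new HostAuthenticationFilter( OAuthDefaults.AuthenticationType ) );
        config.MapHttpAttributeRoutes( );
        app.UseWebApi( config );
    }
}

// Example API controller: reached only with a valid bearer token; the principal comes from the JWT.
[Authorize]
[RoutePrefix( "api/me" )]
public class MeController : ApiController
{
    [Route( "" )]
    public string Get( )
    {
        var identity = (ClaimsIdentity) RequestContext.Principal.Identity;
        return identity.FindFirst( "unique_name" )?.Value;
    }
}
```

Both middlewares trust the same Azure AD tenant, so the user identity seen by the webforms pages (cookie) and by the API (bearer token) is the same account, even though the two sessions are established through different protocols.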