
I'm using WIF. I developed an STS that works well. The STS itself performs the login (basically using the pre-rolled code that comes with Microsoft MVC). So far we have two relying parties that can use the encrypted identity cookie just fine. Here's the thing: since all that code is in the STS, I want the STS to also do other functions like register new users, change passwords, etc. All that pre-rolled stuff. However, after a login, any request to a route in the STS (say, account/register or even account/login) fails with "Key not valid for use in specified state". I've spent quite a bit of time, and I have two working RPs to copy from in trying to configure this thing to decrypt the cookie. I'm concluding it's not configuration. I think maybe an STS will only respond to identity requests. Oddly, this all works on IIS express (on my laptop) but gives the above error on IIS. The first thought then, is certificate protection. However, when that is misconfigured you can't even log in, so I know the STS can access the certificate. Sorry it's all a bit vague but I'm hoping somebody has good ideas or domain knowledge. Thanks much-

rdgWarren

2 Answers


A standard STS is only concerned with signin and signout. However, as many learn, there are many other flows that concern the "user" thing. There is change password, lost password, change email (in fact change any claim), refresh password, try to sign in, register, register with Facebook, .... There is no standard way of dealing with these. We have solved this by extending the "actions" that can be sent to our STS. Instead of signin1.0 and signout1.0 we allow a total set of 20 actions to be tapped in directly by our RPs.
Your STS should have its own cookies. It should never share the cookie with one of the relying parties. That way you cannot normally have a problem of decrypting or encrypting keys.

  • Thanks, Willy! I have viewed the cookie as being on the session, not on a given app. How can the STS have its own cookies? I redirect to the STS and before any of its code gets control it throws the invalid key error. Not sure how to ask or tell it to use some other cookie than the WIF session one. Thanks- – rdgWarren Dec 24 '15 at 16:49

You can ensure WIF uses separate cookies for the STS and each RP by naming them differently in your setup for each site (i.e. stsauth, rp1auth, rp2auth). You can set up the names explicitly on the ChunkedCookieHandler object on each site at application start time.

// ChunkedCookieHandler lives in System.IdentityModel.Services (WIF 4.5); the name must differ per site.
var chunkedCookieHandler = new ChunkedCookieHandler {
    RequireSsl = false,                                   // allows the cookie over plain HTTP; use true on HTTPS sites
    Name = "stsauth",                                     // "stsauth" on the STS, "rp1auth"/"rp2auth" on the RPs
    Domain = domain,                                      // cookie domain, a string defined elsewhere in the site
    PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0) // 30-minute lifetime for persistent sessions
};

See here for the full code to do this:

jonho
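The per-site cookie naming from the answer above, wired into WIF's startup hook so the STS and each RP get their own session cookie. This is an added example, not jonho's code; it assumes WIF 4.5 (System.IdentityModel.Services) in an ASP.NET Global.asax and two hypothetical appSettings keys, SessionCookieName and SessionCookieDomain, set to a different value on each site.

```csharp
// Added example (not from the answer): per-site WIF session cookie in Global.asax.
// Assumes WIF 4.5 and hypothetical appSettings keys SessionCookieName / SessionCookieDomain.
using System;
using System.Configuration;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Web;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Fires once, when WIF builds the federation configuration for this site.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        // Each site carries its own value, e.g. STS: SessionCookieName=stsauth,
        // RP1: SessionCookieName=rp1auth, RP2: SessionCookieName=rp2auth (hypothetical keys).
        string cookieName = ConfigurationManager.AppSettings["SessionCookieName"];
        string cookieDomain = ConfigurationManager.AppSettings["SessionCookieDomain"];

        // Fail at startup rather than silently fall back to the shared default name
        // and let the STS and an RP try to read each other's cookie.
        if (string.IsNullOrWhiteSpace(cookieName))
            throw new ConfigurationErrorsException(
                "SessionCookieName must be set per site so WIF session cookies do not collide.");

        e.FederationConfiguration.CookieHandler = new ChunkedCookieHandler
        {
            Name = cookieName,
            Domain = cookieDomain,                            // null keeps the cookie host-only
            RequireSsl = true,                                // Secure flag: cookie only sent over HTTPS
            HideFromScript = true,                            // HttpOnly flag: not readable from JavaScript
            PersistentSessionLifetime = TimeSpan.FromMinutes(30)
        };
    }
}
```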