I am using the OWIN cookie authentication middleware and have set up a custom OnValidateIdentity-method that should be invoked on all requests that need to be authenticated.

My setup looks like this:

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "my-cookie",
            Provider = new CookieAuthenticationProvider()
            {
                OnValidateIdentity = async ctx =>
                {
                    // my own validation code
                }
            }
        });

The issue I have is that for some requests, OnValidateIdentity is not called. If I hit the same protected Web API controller multiple times, some of the requests would not invoke the OnValidateIdentity-method.

This leads to issues later in the processing when I need to use GetOwinContext().Authentication.User and the ClaimsPrincipal is not populated.

What could be the reason for this?

1 Answer

Found the issue. The cookie was expired.

This is because I also use the OpenIdConnect-middleware using the same cookie. Turns out that if you don't specify UseTokenLifetime = false in that config, it will use the expiry of the ID token as cookie expiry.
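
The configuration described in this answer, as an added example that is not part of the original post: the OpenID Connect middleware signs in to the same cookie with `UseTokenLifetime = false`, so the cookie middleware's own expiry settings apply. The authority, client id, redirect URI and the eight-hour lifetime are placeholder assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "my-cookie",
            // Assumed values: with UseTokenLifetime = false below, these
            // settings decide how long the session cookie stays valid.
            ExpireTimeSpan = TimeSpan.FromHours(8),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Only runs for a ticket that has not expired. An expired
                // ticket is discarded first and the request stays anonymous.
                OnValidateIdentity = ctx =>
                {
                    // Custom validation goes here; call ctx.RejectIdentity()
                    // to refuse a ticket that should no longer be honoured.
                    return Task.FromResult(0);
                }
            }
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholder values, not taken from the original post.
            Authority = "https://idp.example.com/",
            ClientId = "example-client-id",
            RedirectUri = "https://app.example.com/",
            // Issue the session into the same cookie as above.
            SignInAsAuthenticationType = "my-cookie",
            // When left at its default (true), the cookie ticket inherits
            // the ID token's expiry, which is typically short.
            UseTokenLifetime = false
        });
    }
}
```

Because the session lifetime is now decoupled from the ID token, `ExpireTimeSpan` should be chosen deliberately, and any revocation or account-state check belongs in `OnValidateIdentity`.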