
I have a .NET Framework 4.7.1 ASP.NET/MVC application that I am switching from SAML to a new OpenIDConnect Identity Provider. The original code used libraries from the SAML provider and used Framework 4.5. I upgraded to 4.7.1 and added OWIN.

Everything seemed to be working well until I put the app into production. At that point only the first person to sign in could get in. Anyone else that started a new session would simply get caught in a redirect loop between the site and the IP until the Nonce cookies filled up the request and they got a "Request Too Long" error.

I have other apps that I have set up using this IP and ASP.NET Framework and I'm not having a problem. This app is Framework 4.5 but was designed from the beginning to use OWIN and Kentor.AuthServices for SAML, and the conversion to OpenIDConnect was very smooth.

The support team from my IP and I followed the conversation between my app and the IP, and the token is being sent back correctly. I added the Notifications to the Authentication and put in breakpoints. The app is getting the token and validating it.

I tried going back to Framework 4.5 and making all the libraries the same version as the other app that is working. That didn't work.

I finally tracked it down to the use of Session[] variables. I was also able to recreate the issue with a new .NET ASP.NET application.

  1. Create a new "ASP.NET Web Application" Framework 4.7.1 with no Authentication. (You can start with their authentication but it doesn't help)
  2. Install NuGet Package "Microsoft.Owin.Host.SystemWeb" (v4.0.0.0)
  3. Install NuGet Package "Microsoft.Owin.Security.OpenIdConnect" (v4.0.0.0)
  4. Install NuGet Package "Microsoft.Owin.Security.Cookies" (v4.0.0.0)
  5. Create Startup.cs

    using Microsoft.Owin;
    using Owin;
    using System;
    using Microsoft.Owin.Security.Cookies;
    using System.Configuration;
    using System.Collections.Specialized;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.Owin.Security;

    [assembly: OwinStartupAttribute(typeof(WebApplication.Startup))]
    namespace WebApplication
    {
        public partial class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

                app.UseCookieAuthentication(new CookieAuthenticationOptions { });
                app.UseOpenIdConnectAuthentication(
                    new OpenIdConnectAuthenticationOptions
                    {
                        ClientId = "{clientid}",
                        Authority = "{IP authority}",
                        ResponseType = OpenIdConnectResponseType.CodeIdTokenToken,
                        Scope = OpenIdConnectScope.OpenIdProfile + " " + OpenIdConnectScope.Email,
                    });
            }
        }
    }

  6. Modify HomeController.cs

    using System.Web.Mvc;

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        public ActionResult About()
        {
            ViewBag.Message = "Your application description page.";

            // Added this line ****************
            Session["Value"] = "Test Value";

            return View();
        }

        // Added this line ****
        [Authorize]
        public ActionResult Contact()
        {
            ViewBag.Message = "Your contact page.";

            return View();
        }
    }

To exhibit the problem, follow these steps:

  1. Run the web app and go to the Contact page. You will either already be Authenticated or you will need to sign in.
  2. Open another browser or a private/incognito page so you get a new session and open the site. Go to the Contact page. You will need to sign in again.

You can see the authentication works for both sessions.

  1. Close the second browser/private/incognito window.
  2. Return to the first browser and go to the About page. This is the page with the Session[] assignment.
  3. Open a new browser/private/incognito window. Return to the Contact page on the site. You will be asked to authenticate again.

After you authenticate, the browser will begin a redirect loop between the site and your IP authentication.

It doesn't matter if the [Authorize] attribute is on the controller or the action. It doesn't matter if there is a client secret assigned in the OpenIdConnect options. I added a Session[] variable to the other app that is working and it started having the same issue.

Other than removing all Session[] variables, is there something I can do to stop this behavior?

I know this is a long post. Thanks for reading to the end and thank you for any help.

J. Chaney

1 Answer

A co-worker found this post.

ASP.NET_SessionId + OWIN Cookies do not send to browser

There are a few answers about alternate cookies managers. The post from Anders Abel is working in my test app. I'm going to explore a few more of the answers there.

J. Chaney
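As an added example (not code from the question or from the linked post), this is the repro's Startup.cs with one of the alternate cookie managers wired in: SystemWebCookieManager from Microsoft.Owin.Host.SystemWeb, which makes both OWIN middlewares write their cookies through System.Web's response cookie collection instead of Katana's own, so the auth ticket and the nonce cookie survive a request that also touches Session[]. The answer does not say which manager the author ended up using; the {clientid} and {IP authority} placeholders are the question's own.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(WebApplication.Startup))]
namespace WebApplication
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Both middlewares emit cookies: the cookie middleware writes the
            // authentication ticket, the OIDC middleware writes the nonce cookie
            // that the response must echo back. Setting CookieManager on both
            // routes those writes through System.Web's cookie collection, so a
            // Session[] assignment in the same request no longer discards them.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieManager = new SystemWebCookieManager()
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = "{clientid}",
                Authority = "{IP authority}",
                ResponseType = OpenIdConnectResponseType.CodeIdTokenToken,
                Scope = OpenIdConnectScope.OpenIdProfile + " " + OpenIdConnectScope.Email,
                CookieManager = new SystemWebCookieManager()
            });
        }
    }
}
```

If only the cookie middleware is given the manager, the ticket is kept but the nonce cookie can still be lost, and the redirect loop returns on the next sign-in.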