
I have 2 ASP.NET Core Web APIs under one subdomain, and I'm going to add cookie authentication to one of them based on the first API, but it isn't working. It can't parse cookies from the other one. I read some articles about this point, but they didn't help. Two of them:

  1. Sharing Cookies Between Two ASP.NET Core Applications
  2. https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-6.0

Info about APIs

  1. Using .NET 6, cookie authentication with ASP.NET Core Identity; authentication works fine

    builder.Services.AddIdentity<User.Repository.Entities.User, IdentityRole>(options =>
    {
        options.Password.RequireDigit = false;
        options.SignIn.RequireConfirmedEmail = true;
    })
    .AddEntityFrameworkStores<UserDbContext>()
    .AddDefaultTokenProviders();
    
    builder.Services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.Name = "Custom.Identity";
        options.Cookie.Domain = "custom.com";
        options.Events.OnValidatePrincipal = context =>
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });
    builder.Services.AddDataProtection()
                    .PersistKeysToFileSystem(new DirectoryInfo("c:\\security-keys"))
                    .SetApplicationName("SharedCookieApp");
    
    builder.Services
        .AddAuthentication();
    
  2. Using ASP.NET Core 3; I used JWT token auth before. I want to add cookie auth there without ASP.NET Core Identity. Authentication always fails with cookies from the first API

        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo("c:\\security-keys"))
            .SetApplicationName("SharedCookieApp");
    
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = "Custom.Identity";
            options.Cookie.Domain = "custom.com";

            options.Events.OnValidatePrincipal = context =>
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            };
        });
    

P.S. Records from the failed API's logs.

    Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7]
          Cookies was not authenticated. Failure message: Unprotect ticket failed

Does anybody know the possible reason for the auth failing?

  • Why are you using cookies with a _Web API_? Cookies are only really used within user-facing web-browsers, whereas _Web API_ services are consumed mostly by client-libraries that tend to use signed-requests or bearer-tokens. – Dai Mar 24 '22 at 16:02
  • For simply implementing Single Sign-On for 2 APIs. Cookies can be shared between 2 subdomains, but tokens can't – StanislavK Mar 24 '22 at 16:06
  • You are mistaken: The current state-of-the-art for Single Sign On using OIDC does not use shared-cookies: it uses [many different grants and flows depending on the client and use-case](https://developer.okta.com/docs/concepts/oauth-openid/#oauth-2-0). Also, cookies sharing `domain=` parameters are _not_ always shared between origins and this decades-old "feature" ([more of a security liability](https://security.stackexchange.com/q/33851/69237)) will likely be removed in upcoming browser-releases. Finally, "tokens can't be shared between 2 subdomains" is utter nonsense. – Dai Mar 24 '22 at 16:41
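Added example, not part of the question or of any answer on this page: a Startup class for the second (ASP.NET Core 3.1) API that registers its cookie handler under the scheme name ASP.NET Core Identity uses, which is the one detail the two configurations above differ in. Identity issues its application cookie under the scheme `Identity.Application` (`IdentityConstants.ApplicationScheme`), while the second API registers its handler as `Cookies` (`CookieAuthenticationDefaults.AuthenticationScheme`). The cookie handler builds its ticket protector with the scheme name as one of the data-protection purposes, so a shared key ring, shared application name and shared cookie name are not enough when the scheme names differ: the protector derived in the second app is a different protector, and unprotect fails with exactly the logged message. The domain, key directory and application name are taken from the question; the `OnRedirectToLogin` handler and the `RejectPrincipal` check are illustrative additions of my own, not something the question asks for.

```csharp
// Added example (not from the question): Startup for the second API (ASP.NET Core 3.1),
// configured so that it can unprotect the cookie issued by the .NET 6 Identity app.
// Assumptions: both apps are served under custom.com, share the directory
// c:\security-keys, and the first app keeps SetApplicationName("SharedCookieApp").
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Must equal the scheme of the issuing app. ASP.NET Core Identity issues its cookie
    // under IdentityConstants.ApplicationScheme, i.e. "Identity.Application", and the
    // cookie handler derives its ticket protector from the scheme name, so a handler
    // registered as "Cookies" cannot unprotect an "Identity.Application" ticket.
    private const string SharedScheme = "Identity.Application";

    public void ConfigureServices(IServiceCollection services)
    {
        // Same key ring and same application name as the issuing app: both feed the
        // key derivation, so a difference in either also yields "Unprotect ticket failed".
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(@"c:\security-keys"))
            .SetApplicationName("SharedCookieApp");
        // Keys persisted to the filesystem are stored unencrypted unless you also call
        // .ProtectKeysWithDpapi() (Windows) or .ProtectKeysWithCertificate(...).

        services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = SharedScheme;
                options.DefaultChallengeScheme = SharedScheme;
            })
            .AddCookie(SharedScheme, options =>
            {
                // Name, domain and path must match the issuing app so that the browser
                // sends the same cookie to both hosts.
                options.Cookie.Name = "Custom.Identity";
                options.Cookie.Domain = "custom.com";
                options.Cookie.Path = "/";

                // An API should answer 401 instead of redirecting to a login page
                // (illustrative addition).
                options.Events.OnRedirectToLogin = context =>
                {
                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    return Task.CompletedTask;
                };

                // OnValidatePrincipal runs on every request that carries a valid ticket.
                // To reject one, call RejectPrincipal(); writing a 401 status code here
                // unconditionally would mark every authenticated request as failed
                // (illustrative addition).
                options.Events.OnValidatePrincipal = context =>
                {
                    if (context.Principal?.Identity?.IsAuthenticated != true)
                    {
                        context.RejectPrincipal();
                    }
                    return Task.CompletedTask;
                };
            });

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Authentication must run before authorization and before endpoint execution.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

The Identity side needs no change for this: `ConfigureApplicationCookie` already configures the `Identity.Application` scheme, which is why the question's first app authenticates its own cookie. Two checks worth making when the log still says "Unprotect ticket failed": confirm both processes can read the same `key-*.xml` files in `c:\security-keys` (a key ring that only one app can write to leads to each app generating its own key), and confirm that the cookie arriving at the second host is byte-for-byte the one the first host set, since a cookie scoped to `custom.com` is only sent to hosts under that domain.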

0 Answers