Open Closed

How unauthenticated request is being handled? #5489


0
smartlayer created

I have implemented ADFS login. When I open my website directly e.g. <a class="postlink" href="https://sub.dev.com">https://sub.dev.com</a>, it redirects to login page at /Account/Login. On this page, we are clicking on ADFS login button using jQuery which redirects user to ADFS login page. Upon successful login, user is redirected back to website. This works perfectly.

I have issue when user opens website using relative URL directly, e.g. <a class="postlink" href="https://sub.dev.com/Mpa/Documents">https://sub.dev.com/Mpa/Documents</a> User is automatically redirected to ADFS login page. When user login from ADFS, it goes into redirection loop between my website and ADFS.

Looks like authentication cookie is not getting saved in website and because of this after login from ADFS, it redirects back to Mpa/Documents page and it detects the request is unauthenticated and redirects user back to ADFS. ADFS already authenticated so it redirects back Mpa/Documents and so on. Hence it fails after couple of calls and ADFS gives me error.

How is /Mpa/Documents know it is unauthenticated request? Anybody know how this can be resolved?

Results from fiddler are below-


9 Answer(s)
  • 0
    alper created
    Support Team

    sometimes a firewall or tunnel connection can prevent sending the authentication cookie. especially if you use HTTPS and your tunnel forwarding is not HTTPS it might cause these kinds of problems.

  • 0
    smartlayer created

    <cite>alper: </cite> sometimes a firewall or tunnel connection can prevent sending the authentication cookie. especially if you use HTTPS and your tunnel forwarding is not HTTPS it might cause these kinds of problems.

    Is it not supposed to happen even when we visit the URL directly? I don't think it is a firewall issue. Can you please explain how the user gets redirected to login if he is not authenticated? I tried to add breakpoints in many action method- Account/Login, Home/Index, Mpa/Index, Account/ExternalLoginCallback, Startup.cs but none gets a hit.

  • 0
    smartlayer created

    I'm sure this can be regenerated. Can you please try? I'm usingASP.NET MVC + jQuery App Version is: 5.4.0.0

  • 0
    ismcagdas created
    Support Team

    @smartlayer

    • Does user have permission to that specific page ?
    • Is that page belongs to a Tenant or Host side ?
  • 0
    smartlayer created

    @ismcagdas

    • Does user have permission to that specific page ?

    Yes, user has access to that page.

    • Is that page belongs to a Tenant or Host side ?

    Multi tenancy is turned off in our application and only single tenant is using the application. So it belongs to a Tenant.

  • 0
    smartlayer created

    Were you guys able to regenerate this issue?

  • 0
    ismcagdas created
    Support Team

    @smartlayer we couldn't reproduce this problem. Does it work if you enable multi tenancy ?

  • 0
    smartlayer created

    @ismcagdas, unfortunately it does not work with multi tenancy as well.

    Could you please try the following-

    1. Enable ADFS in web app.
    2. Decrease the ExpireTimeSpan to 1 minute in order to test it-
    int ExpireFromMin = 1;
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        SlidingExpiration = false,
        ExpireTimeSpan = TimeSpan.FromMinutes(ExpireFromMin),
        Provider = new CookieAuthenticationProvider
        {
            OnResponseSignIn = signInContext =>
            {
                signInContext.Properties.IssuedUtc = DateTime.UtcNow;
                signInContext.Properties.ExpiresUtc = DateTime.UtcNow.Add(TimeSpan.FromMinutes(ExpireFromMin));
            },
        }
    });
    

    Now after one minute of inactivity, it will redirect you to AD FS for reauthentication. But instead, you'll go in to redirection loop.

    Please let me know. This issue is becoming a pressing one.

    Thanks.

  • 0
    ismcagdas created
    Support Team

    Hi @smartlayer

    Sorry for our late response. As far as I understand, you have configured ADFS login but you are not able to login into AspNet Zero application, is that right ?

    If so, could you send us the Logs.txt file of your application ? You can send it to info@aspnetzero.com.

    Thanks,