ASP.NET with OpenIdAuthentication: redirect to url if not authorized

asp.net asp.net-identity azure-active-directory openid-connect owin-middleware
Andrew Shepherd picture Andrew Shepherd · Apr 25, 2017 · Viewed 7.2k times · Source

I am attempting to write an ASP.NET application that uses a hybrid authentication scheme. A user can either have his username and password hash stored in the UserStore, or he can authenticate via Azure Active Directory.

I have created the login form pictured. It has the standard UserName and Password inputs, but also has a "Login via Active Directory" button.

enter image description here

This works well.

Now for the problem: The application's home page has the [Authorize] attribute. 

public class DefaultController : Controller
{
    [Authorize]
    public ViewResult Index()
    { 
    // Implementation
    }
}

If the user is not logged in, I want it to redirect to the page Account/Login, allowing the user to choose the authentication method.

Once I added IAppBuilder.UseOpenIdConnectAuthentication to the pipeline setup, it no longer redirects to that page. Instead, it goes straight to the Microsoft Login page.

How do I configure it so that OpenID authentication is part of the system, but allow me to specify how to perform redirections when the user is not authenticated?

Here's the code where I set up the pipeline:

appBuilder.SetDefaultSignInAsAuthticationType(CookieAuthenticationDefaults.AuthenticationType_;
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
     AuthenticationType = DefaultAuthenticationType.ApplicationCookie,
     LoginPath = new Microsoft.Owin.PathString("/Account/Login"),
     Provider = new Security.CookieAuthenticationProvider()
};
appBuilder.UseCookieAuthentication(cookieAuthenticationOptions);
// Now the OpenId authentication
var notificationHandlers = new OpenIdConnectAuthenticationNotificationHandlers 
{
   AuthorizationCodeReceived = async(context) => {
       var jwtSecurityToken = context.JwtSecurityToken;
       // I've written a static method to convert the claims
       // to a user
       var user = await GetOrCreateUser(context.OwinContext, jwtSecurityToken.Claims);
       var signInManager = context.OwinContext.Get<SignInManager>();
       await signInManager.SignInAsync(user, true, false);
   }
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

When you click "Active Directory Signin", it posts to "Account/SignInWithOpenId"

public ActionResult SignInWithOpenId()
{
    // Send an OpenID Connect sign-in request.
    if (!Request.IsAuthenticated)
    {
        var authenticationProperties = new AuthenticationProperties
        {
            RedirectUri = "/"
        };
        HttpContext.GetOwinContext().Authentication.Challenge
        (
            authenticationProperties,
            OpenIdConnectAuthenticationDefaults.AuthenticationType
        );
        return new EmptyResult();
    }
    else
    {
        return RedirectToAction("Index", "Default");
    }
}

Answer

Andrew Shepherd picture Andrew Shepherd · Apr 26, 2017

The call to IAppBuilder.UseOpenIdConnectAuthentication(...) puts an Owin middleware component in the pipeline. When ASP.NET MVC returns an HttpResponse of 401 (Unauthorized), the Owin Middleware component detects this and changes it to an Http Redirect (code 302), and the redirection path is to the Open Id provider.

But there's a way to get around this: before the middleware component performs the redirect, it invokes the callback RedirectToIdentityProvider. From here, you can override this redirection.

Here is my code that overrides the redirection unless it is from the request path Account/SignInWithOpenId.

var notificationHandlers = new OpenIdConnectAuthenticationNotifications
{
    AuthorizationCodeReceived = async(context) => {
       // Sign in the user here
    },
    RedirectToIdentityProvider = (context) => {
        if(context.OwinContext.Request.Path.Value != "/Account/SignInWithOpenId")
        {
             context.OwinContext.Response.Redirect("/Account/Login");
             context.HandleResponse();
        }
        return Task.FromResult(0);
    }
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

Related questions

How to get the current logged in user Id in ASP.NET Core

I've done this before with MVC5 using User.Identity.GetUserId() but that doesn't seem to work here. The User.Identity doesnt have the GetUserId() method I am using Microsoft.AspNet.Identity

Read More
How to get current user, and how to use User class in MVC5?

How can I get the id of the currently logged in user in MVC 5? I tried the StackOverflow suggestions, but they seem to be not for MVC 5. Also, what is the MVC 5 best practice of assigning stuff to the users? (…

Read More
ASP.NET Identity - HttpContext has no extension method for GetOwinContext

I have downloaded, and successfully ran the ASP.NET Identity sample from here: https://github.com/rustd/AspnetIdentitySample I am now in the middle of implementing the ASP.NET Identity framework in my project and have ran into a problem, …

Read More