Intermittent redirection loops during ADFS authentication
I am using Owin to configure my ASP.NET MVC 5 (.NET 4.5, IIS 7/8) application to authenticate against a third-party ADFS setup:
app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
});
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
Wtrealm = Settings.Auth.Wtrealm,
MetadataAddress = Settings.Auth.MetadataAddress
});
I also have a custom authentication filter (used in conjunction with AuthorizeAttribute):
public class OwinAuthenticationAttribute : ActionFilterAttribute, IAuthenticationFilter
{
public void OnAuthentication(AuthenticationContext filterContext)
{
var user = filterContext.RequestContext.HttpContext.User;
var authenticated = user.Identity.IsAuthenticated;
if (!authenticated)
{
return;
}
/* Redirect to profile setup if not already complete */
}
public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
{
}
}
This works fine half of the time but sometimes, on initial login, a redirect loop will occur between the app and the ADFS login. This seems to be session-specific (does not occur for all users at once) and once the redirect loop occurs it seems to continue occurring until an application pool refresh.
When the redirect loop occurs, I can still see (in Chrome's Network tab) what looks like a valid token being issued by ADFS.
I'm having a hard time isolating the root cause but what I have found is that - when the loop does not occur, user.Identity is of type ClaimsIdentity and IsAuthenticated is true. When it does occur, IsAuthenticated is false but user.Identity is of type WindowsIdentity.
All forms of authentication in IIS - except Anonymous - are disabled. IIS Express is not in use anywhere.
What could be causing this?
Answer
Do you use session data, and or TempData? I understand is it related to cookies. I too have the same issue.
Here is some more information and a thorough explanation of the cause. The problem can be worked around by forcing Owin to use System.Web's cookie pipeline (from here):
public class SystemWebCookieManager : ICookieManager
{
public string GetRequestCookie(IOwinContext context, string key)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
var webContext = context.Get<HttpContextBase>(typeof(HttpContextBase).FullName);
var cookie = webContext.Request.Cookies[key];
return cookie == null ? null : cookie.Value;
}
public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
var webContext = context.Get<HttpContextBase>(typeof(HttpContextBase).FullName);
bool domainHasValue = !string.IsNullOrEmpty(options.Domain);
bool pathHasValue = !string.IsNullOrEmpty(options.Path);
bool expiresHasValue = options.Expires.HasValue;
var cookie = new HttpCookie(key, value);
if (domainHasValue)
{
cookie.Domain = options.Domain;
}
if (pathHasValue)
{
cookie.Path = options.Path;
}
if (expiresHasValue)
{
cookie.Expires = options.Expires.Value;
}
if (options.Secure)
{
cookie.Secure = true;
}
if (options.HttpOnly)
{
cookie.HttpOnly = true;
}
webContext.Response.AppendCookie(cookie);
}
public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
AppendResponseCookie(
context,
key,
string.Empty,
new CookieOptions
{
Path = options.Path,
Domain = options.Domain,
Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
});
}
}
And to wire it up:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ...
CookieManager = new SystemWebCookieManager()
})