Authentication middleware does not listen to Authenticate event

Aug 28, 2014 at 3:15 PM
I have been testing the WsFederation middleware but I cannot get it to work correctly with the "<authorization>"-element in web.config. The host is IIS and I use the Microsoft.Owin.Host.SystemWeb to hook the pipeline.

I always get a 401 Access Denied when accessing a protected path (without being logged in) instead of the redirect to the federation server. It does work if I use the "Authorize" functionality in MVC but I can't use that in this scenario.

So I started looking at the source and the WsFederation middleware never calls UseStageMarker which in my limited Owin-knowledge would mean that it runs on the PreExecuteRequestHandler-event which never gets called when using URL authorization.

So to get it to work I had to add the stage marker myself, like this (I removed some config code from the sample, just to show the flow of the method I am calling):

    app.SetDefaultSignInAsAuthenticationType(xxx);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions());
    // Had to add this hack:
    app.UseStageMarker(PipelineStage.Authenticate);

So I started looking at a few more middleware and it's only the CookieAuthentication and the OAuthBearerAuthentication that set up the stage marker correctly.

So my question: am I doing something wrong here, or is it a bug in the middleware?
Coordinator
Aug 28, 2014 at 4:00 PM
This is intentional. As you noticed the stage marker is not needed in many scenarios. It can also have negative impacts on other scenarios like session. As such we don't include it by default for most components.

If anything, we should be better about including the stage marker in our samples so you don't have to go hunting around for it. Which samples were you referencing?
Aug 29, 2014 at 7:18 AM
Ok. Is there a problem with session I should be aware of?

Just samples in general, such as your own https://katanaproject.codeplex.com/discussions/547633 and the release blog http://blogs.msdn.com/b/webdev/archive/2014/02/21/using-claims-in-your-web-app-is-easier-with-the-new-owin-security-components.aspx. Can't find any samples, FAQ, documentation etc. that says you must add the stage marker to get WsFederation to work with ordinary ASP.NET features. But as I said, I am pretty new to Owin.
Coordinator
Aug 29, 2014 at 2:20 PM
Just keep in mind that session is hooked up in a later pipeline stage, so components that run before that won't be able to access it. Session also has a bad habit of stomping on the auth cookie, but that's unrelated to stage markers.

You're one of the only people I've seen try to integrate with that particular ASP.NET feature, so I'm not surprised by the lack of samples for it. Most of our users perform the authorization in MVC.
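
Added example (not part of the thread and not the Katana project's own code): a Startup class that places the stage marker as described in the first post and adds a small probe middleware that traces which IIS pipeline event each part of the OWIN pipeline runs in, so the effect of the marker can be checked. The Probe helper, the realm and the metadata URL are assumptions for illustration, and HttpContext.Current.CurrentNotification requires the IIS integrated pipeline.

```csharp
using System.Diagnostics;
using System.Web;
using Microsoft.Owin.Extensions;              // UseStageMarker
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // Placeholder values (assumptions); replace with your own realm and STS metadata.
            Wtrealm = "https://app.example.test/",
            MetadataAddress = "https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml"
        });

        // Registered before the marker, so it is scheduled in the same stage
        // as the authentication middleware above.
        Probe(app, "auth segment");

        // Everything registered above this line runs in the IIS Authenticate
        // stage, ahead of URL authorization (the <authorization> element).
        app.UseStageMarker(PipelineStage.Authenticate);

        // Registered after the last marker, so it stays in the default (late) stage.
        Probe(app, "default segment");
    }

    // Hypothetical helper: writes the current IIS integrated-pipeline event
    // to the trace listeners for every request that reaches this middleware.
    private static void Probe(IAppBuilder app, string label)
    {
        app.Use((context, next) =>
        {
            Trace.WriteLine(label + ": " + context.Request.Path +
                            " at " + HttpContext.Current.CurrentNotification);
            return next.Invoke();
        });
    }
}
```

Requesting a protected path anonymously with and without the UseStageMarker line, then comparing the trace output, shows whether the authentication middleware ran before URL authorization rejected the request.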