Navigation issues with External Login Providers

Nov 26, 2014 at 8:46 AM

I ran into a problem with the AuthenticationMiddleware and the Correlation Cookies, which is not related to #197, but involves the user navigating back in the External Login Process. My case looks as follows:
  1. User navigates to External Login and is redirected to the AuthorizationServer, beforehand creating a State Value and a Correlation Cookie
  2. User authenticates with the Service and is redirected to the signin Uri
  3. The AuthenticationMiddleware verifies the State and the Correlation Cookie, deleting the Cookie afterwards and creating an AuthenticationTicket, which is passed to the CookieAuthenticationMiddleware
  4. A redirect to the Callback is made, from where on the User is authenticated
  5. User navigates back, sending him to the AuthorizationServer, where a new code is generated and a redirect to the signin is made as in Step 2
  6. Now the AuthenticationMiddleware fails to verify the State and Correlation Cookie, because the latter is missing
Any ideas on how to solve this issue?
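The six steps above, as an added Python simulation (not code from the Katana middleware or from the poster): the cookie name, the `challenge` / `handle_signin` function names and the in-memory `Browser` cookie jar are assumptions for illustration. It shows why step 6 fails: the correlation cookie is consumed on the first signin, so the repeated callback produced by navigating back is indistinguishable from a replay.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed cookie name, chosen for illustration only.
COOKIE_NAME = ".Correlation.External"


@dataclass
class Browser:
    """Minimal cookie jar standing in for the user's browser (constructed for this example)."""
    cookies: dict = field(default_factory=dict)


def challenge(browser: Browser) -> str:
    """Step 1: mint a random state and keep a copy in a correlation cookie.

    Returns the state value that would be placed in the redirect to the
    authorization server (and therefore in the browser's history)."""
    state = secrets.token_urlsafe(32)
    browser.cookies[COOKIE_NAME] = state
    return state


def handle_signin(browser: Browser, returned_state: str) -> bool:
    """Step 3: compare the state echoed back by the provider with the cookie,
    then delete the cookie so the callback can be accepted only once."""
    expected = browser.cookies.pop(COOKIE_NAME, None)  # single use: always remove
    if expected is None:
        return False  # step 6: cookie already consumed -> treated as a replay
    return hmac.compare_digest(expected, returned_state)


def walk_through_flow() -> dict:
    """Run the flow from the post and return the verdict of each callback."""
    browser = Browser()
    state = challenge(browser)                       # steps 1-2
    first = handle_signin(browser, state)            # steps 3-4: accepted
    replay = handle_signin(browser, state)           # steps 5-6: same state, no cookie
    browser2 = Browser()
    challenge(browser2)
    tampered = handle_signin(browser2, "forged-state")  # fresh cookie, wrong state
    return {"first": first, "back_navigation": replay, "tampered": tampered}
```

Only the first callback is accepted; both the back-navigation repeat and a callback carrying a state that does not match the cookie are rejected.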
Nov 26, 2014 at 1:42 PM
Navigating backwards through the login flow doesn't work on most websites...

I'd say this is by design, you're mimicking a replay attack. There's no way for the application to tell the difference.