Owin WSFederation Not Triggering

Apr 20, 2016 at 10:04 AM
I have a problem where I can no longer authenticate on a site whilst testing new updates. I use the code
HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = redirectUri }, WsFederationAuthenticationDefaults.AuthenticationType);

to trigger the redirect and this has always worked in the past. Now instead of trying to redirect to the remote server it's redirecting to localhost/account/login and thus returning a 404 as this doesn't exist.

I've searched high and low and can't find any reference to account/login in the entire project.

I can confirm that break points in ConfigureAuth are hit and the code is shown below.

Has anyone seen this issue before and can point me in the right direction?

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(
        new CookieAuthenticationOptions
        {
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
        });

    var issuerSigningCertificate = CertificateHelper.GetCertificate(
        ConfigurationManager.AppSettings["IssuerSigningCertificate"],
        ConfigurationManager.AppSettings["IssuerSigningCertificateSerialNumber"],
        ConfigurationManager.AppSettings["IssuerSigningCertificateThumbprint"]);

    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Configuration = new Microsoft.IdentityModel.Protocols.WsFederationConfiguration()
            {
                TokenEndpoint = "https://myexternalSTS/auth/clientid/wsfed",
            },
            Wtrealm = "http://apprealm",
            Wreply = "https://localhost:44303",

            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
            {
                ValidAudience = "http://apprealm",
                ValidIssuer = "external sts",
                IssuerSigningKeys = new List<SecurityKey>
                {
                    new X509SecurityKey(issuerSigningCertificate)
                }
            }
        });
}
Coordinator
Apr 20, 2016 at 11:12 AM
Common mistake. You've set both middleware to the same auth type so your challenge is now triggering cookies by mistake. Remove the auth type from cookies, and change your default sign in to use cookies instead. Then you'll only trigger wsfed and it will in turn use cookies for storage.
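The two configurations contrasted in the reply above, as an added example that is not code from this thread: in ConfigureBroken both middleware register the same AuthenticationType, so a Challenge addressed to the WS-Federation type is also claimed by the cookie middleware, which turns the 401 into a 302 to its LoginPath instead of letting WS-Federation issue the wsignin1.0 redirect; ConfigureFixed gives each middleware its own type and routes the WS-Federation sign-in through the cookie middleware. The namespace, the LoginPath value, the metadata address and the realm are assumptions, not values from the thread.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(Example.Startup))]

namespace Example
{
    public class Startup
    {
        public void Configuration(IAppBuilder app) { ConfigureFixed(app); }

        // BROKEN: cookie and WS-Fed middleware share one AuthenticationType, so a
        // Challenge for that type is answered by the cookie middleware as a
        // redirect to LoginPath (assumed value below) rather than to the STS.
        public static void ConfigureBroken(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login") // assumed
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                MetadataAddress = "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml", // placeholder
                Wtrealm = "http://apprealm" // placeholder realm
            });
        }

        // FIXED: distinct types; only WS-Fed handles its challenge, and the
        // validated identity is persisted by signing in as the cookie type.
        public static void ConfigureFixed(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login") // assumed
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                MetadataAddress = "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml", // placeholder
                Wtrealm = "http://apprealm" // placeholder realm
            });
        }
    }
}
```

The Challenge call from the first post, followed by a 401 response from the action, is what either middleware converts into its redirect; with the fixed configuration only the WS-Federation middleware matches the requested type.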
Apr 20, 2016 at 2:31 PM
Edited Apr 20, 2016 at 2:42 PM
Thanks Tratcher. I still seem to be getting the same issue.
I've changed to
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
With my CookieAuthenticationOptions auth type removed and set to
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
and my WsFederationAuthenticationOptions auth type removed and set to
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
I even tried changing the cookieauthentication login path to "/test/somewhere" just to confirm Cookie Authentication was firing but it's still redirecting to /account/login.

I've also set a break point on the following return in WSFed middleware notifications but this never gets hit.
Notifications = new WsFederationAuthenticationNotifications
{
    RedirectToIdentityProvider = context =>
    {
        return Task.FromResult(0);
    },
},
Coordinator
Apr 20, 2016 at 2:44 PM
Those changes look right. It sounds like your changes aren't being deployed. When in doubt, throw an Exception to make sure.
Apr 20, 2016 at 3:18 PM
Yes I was thinking along those lines as well but I managed to throw an exception at both the line before and after app.UseWsFederationAuthentication

I've cleaned and double cleaned the solution. Some of the Owin packages had been updated but I've just reverted back to the old versions and am still getting the same redirect to /account/login. I've also noted that the return url parameter in the redirect address line is to /account/signin (The method where the challenge is started) and not the redirect uri that is passed into the challenge.
Apr 21, 2016 at 5:28 PM
Ok.... So it's taken 2 days but I've finally found the problem which I hope may help someone in the future.

tl;dr The NuGet package Microsoft.AspNet.Webpages.WebData appears to break Owin, and by break I mean reset everything to default values.

To recreate add a new MVC5 project with No Authentication.
Add the following NuGet packages:
Microsoft.Owin.Security.WsFederation
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Host.SystemWeb
Add Owin startup Class
using Microsoft.Owin;
using Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.WsFederation;
using Microsoft.Owin.Security.Cookies;
[assembly: OwinStartup(typeof(WebApplication2.Startup))]

namespace WebApplication2
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(
                new CookieAuthenticationOptions
                {
                });

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Configuration = new Microsoft.IdentityModel.Protocols.WsFederationConfiguration()
                    {
                        TokenEndpoint = "http://test.localhost/auth/wsfed"
                    }
                });
        }
    }
}
Place an [Authorize] Attribute on one of the Home controllers methods and run the project. When navigating to the protected Method you should get redirected to
http://test.localhost/auth/wsfed?wctx=WsFedOwinState%3d9bcDxhkvHNOs347B_Qs2o_5kbHyGyssZ3Rqhe9Y693qx2vbibyWbHPDo8gA4pdM6KuMREb68xJWGHPgtZhT6y6QUv6FVuHsJJr3SPxOJVlif9W0wQo98Foegxz7gdsLXZnKeVoQkCqv0fYdOtOId1A&wa=wsignin1.0

Now install the following packages (I got an error if I didn't install Webhelpers although it shouldn't be required)
Microsoft.AspNet.Webhelpers
Microsoft.AspNet.WebPages.Data
Now browse to the same Authorized location and you should be redirected to
http://localhost:11980/Account/Login?ReturnUrl=%2fHome%2fContact ......

Installing and Uninstalling Microsoft.AspNet.WebPages.WebData should break and fix the redirect.
I haven't looked through the source to figure out the error but I presume it's introducing a second instance of Owin?