AuthorizationCodeReceived event won't get called, if RedirectUrl has no final slash!?


Hi there,

I've created a sample MVC OWIN Client using an OpenId Server for authentication. The initial setup is quite simple:
public void Configuration(IAppBuilder app)
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

    app.UseCookieAuthentication(new CookieAuthenticationOptions
        AuthenticationType = "Cookies"

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        ClientId = "myClient",
        Authority = "http://localhost/myOpenIdServer",
        RedirectUri = "http://localhost/MvcOwinHybridClient",
        PostLogoutRedirectUri = "http://localhost/MvcOwinHybridClient",
        ResponseType = "code id_token token",
        Scope = "openid email profile",
        SignInAsAuthenticationType = "Cookies",

        Notifications = new OpenIdConnectAuthenticationNotifications
            AuthorizationCodeReceived = async notif =>
                // Code for retrieving user claims and setting the cookie.
During our first implementation steps we've used IIS Express. Locally (with IIS Express) when we are logged in, the AuthorizationCodeReceived event gets fired as expected. Everything worked quite fine, until we tried to test the stuff on our servers with real IIS applications. The result was rather strange: Although the login is shown and the Open ID server seems to authenticate successfully. However after the redirect to the client, the user is not authenticated.

I was able to reproduce the exact same behaviour on my machine using the Local IIS. Actually the user is authenticated correctly on server side, but the event AuthorizationCodeReceived is not called. Besides no error occurs neither on the client nor on the server.

It took me quite some time to figure out the problem, because all we changed was
  • use real IIS applications
  • switch off SSL (we are behind a load balancer which takes care of SSL)
  • adjust the URLs
It turned out, the problem was cased by the missing slash at the end of the RedirectUri:
RedirectUri = http://localhost/MvcOwinHybridClient/: working
RedirectUri = http://localhost/MvcOwinHybridClient: not working

Please note with IIS Express it doesn't matter at all if the slash is present or not, both scenarios work there!?

Although I can work now with this solution, I'm extremely curious and I hope someone can explain this behaviour (and maybe open a bug if necessary).

Thanks for your help,
Closed Mar 2 at 9:47 PM by mgirgin


Tratcher wrote Sep 10, 2015 at 2:49 PM

mzagel wrote Sep 11, 2015 at 12:59 PM

Thanks for the hint. So I will open an issue there...