I've created a sample MVC OWIN Client using an OpenId Server for authentication. The initial setup is quite simple:
public void Configuration(IAppBuilder app)
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
AuthenticationType = "Cookies"
ClientId = "myClient",
Authority = "http://localhost/myOpenIdServer",
RedirectUri = "http://localhost/MvcOwinHybridClient",
PostLogoutRedirectUri = "http://localhost/MvcOwinHybridClient",
ResponseType = "code id_token token",
Scope = "openid email profile",
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
AuthorizationCodeReceived = async notif =>
// Code for retrieving user claims and setting the cookie.
During our first implementation steps we've used IIS Express. Locally (with IIS Express) when we are logged in, the AuthorizationCodeReceived event gets fired as expected. Everything worked quite fine, until we tried to test the stuff on our servers with real
IIS applications. The result was rather strange: Although the login is shown and the Open ID server seems to authenticate successfully. However after the redirect to the client, the user is not authenticated.
I was able to reproduce the exact same behaviour on my machine using the Local IIS. Actually the user is authenticated correctly on server side, but the event AuthorizationCodeReceived is not called. Besides no error occurs neither on the client nor on the
It took me quite some time to figure out the problem, because all we changed was
- use real IIS applications
- switch off SSL (we are behind a load balancer which takes care of SSL)
- adjust the URLs
It turned out, the problem was cased by the missing slash at the end of the RedirectUri:
: not working
Please note with IIS Express it doesn't matter at all if the slash is present or not, both scenarios work there!?
Although I can work now with this solution, I'm extremely curious and I hope someone can explain this behaviour (and maybe open a bug if necessary).
Thanks for your help,