Add/Remove authentication provider on the fly

Jan 6, 2014 at 10:04 PM
Hi I'm wondering if its possible to add/remove authentication provider on the fly with OWIN? Seems like everything needs to be defined in the Startup.Configuration method?
Jan 7, 2014 at 6:10 PM
Correct, the application is constructed at startup, you can't add or remove components later.

What are you trying to do? Most of the time when people ask for this they really just want to show or hide the buttons. You can do that in the code that gets the list of security modules and generates the buttons.
Jan 7, 2014 at 6:42 PM
What I'm trying to achieve

We have 1 ADFS 2.0 server as STS, it'll be configured with multiple claims provider.

In our application, we'd like to be able to specify which homerealm the user will be logging into through the whr parameter. However, judging from the code in ApplyResponseChallengeAsync of FederationAuthenticationHandler

message.HomeRealm = _federationConfiguration.WsFederationConfiguration.HomeRealm;

It looks like this cannot be done on the fly, that's why we're trying to find an alternative where maybe we create multiple providers on the fly, based on where we want to direct the user.
Jan 7, 2014 at 6:50 PM
The Federation module is only an early prototype and is in the process of being re-written. I do not recommend trying to use it yet.
Jan 7, 2014 at 6:59 PM
I understand its a prototype and we don't mind testing it our or modify it. However, we're unsure how such a thing can be achieved through the current architecture as ApplyResponseChallengeAsync doesn't seem to take any external parameters.
Jan 7, 2014 at 7:05 PM
Edited Jan 7, 2014 at 7:27 PM
We've added events to the middleware as designated extension points when scenarios have required.

When Federation stabilizes again we can look at what events might be needed there. Hopefully this happens in the next month or so.
Jan 7, 2014 at 7:19 PM
I see, is there any example of this events to the middleware extension points? The url you provided seems to give 404 error.

For reference, I guess my request is very similar to
Where I'd like to be able to customize the homerealm when doing a request.
Jan 7, 2014 at 7:26 PM
Oops, sorry, that's still in a private repo. Yes, #114 is the one I'm fixing at the moment with a new event.

The Federation module already defines a few events. Look at FederationAuthenticationProvider.OnSecurityTokenReceived.
Jan 7, 2014 at 7:40 PM
Ah I see, though I'm not sure how exactly an event that customize the SignInRequestMessage would be helpful in my specific scenario. Since the event is attached at application start, but I would like to provide automatic homerealm discovery/assignment based on each individual user.
I believe some additional external information regarding the current signed in user other than the Context needs to be passed in to make this event handler capable of doing such task?
Jan 7, 2014 at 7:56 PM
Edited Jan 7, 2014 at 7:57 PM
The event context can have any relevant data for that specific event. See the FacebookAuthenticatedContext, it has lots of stuff. You can also pass in additional data by storing it in the IOwinContext. Once inside the event you can lookup whatever you need from anywhere (e.g. hit a database, etc.).
Jan 7, 2014 at 8:04 PM
I see, so to pass the data into the event, one would call
            Context.GetOwinContext().Set("homerealm", "realmId");
            Context.GetOwinContext().Authentication.Challenge(properties, provider);
To pass the necessary realm information regarding that particular user?

And just to confirm, that OwinContext is per user and thread safe, so simply calling Set should suffice?
Jan 7, 2014 at 8:46 PM
Yeah, that should work.

OwinContext is per request and your request handling should be linear so you shouldn't have thread safety issues.
Jan 7, 2014 at 10:34 PM
Thanks for pointing me to the right direction, I'll add my own event to handle this for now and migrate to release build later.
May 14, 2015 at 5:36 PM
Sorry to bring up an old thread, but seems like this is still not possible with 3.0.1 WsFederation package? (ie: changing realm dynamically)

We are using ADFS 2.0 and wondering if this is the right package to use (IE: this seems like the old Federation package migrated?)
May 14, 2015 at 9:41 PM
Never mind! After digging through the code it seems that it is as simple as implementing RedirectToIdentityProvider and setting Whr!
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
                Wtrealm = "urn:myrealm",
                MetadataAddress = "https://{sts url}/federationmetadata/2007-06/federationmetadata.xml",
                Notifications = new WsFederationAuthenticationNotifications
                    RedirectToIdentityProvider = (notice) =>
                        // customizing the homerealm
                        notice.ProtocolMessage.Whr = "homerealm";
                        return Task.FromResult<object>(null);