
Triggers to call AuthorizationCodeReceived?

Nov 16, 2014 at 4:14 AM
I wrote code that uses code flow with some OIDC providers.
I could obtain the authZ code from the OP, but the OWIN middleware could not detect the code.

I tried the following.
A) connect AAD with default configuration, it works!!
  1. set client_id and authority
  2. sign-in to AAD
  3. AAD POSTs my application 'code', 'id_token', 'state', 'session_state'
  4. OWIN detects in this order.
    1. SecurityTokenReceived
    2. SecurityTokenValidated
    3. AuthorizationCodeReceived
B) connect AAD with response_type='code', it didn't work.
  1. set client_id and authority and response_type(code)
  2. sign-in to AAD
  3. AAD POSTs my application 'code', 'state', 'session_state'
  4. OWIN did not detect code receiving.
C) connect Google Account with response_mode='hash' and custom endpoint to receive/proxy callback from Google to OWIN
  1. set client_id and authority and response_mode(hash / in RedirectToIdentityProvider)
  2. sign-in to Google
  3. Google redirects to my application with 'code', 'id_token', 'state', 'session_state' in hash.
  4. my custom endpoint POSTs OWIN these parameters.
  5. OWIN did not detect id_token/code receiving.
D) connect Google Account with response_mode='hash' and custom endpoint to receive/proxy callback from Google to OWIN
  1. set client_id and authority and response_type(code) and response_mode(hash / in RedirectToIdentityProvider)
  2. sign-in to Google
  3. Google redirects to my application with 'code', 'state', 'session_state' in hash.
  4. my custom endpoint POSTs OWIN these parameters.
  5. OWIN did not detect id_token/code receiving.
Using an HTTP tracing tool, it seems there is no difference in the HTTP messages in A and C, but A works and C does not work.
Are there any other conditions to call 'AuthorizationCodeReceived'?

Regards,
Naohiro Fujie
Coordinator
Nov 16, 2014 at 4:21 AM
response_type='code' is not currently supported, only 'id_token' or 'code' & 'id_token'.

Google is also not currently supported because they send the response back as a query string instead of a form body.
Nov 16, 2014 at 4:53 AM
Hi Tratcher,

Thank you for replying.

Of course I know that response_type='code' is not supported so far. So in cases A and C I used OWIN's default value 'code id_token' and got different results with AAD and Google.
Also I know that response_mode='form_post' is not supported by Google, and as an alternative to that I created a custom view that receives code/id_token etc. from the hash/query and re-POSTs it to the OWIN endpoint.
I believe that the OWIN OpenID Connect middleware is not only for AAD but for any other OpenID Connect providers, and most of the OpenID Connect providers I know so far do not support response_mode='form_post'. So I wish OWIN would support other response_modes.

Regards,
Naohiro Fujie
Coordinator
Nov 16, 2014 at 5:13 AM
Yes, we're planning to support additional modes in the future.
Nov 16, 2014 at 7:05 AM
Thank you Tratcher, I'm looking forward to additional modes support!

BTW, my first question is what triggers the notification of 'AuthorizationCodeReceived'?
It seems to occur after SecurityTokenReceived and SecurityTokenValidated, but by POSTing id_token to the application URI no notifications were called, and I wonder whether there are some conditions other than POSTing data, such as referers and so on.

Regards,
Naohiro Fujie
Coordinator
Nov 17, 2014 at 5:04 PM
It is fired if the token is valid and if the message includes a Code field. See the last section of AuthenticateCoreAsync in:
http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs
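
A diagnostic Startup that traces every notification, so the stage at which a callback stops is visible in the trace output. This is an added example, not code from this thread or from the Katana project; the ClientId and Authority values are placeholders, and the `Log` helper is hypothetical. It records only whether each field is present, since `code` and `id_token` are credentials and should not be written to logs.

```csharp
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Hypothetical helper: writes the stage name and a short detail to the trace output.
    private static Task Log(string stage, string detail)
    {
        Trace.WriteLine("[OIDC] " + stage + ": " + detail);
        return Task.FromResult(0);
    }

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "YOUR-CLIENT-ID",                      // placeholder
            Authority = "https://login.example.test/tenant",  // placeholder
            ResponseType = "code id_token",                   // the combination used in cases A and C
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Raised when the middleware has parsed a protocol message from the request.
                MessageReceived = n => Log("MessageReceived",
                    "code=" + !string.IsNullOrEmpty(n.ProtocolMessage.Code) +
                    " id_token=" + !string.IsNullOrEmpty(n.ProtocolMessage.IdToken) +
                    " state=" + !string.IsNullOrEmpty(n.ProtocolMessage.State)),
                SecurityTokenReceived = n => Log("SecurityTokenReceived", "id_token present"),
                SecurityTokenValidated = n => Log("SecurityTokenValidated", "ticket created"),
                // Raised only after the token validated and the message carried a code.
                AuthorizationCodeReceived = n => Log("AuthorizationCodeReceived",
                    "code present=" + !string.IsNullOrEmpty(n.Code)),
                // Raised when processing the message throws (for example, token validation errors).
                AuthenticationFailed = n => Log("AuthenticationFailed",
                    n.Exception.GetType().Name + ": " + n.Exception.Message)
            }
        });
    }
}
```

If no `MessageReceived` line appears for a callback, the middleware did not treat the request as a protocol message at all; if `AuthenticationFailed` appears, its exception type shows which validation step rejected the message.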
Nov 18, 2014 at 10:14 PM
Thank you, Tratcher.
I'll try to find the differences between Google's and AAD's protocol messages.