This project has moved and is read-only. For the latest updates, please go here.

MVC application does not trigger my middleware for signout: AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie,

Dec 31, 2014 at 10:54 AM

I have set up next in my Middleware where DefaultAuthenticationTypes.ExternalCookie is used:
      if (string.IsNullOrWhiteSpace(Options.SignInAsAuthenticationType))
                Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
However, on next request:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie);
My middleware is not invoked by
 protected override async Task ApplyResponseGrantAsync()
            AuthenticationResponseRevoke signout = Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);
            if (signout != null)
What am I doing wrong here?

Dec 31, 2014 at 2:10 PM
Sharing your Startup config would help.
Dec 31, 2014 at 4:49 PM
It is the default one. Microsoft and Facebook are working.
    public partial class Startup
        // For more information on configuring authentication, please visit
        public void ConfigureAuth(IAppBuilder app)
            // Configure the db context, user manager and signin manager to use a single instance per request

            // Enable the application to use a cookie to store information for the signed in user
            // and to use a cookie to temporarily store information about a user logging in with a third party login provider
            // Configure the sign in cookie
            app.UseCookieAuthentication(new CookieAuthenticationOptions
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.  
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                CookieSecure = CookieSecureOption.Always
                //Force SSL cookie usage

            // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
            app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

            // Enables the application to remember the second login verification factor such as phone or email.
            // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
            // This is similar to the RememberMe option when you log in.
Jan 1, 2015 at 5:26 PM
Hmm, that looks OK. The MVC app isn't calling Flush is it? There were some issues with ApplyResponseGrantAsync not being invoked soon enough if the response was Flush'd.
Jan 2, 2015 at 3:29 PM
My middleware ApplyResponseGrantAsync is called when I do next:
 var properties = new AuthenticationProperties { RedirectUri = RedirectUri };
                if (UserId != null)
                    properties.Dictionary[XsrfKey] = UserId;
                    properties.Dictionary[XsrfProviderKey] = ProviderKey;
                context.HttpContext.GetOwinContext().Authentication.SignOut(properties, LoginProvider);
I would however expect it on:
 AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie);
Jan 2, 2015 at 3:48 PM
Is your AuthenticationMode set to Active or Passive? The following are all different:
SignOut(properties, LoginProvider); - Invoke ApplyResponseGrantAsync ONLY for the LoginProvider authentication type, Active or Passive
SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie); - Invoke ApplyResponseGrantAsync ONLY for the ExternalCookie and TwoFactorCookie authentication types, Active or Passive
SignOut(); - Invoke ApplyResponseGrantAsync for ALL Active middleware.
Jan 2, 2015 at 4:06 PM
I am using Passive.
Jan 2, 2015 at 4:40 PM
Then you have to do something like: SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie, "MyAuthType");