Microsoft.Owin.Security.Facebook failed to get email info.

UseFacebookAuthentication() supports option includling email scope: var opt = new Microsoft.Owin.Security.Facebook.FacebookAuthenticationOptions() { AppId = System.Confi...

Id #467 | Release: None | Updated: Mon at 5:22 PM by Tratcher | Created: Sun at 4:02 AM by darkthread

OAuthBearerAuthenticationHandler Validates Token Expiry After JwtSecurityTokenHandler

JwtSecuritTokenHandler has a ValidateToken(...) method which performs all of the core token validation - signature, issuer, replay detection, lifetime, audience. If validation fails you get an exce...

Id #466 | Release: None | Updated: Aug 7 at 9:14 PM by philco | Created: Aug 7 at 9:12 PM by philco

Katana TraceListener may cause doubled log messages in client code

The misbehavior (and some workarounds) has been discussed on Stackoverflow already: A TraceListener, that was regis...

Id #465 | Release: None | Updated: Jul 13 at 1:35 PM by ML8448 | Created: Jul 13 at 1:35 PM by ML8448

Account for breaking changes in TokenValidationParameters v5

(Moved from This was originally posted on Github at

Id #464 | Release: None | Updated: Aug 23 at 3:32 PM by MattOl | Created: Jul 6 at 7:25 PM by Tratcher

What is max expiry for two factor code in UseTwoFactorSignInCookie?

I'm trying to find out what is the max value for a two factor authentication code expiry in a cookie from ASP.NET Identity 2.1, and if I can set it higher than 5 minutes. I have tried setting the...

Id #463 | Release: None | Updated: Jul 18 at 12:03 PM by chriscollins442 | Created: Jul 6 at 3:21 PM by chriscollins442

URI component encoding issue in query path

Hello! There is a bug in how Katana handles encoding when building a Uri in OwinRequest. The resource path delimiters "(" and ")" are encoded which violates RFC 3986. Please see section 3.3. This...

Id #462 | Release: None | Updated: Jun 28 at 6:37 AM by jstachowiak | Created: Jun 26 at 10:59 PM by jstachowiak

Security stamp is not updated in the database by UserManager

Hi, I have written the following code to update the user's security stamp value to the database after signout. But It is not updated in the database and see the old value. Did I miss anything o...

Id #461 | Release: None | Updated: Jun 24 at 6:46 PM by Tratcher | Created: Jun 22 at 9:20 AM by dpmragu

SystemClock implementation is not monotonic

The current SystemClock implementation has an observable discrepancy where a later call to SystemClock.UtcNow produces an earlier timestamp. The current implementation: // the clock measures whole...

Id #460 | Release: None | Updated: Jun 9 at 9:54 PM by Tratcher | Created: Jun 8 at 10:35 AM by BachratyGergely

StaticFiles: max file size on range request

In the Microsoft.Owin.StaticFiles library, there is a bug that causes it to not respect range request headers for files larger than ~2GB. See RangeHelpers::TryParseLong method. It's supposed to b...

Id #459 | Release: None | Updated: Jun 2 at 6:39 PM by Tratcher | Created: Jun 2 at 2:55 PM by brazen

The state field is missing or invalid. ?

I've enabled Owin logging in 3.0.1 for our MVC website. However noticed this is turning up in the log for every user? WARN Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMi...

Id #458 | Release: None | Updated: May 9 at 6:15 AM by micatiosoftware | Created: May 8 at 11:06 PM by micatiosoftware