Azure OpenID Connect via OWIN Middleware resulting in Infinite Redirect Loop

Question

I have setup OpenID Connect authentication in my ASP.NET MVC application using OWIN Middleware.

As this Fiddler output shows, once successfully logging in via Azure OpenID Connect, the browser continually loops back and forth between my site.azurewebsites.net and login.windows.net.

I have ensured following keys are correctly matching Azure AD information

<add key="ida:AADInstance" value="https://login.windows.net/{0}" />
<add key="ida:Tenant" value="******.onmicrosoft.com" />
<add key="ida:ClientId" value="*******" />
<add key="ida:PostLogoutRedirectUri" value="*********" />

And my Start.cs code is as follows

 private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    private string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

    IAuthorizationService authorizationService = new AuthorizationService();

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {

            ExpireTimeSpan =TimeSpan.FromMinutes(15)
        });

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri}
            });
    }
}

Not sure what is causing this to constantly redirect. I have placed an [Authorize] attribute on the MVC Controller where Post Authentication Redirect Url goes.

Answer 1

I ran into this issue last night in an ASP.NET Framework 4.5.1 MVC app. There were two issues for me.

1. Trying to access the site using HTTP instead of HTTPS

   • I have localhost, dev, and test (and prod of course) environments running under HTTPS so I didn't have to worry about handling HTTP locally. I have HSTS running everywhere and that solved this problem. See Best way in asp.net to force https for an entire site? for additional info.

2. Cookie overwriting as described here https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues

   • What worked for me was the Reconfigure the CookieAuthenticationMiddleware to write directly to System.Web's cookie collection fix combined with Katana 3.1.0 has several implementations of ICookieManager available. Older versions can use the following fix.

I was a "I tried everything but nothing works" dev until I found that fix. Hopefully that works for you too.

Answer 2

what is happening here is related to what JuneT noticed. This is related to the default on CookieAuthenticationOptions.CookieSecure == CookieSecureOption.SameAsRequest. Since you started at http, the final redirect is to http. The request that created the 'authcookie' was https from AAD.

I was able to get this working by setting CookieSecure == CookieSecureOption.Always. This means that cookie could leak along with your auth.

Is there must be a way to ensure that pages that auth only will accept connections on https.

Answer 3

To resolve this issue: you can upgrade your application to use ASP.NET Core. If you must continually stay on ASP.NET, perform the following: Update your application’s Microsoft.Owin.Host.SystemWeb package be at least version. Modify your code to use one of the new cookie manager classes, for example something like the following:

app.UseCookieAuthentication(new CookieAuthenticationOptions 
{ 
    AuthenticationType = "Cookies", 
    CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager() 
});

Reference Link