OWIN Authentication with IIS Basic Authentication

I created a new ASP.NET MVC 5 application with default access control provided by Visual Studio 2013 and Owin Middleware.

I enabled basic authentication on IIS (disabling all the other authentication methods) to protect the site from people that don't have the user/password that I created on Windows. It results in a "redirect loop" in the browser.

Any ideas why? How can I protect a web site without changing the code?

Fabio asked Jul 23 '14 20:07


People also ask

Does OWIN use IIS?

OWIN sits between IIS and your application so that you can switch out IIS without rewriting your application.

How do I enable Basic Authentication in IIS?

In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services. On the Select Role Services page of the Add Role Services Wizard, select Basic Authentication, and then click Next. On the Confirm Installation Selections page, click Install. On the Results page, click Close.

Is IIS Basic Authentication secure?

Basic authentication is simple and convenient, but it is not secure. It should only be used to prevent unintentional access from nonmalicious parties or used in combination with an encryption technology such as SSL.


1 Answer

By default in file Startup.Auth.cs, there will be something like this:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Main/Account/Login"),
        CookieName = "OwinAuthCookie",
    });

When you enable Basic Authentication in IIS, here is what happens:

  1. The IIS Basic Authentication module sees that there is no Authorization header, so it returns an HTTP 401 response.
  2. The response is not returned immediately, but is processed by Owin.
  3. Owin sees the request got a 401 (Unauthorized) response, so it redirects to the configured LoginPath.
  4. Your browser processes the redirect, tries to open the new URL and we are back to point 1. And there's the loop.

What you can do is comment out the LoginPath property in the above code. This should stop the redirect loop, but it can also (though it does not have to, depending on your implementation) break authentication for application users.

What I eventually ended up with was implementing a small Owin middleware and doing Basic Authentication myself.

These links could be helpful:

  • Writing an OWIN Authentication Middleware
  • Basic Authentication with ASP.NET Web API Using OWIN Middleware
  • Thinktecture.IdentityModel on GitHub
qbik answered Oct 27 '22 02:10
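The answer above ends with "implementing a small Owin middleware and doing Basic Authentication myself" without showing it. The following is an added example of what such a middleware can look like; it is not qbik's code and not part of the original answer. It assumes Microsoft.Owin and the Owin package are referenced, a realm name of "MyRealm", and a caller-supplied credential check delegate; it is registered in Startup.Auth.cs in place of IIS Basic Authentication (which stays disabled), so the 401 is produced and ended inside the OWIN pipeline and the cookie middleware never gets a chance to redirect to LoginPath. Basic credentials travel base64-encoded, not encrypted, in every request, so this only makes sense over HTTPS, as the "Is IIS Basic Authentication secure?" note above says.

```csharp
// Added example, not from the answer above: a minimal OWIN middleware that performs
// HTTP Basic Authentication itself. Assumptions: realm "MyRealm" and a caller-supplied
// credential check delegate (both hypothetical; nothing here comes from the original post).
using System;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public class BasicAuthMiddleware : OwinMiddleware
{
    private readonly string _realm;
    private readonly Func<string, string, bool> _validateCredentials;

    public BasicAuthMiddleware(OwinMiddleware next, string realm,
                               Func<string, string, bool> validateCredentials)
        : base(next)
    {
        _realm = realm;
        _validateCredentials = validateCredentials;
    }

    public override async Task Invoke(IOwinContext context)
    {
        string userName;
        if (TryAuthenticate(context.Request.Headers.Get("Authorization"), out userName))
        {
            // Attach the authenticated identity so downstream code sees User.Identity.Name.
            var identity = new ClaimsIdentity("Basic");
            identity.AddClaim(new Claim(ClaimTypes.Name, userName));
            context.Request.User = new ClaimsPrincipal(identity);
            await Next.Invoke(context);
            return;
        }

        // Missing or invalid credentials: challenge the client and end the pipeline here,
        // so the cookie middleware never sees a 401 it could turn into a redirect.
        context.Response.StatusCode = 401;
        context.Response.Headers.Set("WWW-Authenticate", "Basic realm=\"" + _realm + "\"");
    }

    // Parses "Authorization: Basic base64(user:password)" and checks the credentials.
    private bool TryAuthenticate(string header, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false; // malformed base64 is treated as "no credentials"
        }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false; // empty user name or no separator

        string user = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);
        if (!_validateCredentials(user, password)) return false;

        userName = user;
        return true;
    }
}

public static class BasicAuthAppBuilderExtensions
{
    // Registration helper for Startup.Auth.cs (hypothetical name), for example:
    //   app.UseBasicAuthentication("MyRealm",
    //       (u, p) => u == "site-user" && FixedTimeEquals(p, expectedPassword));
    public static IAppBuilder UseBasicAuthentication(this IAppBuilder app, string realm,
                                                     Func<string, string, bool> validateCredentials)
    {
        return app.Use<BasicAuthMiddleware>(realm, validateCredentials);
    }

    // Compares two strings in time independent of where they first differ, so a
    // wrong password does not reveal how many leading characters were correct.
    public static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a ?? "");
        byte[] y = Encoding.UTF8.GetBytes(b ?? "");
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

Register it with `app.UseBasicAuthentication(...)` before `app.UseCookieAuthentication(...)` in Startup.Auth.cs (or drop the cookie middleware entirely if Basic is the only login you want). Because the middleware short-circuits with its own 401 plus `WWW-Authenticate` challenge instead of letting IIS generate the 401, the loop described in steps 1 to 4 of the answer cannot start: the cookie middleware only sees requests that already carry valid credentials.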