Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

UseCookieAuthentication vs. UseExternalSignInCookie

Tags:

asp.net-mvc

owin

I use Owin to authorize through Google oAuth. Here is how my cookies are configured:

// Enable the application to use a cookie to store information for the signed in user app.UseCookieAuthentication(new CookieAuthenticationOptions {     AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,     LoginPath = new PathString("/Authentication/Login") }); // Use a cookie to temporarily store information about a user logging in with a third party login provider app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

So am using both UseCookieAuthentication and UseExternalSignInCookie and it seems redundant. Which of these two AuthenticationTypes should I specify for IAuthenticationManager methods (SignIn, SingOUt, etc.)? Or should I keep just one of them?

Update. What confuses me most is SignIn method:

private async Task SignInAsync(ApplicationUser user, bool isPersistent) {     AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);     var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);     AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity); }

So signsout from ExternalCookie, but signs in ApplicationCookie.

like image 925
SiberianGuy Avatar asked Oct 02 '14 18:10

SiberianGuy

People also ask

What is UseExternalSignInCookie?

UseExternalSignInCookie(IAppBuilder) Configures the application to use OWIN middleware based cookie authentication for external identities. UseExternalSignInCookie(IAppBuilder, String) Configures the application to use OWIN middleware based cookie authentication for external identities.

What is CookieAuthenticationDefaults AuthenticationScheme?

AuthenticationScheme passed to AddAuthentication sets the default authentication scheme for the app. AuthenticationScheme is useful when there are multiple instances of cookie authentication and the app needs to authorize with a specific scheme. Setting the AuthenticationScheme to CookieAuthenticationDefaults.

How to implement cookie authentication in ASP.NET Core?

Let's implement the Cookie Authentication in ASP.NET Core step by step. Open the Visual Studio and click on Create a new Project. Select ASP.NET Core Empty project and click on next. Give a name to your Project, select the location for the project creation, and click on Next.

Does ASP.NET Core identity use cookies?

You do not need a separate CookieAuthentication middleware when you are using ASPNET identity. UseIdentity() will do that for you and generate a cookie. You can set the "cookie options" in the AddIdentity block of the application like so: services.

2 Answers

You need all of them, if you want Google sign in to work. This is how it works. In the OWIN pipeline, you have three middleware components: (1) the cookie authentication middleware running in active mode, (2) another instance of cookie authentication middleware but running in passive mode, and (3) Google authentication middleware. That will be like so.

app.UseCookieAuthentication(new CookieAuthenticationOptions {     AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,     ... }); // Active  app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie); // Passive  app.UseGoogleAuthentication(...);

When there is a 401, your user gets redirected to Google. There, your user logs in and Google validates the credential. Google then redirects the user back to your app. At this point, Google authentication middleware gets the login info, applies a grant (read external cookie) and short circuits the OWIN pipeline and redirects to the external callback URL, which corresponds to ExternalLoginCallback action method of AccountController. So, at this point when the request comes to your app as a result of redirect, you get the external cookie with the user name and email claims.

In order to read this cookie and retrieve the data (user name, etc) from Google, you use the cookie authentication middleware running in passive mode. Since this middleware runs in passive mode, it must be told to read the cookie. That's what happens when call to AuthenticationManager.GetExternalLoginInfoAsync() is made in the ExternalLoginCallback action method. At that point, identity from the external cookie has been established and this identity contains only the name and email claims from Google.

Typically, at this point you will need to retrieve user specific information from your application data store and add more claims to the identity. So, you call Signout on the external cookie middleware, which will also ensure the external cookie gets no longer sent back by expiring it. So, using the identity information available at that time, UserManager.FindAsync is called in the ExternalLoginCallback action method, which should return the user with all application specific claims. Using that new identity, you call SignIn on the cookie authentication middleware running in active mode. This ensures a new cookie is created. Compared to the external cookie, this new cookie contains all the application specific claims. Subsequently, you get this cookie back and the cookie authentication middleware running in active mode actively reads the cookie and establishes identity with complete list of all application specific claims.

So, if you do not call Signin, you will not be creating that cookie containing all application specific claims. But then it is up to you to use some other mechanism. The out of box behavior is that a local cookie containing all the application specific claims is created through that call to SignIn and subsequently read by the cookie middleware running in active mode.

UPDATE: I have created a blog post to explain how you can get away without using two cookie middleware instances. http://lbadri.wordpress.com/2014/10/14/barebones-asp-net-mvc-google-signin-through-owin-middleware/

like image 194
Badri Avatar answered Sep 20 '22 19:09

Badri

"SignOut(DefaultAuthenticationTypes.ExternalCookie)" is to "cleanup, the external cookie" as per Hao Kung's answer https://stackoverflow.com/a/20575643/2710179

There is a nice implementation in the Microsoft.aspnet.identity.samples project which you can download from nuget. In this implementation they use:-

    var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

"ExternalCookie" is the "Default value used for the ExternalSignInAuthenticationType configured" I believe this means it is used as temporary cookie use to verify the user against an external sight

like image 21
Jonathan Jansen Avatar answered Sep 21 '22 19:09

Jonathan Jansen
Sign in to Comment

Related questions

ASP.NET MVC URL Routing with Multiple Route Values
MVC4 enum and radio button list
Is it possible to set a unique constraint using Entity Framework Code First?
Asp.Net MVC 2 - Bind a model's property to a different named value
How do I get the current Url from within a FilterAttribute?
How do I setup multiple auth schemes in ASP.NET Core 2.0?
What is the use of @Html.AntiForgeryToken()?
ASP.NET MVC DropDownListFor with model of type List<string>
Adding sub-directory to "View/Shared" folder in ASP.Net MVC and calling the view
One DbContext per request in ASP.NET MVC (without IOC container)
Build:Cannot find type definition file for 'node'
ASP.NET MVC - Slow initial load
MVC4 bundling CSS failed Unexpected token, found '@import'
How does a multiple select list work with model binding in ASP.NET MVC?
MVC 3 Model Binding a Sub Type (Abstract Class or Interface)
C# .Net How to Encode URL space with %20 instead of + [duplicate]
CORS in ASP .NET MVC5
Converting a ASP.NET MVC 3 Project to MVC 4
How to implement Permission Based Access Control with Asp.Net Core
Does HTML5 ban th cells from tbody?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!