All geek questions in one place

Single sign-on using an ASP.NET identifier between two ASP.NET MVC projects

I have 2 web applications that share the same core level domain as below so that I can share cookies. Web.conifg in both projects has the same machine key and verification key. Since I want to use identifiers and NOT authenticaiton forms, I do not have a node file in any of my web.config files. I can successfully create an Auth cookie from SSO and view the browsing pages in SSO, but I'm still redirected to logging in to SSO when I try to access an authorized view in an MVC project.

  • sso.domain.com - MVC Project
  • mvc.domain.com - MVC Project

I have a startup.cs file in my SSO and MVC project as shown below:

public partial class Startup { public void Configuration(IAppBuilder app) { ConfigureAuth(app); } // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864 public void ConfigureAuth(IAppBuilder app) { app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie); // Enable the application to use a cookie to store information for the signed in user app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, ExpireTimeSpan = TimeSpan.FromMinutes(3), LoginPath = new PathString("/Login"), CookieName = "MyCookieName", CookieDomain = ".domain.com" }); app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie); AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier; } }

Below is the code that I still have in the SSO project under AccountController.cs. I call the IdentitySignin function below when checking the user against the database that creates the cookie:

  private void IdentitySignin(string userId, string name, string providerKey = null, bool isPersistent = false) { var claims = new List<Claim>(); // create *required* claims claims.Add(new Claim(ClaimTypes.NameIdentifier, userId)); claims.Add(new Claim(ClaimTypes.Name, name)); var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie); //get the expiry minutes from config or use the default value of 30 minutes double expiryMinutes; expiryMinutes = double.TryParse(ConfigurationManager.AppSettings["AuthCookieExpiryMinutes"], out expiryMinutes) ? expiryMinutes : 30; // add to user here! AuthenticationManager.SignIn(new AuthenticationProperties() { AllowRefresh = true, IsPersistent = isPersistent, ExpiresUtc = DateTime.UtcNow.AddMinutes(expiryMinutes), IssuedUtc = DateTime.UtcNow }, identity); } private void IdentitySignout() { AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie); } private IAuthenticationManager AuthenticationManager { get { return HttpContext.GetOwinContext().Authentication; } } private async Task<string> GetVerifiedUserIdAsync() { var result = await AuthenticationManager.AuthenticateAsync( DefaultAuthenticationTypes.ApplicationCookie); if (result != null && result.Identity != null && !String.IsNullOrEmpty(result.Identity.GetUserId())) { return result.Identity.GetUserId(); } return null; }
+8
source share
3 answers

Most likely, you did not install a shared machine key. The auth cookie is encrypted, and if both sites do not use the same machine key, you cannot decrypt what is encrypted by the other. Add the following to your Web.config project:

 <sytem.web> ... <machineKey validation="HMACSHA256" validationKey="[validationKey]" decryptionKey="[decryptionKey]" compatibilityMode="Framework45" />

To generate keys, in IIS, click on the server in the left pane, and then on the machine key control panel item. Choose your verification method (above, I used HMACSHA256). I do not recommend using SHA1 by default, as it is ridiculously easy to crack. Then, in the right Actions pane, click Create Keys. Copy the two text field values ​​into the appropriate attributes of this configuration item and make sure that they are the same for all projects that must share the auth cookie.

+4
source

So, I found out the reason Single Sign On did not work between the two MVC applications, despite the fact that both of them use the same key and verification keys.

In my SSO MVC application and in another MVC application, different versions of the OWIN and ASP.NET Identity libraries were used. I used Nuget to update the DLLS in one project, but did not upgrade in another.

I hope this helps someone who is facing this issue.

Just like FYI, to exchange ASP.NET authentication authentication between more than one application, make sure you have something lower in EVERY APPLICATION :

  • Same Machine keys and validation keys in web.config
  • Same versions of OWIN and ASP.NET IDENTITY libraries
  • COOKIE AND COOKIE DOMAIN NAME in Startup.cs
  • Both applications must be in the same domain to share the auth cookie.
+4
source

I tried to contact you guys to check if you can help me answer the question in the link below.

Implement single sign-on using ASP.net Identity without forms authentication

I banged my head but no luck, please help me.

-one
source

Source: https://habr.com/ru/post/1014967/

More articles:


All Articles