We have an MVC 5 application to which we have added Web API controllers to provide REST API functionality. We successfully perform OAuth authentication through the OWIN pipeline using a custom OAuth provider class.
Now we want to implement authentication cookies to protect static resources on the server. I'm sure there are a million other ways to do this, but a request for a resource is a link directly to that resource, so I cannot use the OAuth token or any other mechanism; we want to use cookies ... the browser already sends them, no need to change anything.
From all that I read, you can perform token authentication and cookie authentication using the OWIN pipeline. Basically, the Web API will use tokens, since that is all the client will supply, and requests for certain static resources on the server will use cookies, which are sent with all requests.
Our problem is that with the code below the auth cookie is never generated. Throughout the pipeline, I never see the Set-Cookie header in the response, so I added the Kentor Cookie Saver to the pipeline ... it should have helped.
WebApiConfig.cs

```csharp
// ...
// Stop Web API from using the host's (System.Web) authentication, e.g. the
// cookie principal, so that API requests are authenticated only by the filter below.
config.SuppressDefaultHostAuthentication();
// Authenticate API requests with the OAuth bearer token middleware only.
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
// ...
```
Startup.Auth.cs

```csharp
// ...
// OAuth authorization server + bearer token middleware (token endpoint and token validation).
app.UseOAuthBearerTokens(OAuthOptions);
// I was told this might help with my cookie problem...something to do with System.Web stripping Set-Cookie headers
app.UseKentorOwinCookieSaver();
// Cookie middleware, registered after the OAuth middleware.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = Microsoft.Owin.Security.Cookies.CookieAuthenticationDefaults.AuthenticationType,
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
    ExpireTimeSpan = TimeSpan.FromHours(4)
});
// ...
```
Custom OAuth Provider

```csharp
// ...
// Build the AuthenticationProperties dictionary and the claims for this account.
CreatePropertiesAndClaims(acct, out properties, out claims);
if (IsAccountAuthorized(claims))
{
    AuthenticationProperties authProps = new AuthenticationProperties(properties);

    // Identity for the bearer token: uses the OAuth server's authentication type.
    ClaimsIdentity claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
    claimsIdentity.AddClaims(claims);
    AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity, authProps);
    context.Validated(ticket);

    // Second identity for the auth cookie: same claims, cookie authentication type.
    ClaimsIdentity cookieIdentity = new ClaimsIdentity(claims, Microsoft.Owin.Security.Cookies.CookieAuthenticationDefaults.AuthenticationType);
    // Ask the cookie middleware to issue the cookie on this response.
    context.Request.Context.Authentication.SignIn(cookieIdentity);
}
else
{
    context.SetError("Unauthorized", "You don't currently have authorization. Please contact support.");
}
// ...
```
Keep in mind that token-based authentication works, so I assume that a configuration parameter is missing or incorrectly configured, or there is a problem with pipeline ordering.
THANKS!
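The following Startup.Auth.cs is an added example, not the asker's code or an accepted answer. It shows the middleware order used by the Visual Studio "Individual User Accounts" template (cookie middleware registered before the OAuth server middleware) together with the cookie hardening options a practitioner would set on a cookie that gates static resources. The provider class name `MyOAuthProvider`, the `/Token` endpoint path and the token lifetime are assumptions; `CookieSameSite` assumes Microsoft.Owin 4.1 or later, and `SystemWebCookieManager` assumes Microsoft.Owin.Host.SystemWeb 3.1 or later.

```csharp
// Added example (not the asker's code): Startup.Auth.cs with the cookie
// middleware registered before the OAuth authorization server middleware.
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Microsoft.Owin.Host.SystemWeb;
using Owin;

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        // 1. Cookie middleware first. The OAuth authorization server handles the
        //    token endpoint request itself and does not pass it on to the next
        //    middleware, so a cookie middleware registered after it never sees that
        //    request and the SignIn() grant raised in the provider is never turned
        //    into a Set-Cookie header.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            AuthenticationMode = AuthenticationMode.Active,
            ExpireTimeSpan = TimeSpan.FromHours(4),
            SlidingExpiration = false,

            // Hardening for a cookie that protects static resources:
            CookieHttpOnly = true,                    // not readable from script
            CookieSecure = CookieSecureOption.Always, // only sent over HTTPS
            CookieSameSite = SameSiteMode.Lax,        // assumption: Microsoft.Owin >= 4.1

            // Writes the cookie through System.Web so it is not dropped by the
            // host; this replaces the Kentor Cookie Saver workaround
            // (assumption: Microsoft.Owin.Host.SystemWeb >= 3.1).
            CookieManager = new SystemWebCookieManager()
        });

        // 2. OAuth authorization server + bearer token middleware after the cookie middleware.
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),          // assumed endpoint path
            Provider = new MyOAuthProvider(),                       // hypothetical name for the custom provider
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),      // assumed token lifetime
            AllowInsecureHttp = false                               // token endpoint only over HTTPS
        };
        app.UseOAuthBearerTokens(OAuthOptions);
    }
}
```

Two checks worth making after changing the order: first, confirm with the browser's network tab that the `/Token` response now carries a `Set-Cookie` header with the `HttpOnly` and `Secure` flags; second, remember that files served directly by the IIS static file handler do not pass through the OWIN pipeline at all, so the cookie only protects static resources that are actually routed through managed code (for example, a controller action or a handler mapped for that path).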