I'm having problem with OWIN OpenId providers in an ASP.NET MVC5 application which uses ASP.NET Identity and is based on the VS2013 template with Individual user account authentication. OWIN OpenID providers for Google and LinkedIn are used for login authentication.
The problem is that what seems to be very randomly; GetExternalLoginInfo() returns null at the LoginConfirmation callback even though the login authentication was successful.
var authManager = HttpContext.Current.GetOwinContext().Authentication;
var login = authManager.GetExternalLoginInfo();
The providers in use are Google (Microsoft.Owin.Security.Google 2.1.0) and LinkedIn (from Owin.Security.Providers 1.3) and both providers causes the same problem.
Sometimes it fails once and then works again, but sometimes it just continues to fail until the AppPool is recycled.
Currently two instances of the application is hosted in IIS on the same Windows Azure virtual machine. Each instance has its own AppPool but identical setups (different subdomains). Sometimes the login stops working on one instance but still works on the other instance.
The problem has been reproduced locally as well (IIS Express - VS2013).
Anyone experienced similar problems with OWIN OpenID authentication?
Startup.Auth.cs looks like this:
public void ConfigureAuth(IAppBuilder app)
{
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseGoogleAuthentication();
app.UseLinkedInAuthentication("clientId", "clientSecret");
}
The following OWIN nuget packages are in use:
<package id="Microsoft.AspNet.Identity.Core" version="1.0.0" targetFramework="net45" />
<package id="Microsoft.AspNet.Identity.Owin" version="1.0.0" targetFramework="net45" />
<package id="Microsoft.Owin" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Host.SystemWeb" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.ActiveDirectory" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.Cookies" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.Facebook" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.Google" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.Jwt" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.MicrosoftAccount" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.OAuth" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Owin.Security.Twitter" version="2.1.0" targetFramework="net45" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
<package id="Owin" version="1.0" targetFramework="net45" />
<package id="Owin.Security.Providers" version="1.3" targetFramework="net45" />
<package id="System.IdentityModel.Tokens.Jwt" version="3.0.2" targetFramework="net45" />
The problem occurs when ASP.NET_SessionId cookie is missing.
Setting a dummy value in session before redirecting to the OpenID provider for credentials seems to solve the problem:
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
Session["dummy"] = "dummy"; // Create ASP.NET_SessionId cookie
return View();
}
More details in this answer: https://stackoverflow.com/a/21234614/205023