Search code examples
asp.net-mvc-4azureowinkatanaclaims

Owin and katana application after some attempts of login.claimsIdentity IsAuthenticated FALSE

We are using Microsoft Owin Authentication for our application, which will redirect the user to Azure Active Directory login page. Once logged in successfully, our application's home page will be displayed.

This will work without any issues for few times. However after few attempts, if I try to login again, after clicking on the LOGIN button (of Azure Active Directory login page), it is not getting redirected to our home page. It loads a blank page and it never finishes loading, and it gets hanged. The address bar shows the toggling of requests b/w our home page and azure login page.

Following is the code used for signin:

 public void SignIn()
 {
     if (!Request.IsAuthenticated)
     {
         HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/Home/Index" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
     }
 }

Update 1:

facing new issue:

Hello Vittorio,

Thanks!!! for your resonse. As you mentioned, after removing Authorize attribute, it is working fine locally (from sourcecode). However, once we deploy it to azure, after few attempts of login, we are facing a different issue, where-in, we are not at all allowed to login. User details are not getting loaded due to which authentication fails and redirects to a error page (custom page).

following is the piece of code which we are using to get the user details, however, many times we are getting into ELSE part (claimsIdentity.IsAuthenticated is returning FALSE).

var claimsIdentity = User.Identity as ClaimsIdentity;
if (claimsIdentity.IsAuthenticated) {
    accesstoken = claimsIdentity.FindAll("urn:accesstoken:access_token").FirstOrDefault().Value;
    domainname = claimsIdentity.FindAll("urn:appdomain:domain").FirstOrDefault().Value;
} else {
    return RedirectToAction("Error", "Home");
}

Please let us know if we are missing anything.

Solution

  • From your description it looks like you are experiencing a loop in which the flow is continuously going to Azure AD and back to your app. Is that correct? Usually this takes place when you are attempting to access one resource that requires authentication/authorization (e.g. via [Authorize] decoration) and you have some state that automatically authenticates you with a user that does not satisfy the access control requirements of the resource, causing another redirect and triggering a new cycle.

    Things to look for:

    • resources decorated with [Authorize()]. You might have a valid token for a user that does not satisfy the condition. Solution: implement a custom filter that returns 403 instead of 401 for authorization issues.
    • while you were signed in the app, you signed out from Azure AD and signed in with another Azure AD user form another directory. If you need to be able to do that, you should probably set your middleware to be passive (via AuthenticationMode = AuthenticationMode.Passive) so that 401s won't automatically trigger roundtrips to Azure AD. Note that this might work for the above as well

    Let us know if this solves! HTH V.