Tags: asp.net, web-config, openid-connect, aspnet-contrib

Allow anonymous access to .well-known directory


Please bear with me: I am pretty new to all of this.

I am working on integrating OpenID Connect with a pair of applications developed by the company.

We are using custom/company-specific OpenID Connect libraries that are, I think, essentially wrappers around Microsoft.Owin.Security.OpenIdConnect and Owin.Security.OpenIdConnect.Server.

In the IdP application web.config, we have something like:

<location path="." inheritInChildApplications="false">
    <authentication mode="Forms">
        <forms loginUrl="~/Login" name="{....}" protection="All" path="/" slidingExpiration="true" requireSSL="false" defaultUrl="~/Home" cookieless="UseCookies" />
    </authentication>
    <authorization>
        <deny users="?" />
        <!-- denies anonymous users to all pages, except those defined under location nodes -->
    </authorization>
</location>

plus a bunch of location nodes to allow/deny access to specific pages/resources.

The problem is that when the OpenID Connect code tries to access /.well-known/openid-configuration while the user is not logged in (or, it seems, in the process of logging in), the response is a 302 redirect to the login page.

Obviously this causes problems when a JSON response is expected.

I have tried adding a location node to the web.config:

<location path="~/.well-known/openid-configuration">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

(I also tried with path="~/.well-known".)

But I am still getting redirected to the login page.

To be clear, there is no actual directory /.well-known in the IdP application; the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server.


Solution

  • the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server

    Yes, it is.

    Try calling app.UseStageMarker(PipelineStage.Authenticate) immediately after registering the OIDC server middleware to prevent ASP.NET from applying the authorization policies before it has a chance to be invoked:

    app.UseOpenIdConnectServer(options => {
        options.AllowInsecureHttp = true;
    });
    
    app.UseStageMarker(PipelineStage.Authenticate);
    

    Note that you shouldn't need an exception for ~/.well-known/openid-configuration in your web.config when using app.UseStageMarker().
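The ordering described in this answer, as an added example that is not code from the answer or from the Owin.Security.OpenIdConnect.Server project: a hypothetical `IdpStartup` class registers the OIDC server middleware ahead of the `Authenticate` stage marker, and a hypothetical `DiscoveryCheck` helper confirms that the discovery document now comes back as 200/JSON instead of a 302 to the Forms login page. The base URL and the development-only `AllowInsecureHttp` setting are assumptions.

```csharp
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;   // PipelineStage
using Owin;                        // UseStageMarker, UseOpenIdConnectServer
using Owin.Security.OpenIdConnect.Server;

[assembly: OwinStartup(typeof(IdpStartup))]

// Hypothetical Startup for the IdP application (not the project's own code).
public class IdpStartup
{
    public void Configuration(IAppBuilder app)
    {
        // The discovery document at /.well-known/openid-configuration is
        // generated by this middleware; there is no file or directory on disk.
        app.UseOpenIdConnectServer(options =>
        {
            options.AllowInsecureHttp = true;   // assumption: development only
        });

        // Without a stage marker, OWIN middleware in the System.Web integrated
        // pipeline runs after ASP.NET's AuthorizeRequest stage, so
        // <deny users="?"/> plus Forms authentication issue the 302 to ~/Login
        // before the middleware ever sees the request. Pinning the middleware
        // to the Authenticate stage runs it before URL authorization.
        app.UseStageMarker(PipelineStage.Authenticate);
    }
}

// Hypothetical check: request the discovery document anonymously and refuse
// to follow redirects, so a lingering login redirect is visible as a 302.
public static class DiscoveryCheck
{
    public static async Task<bool> IsServedAnonymouslyAsync(string baseUrl)
    {
        var handler = new HttpClientHandler { AllowAutoRedirect = false };
        using (var client = new HttpClient(handler))
        {
            var url = baseUrl.TrimEnd('/') + "/.well-known/openid-configuration";
            var response = await client.GetAsync(url);
            // Expected after the fix: 200 with a JSON body; a 302 means the
            // Forms authentication redirect still fires before the middleware.
            return response.StatusCode == HttpStatusCode.OK
                && response.Content.Headers.ContentType?.MediaType == "application/json";
        }
    }
}
```

Call `DiscoveryCheck.IsServedAnonymouslyAsync("https://idp.example.test")` (a constructed host name) from a test or console project against the running IdP; it returns `true` only once the stage marker is in place.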