I need help configuring my asp.net application using cookie authentication. This is what my configuration looks like:
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
CookieSecure = CookieSecureOption.SameAsRequest,
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(PublicClientId),
AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp = true
};
app.UseOAuthBearerTokens(OAuthOptions);
}
My login api route is:
[Route("Login")]
[HttpPost]
[AllowAnonymous]
public IHttpActionResult Login(RegisterBindingModel model)
{
var user = UserManager.Find(model.Username, model.Password);
if (user != null)
{
Authentication.SignOut();
var identity = UserManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
identity.AddClaim(new Claim(ClaimTypes.Role, "IsAdmin"));
Authentication.SignIn(new AuthenticationProperties() { IsPersistent = true }, identity);
return Ok("Success");
}
return Ok();
}
Calling login returns a cookie named .AspNet.ApplicationCookie but when I call the logout action:
[Route("Logout")]
[HttpPost]
public IHttpActionResult Logout()
{
Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
return Ok();
}
I get the following error: Authorization has been denied for this request
What am I doing wrong?
Note: I decorated the controller with the [Authorize] attribute
Looking at my Web API config settings only to realize that it was only configured to allow bearer tokens. I removed the call to SuppressDefaultHostAuthentication and everything works fine now.