asp.net-core, identityserver4

Should SSO using IdentityServer4 be hitting authorize endpoint on each request?


I am using IdentityServer4 to implement Single-Sign-On from multiple ASP.net Core web sites. I am able to log in through one site, and that successfully logs me into the other site. What I find odd, however, is that after I am logged into both sites, any page that requires authentication / authorization is redirecting me back to the authorize endpoint if I have browsed the other site in the meantime. An example:

+-----+--------------------+-------------------------------------+---------------------------------------------------------------------+
| Seq |        Host        |               Request               |                              Response                               |
+-----+--------------------+-------------------------------------+---------------------------------------------------------------------+
|   1 | apple.example.com  | GET /About                          | 302 Found; Location=https://login.example.com/connect/authorize?... |
|   2 | login.example.com  | GET /connect/authorize?...          | 302 Found; Location=https://login.example.com/Account/Login?…       |
|   3 | login.example.com  | GET Account/Login?…                 | 200 OK                                                              |
|   4 | login.example.com  | POST /Account/Login?...             | 302 Found; Location=/connect/authorize/callback?...                 |
|   5 | login.example.com  | GET /connect/authorize/callback?... | 200 OK                                                              |
|   6 | apple.example.com  | POST /signin-oidc                   | 302 Found; Location=https://apple.example.com/About                 |
|   7 | apple.example.com  | GET /About                          | 200 OK                                                              |
|   8 | banana.example.com | GET /About                          | 302 Found; Location=https://login.example.com/connect/authorize?... |
|   9 | login.example.com  | GET /connect/authorize?...          | 200 OK                                                              |
|  10 | banana.example.com | POST /signin-oidc                   | 302 Found; Location=https://banana.example.com/About                |
|  11 | banana.example.com | GET /About                          | 200 OK                                                              |
|  12 | banana.example.com | GET /About                          | 200 OK                                                              |
|  13 | banana.example.com | GET /About                          | 200 OK                                                              |
|  14 | apple.example.com  | GET /About                          | 302 Found; Location=https://login.example.com/connect/authorize?... |
|  15 | login.example.com  | GET /connect/authorize?...          | 200 OK                                                              |
|  16 | apple.example.com  | POST /signin-oidc                   | 302 Found; Location=https://apple.example.com/About                 |
|  17 | apple.example.com  | GET /About                          | 200 OK                                                              |
|  18 | apple.example.com  | GET /About                          | 200 OK                                                              |
+-----+--------------------+-------------------------------------+---------------------------------------------------------------------+

Up to Seq=11 everything works as expected. I am signed into both sites (apple and banana), but only entered my credentials once. I last loaded a page on banana.example.com. As long as I stay on that site (lines 12 & 13), the site cookie is working. But if I load another page on apple.example.com, it passes me back to the authorize endpoint, even though I am already authenticated on that site. That is surprising to me. This continues to happen--anytime I switch sites, I have to hit the identity server again. I do not have to re-enter my credentials, but the redirects are a bit jarring. I am especially concerned that it is going to interfere with POST requests.

Our sites are such that it will be common for users to be using multiple sites at the same time, tabbing back-and-forth.

Is this the way it is supposed to work, or is there something wrong with my configuration? I would expect to only have to hit the authorize endpoint once per site.


Solution

  • Your expectation is correct. Make sure you are using different cookie names for each application or else it would cause the exact behaviour you are describing.

    You can set cookie name in the authentication service configuration:

    services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; })
            .AddCookie(options =>
            {
                // Use a name that is unique to this application so the sites' cookies do not collide
                options.Cookie.Name = "someCookieName";
            });