I know there are a lot of similar questions to mine, but I haven't been able to find any examples where the client application is configured like my setup.
What I am Trying to Do
I have configured an asp.net core 3.1 IdentityServer4 instance using Asp.Net Identity and EntityFramework core. I am trying to migrate a bunch of Web Forms applications from FormsAuthentication, and I have the configuration mostly correct - I can work around my sign in redirect problem and see that my claims are being returned as expected and my roles are working.
My Problem
However, I just can't figure out the correct RedirectUri, and that's probably at least partially due to my lack of understanding of how the signin-oidc endpoint works and if it can be configured.
In almost every example I have seen, the redirect Uri is always pointing to the root application (for localhost development, it's something like localhost:5001 or whatever port the application is listening on).
My IIS Hosting Setup
For both local development and production, my applications are set up in IIS as one root application with a series of other applications as subdirectories. For example:
- mydomain.com
- mydomain.com/Application1
- mydomain.com/Application2
Each of these is a stand-alone application.
Redirect Uris I Have Tried
The examples I have seen show the Redirect Uri as localhost:5001/signin-oidc. Here are the various Redirect Uris I have tried in my Startup.cs file and their results:
- localhost/Application1: "This page isn't redirecting properly" message from Firefox (URL is something like http://localhost:80/Application1?code=xxxx&scope=xxxx&state=xxxx&session_state=xxxx)
- localhost/Application1/: Redirects to root (localhost). I can access the application if I manually navigate to it afterwards, and everything works as expected. However, this is an untenable solution because my users will be confused as hell.
- localhost/Application1/signin-oidc: 404 Not Found (URL is something like http://localhost:80/Application1/signin-oidc?code=xxxx&scope=xxxx&state=xxxx&session_state=xxxx)
- localhost/Application1/signin-oidc/: Same as localhost/Application1/: redirects to root
So it seems like this would all work fine if my application was at the root of the server, but since it's not, I have no idea how to make the redirect work correctly.
Reference
For reference, here is the code in my application's Startup.cs and the code that produces the challenge. For what it's worth, I do not understand why RedirectUri is being specified in the authentication challenge or what impact it has on the request, but it didn't seem to work unless I set it as it is here, and in all of the examples I have seen. I played around with it, but it didn't yield any different results from when I left this as is and played around with the RedirectUri values in the Startup.cs file:
Startup.cs
    // Using directives and the OWIN startup attribute were not in the original snippet;
    // these are the ones the code below needs (packages Microsoft.Owin.Host.SystemWeb,
    // Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect).
    using System.Security.Claims;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    [assembly: OwinStartup(typeof(Startup))]

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }

        private void ConfigureAuth(IAppBuilder app)
        {
            // Local cookie that holds the signed-in principal once the OIDC flow completes.
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });
            app.UseOpenIdConnectAuthentication(GetOpenIdConnectAuthenticationOptions());
        }

        private OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions()
        {
            var _authority = "http://localhost:5000/";
            // OAuth redirect_uri sent to IdentityServer4. It is compared as a string against the
            // client's registered RedirectUris, so it must match the registration exactly.
            var _redirectUri = "http://localhost/Application1/";
            var _clientId = "app1";
            // Placeholder; in a real deployment read the secret from configuration, not source.
            var _clientSecret = "WouldntYouLikeToKnow";

            return new OpenIdConnectAuthenticationOptions
            {
                Authority = _authority,
                RedirectUri = _redirectUri,
                ClientId = _clientId,
                ClientSecret = _clientSecret,
                Scope = $"{OpenIdConnectScope.OpenIdProfile} role",
                TokenValidationParameters = new TokenValidationParameters()
                {
                    NameClaimType = "preferred_username",
                    RoleClaimType = ClaimTypes.Role
                },
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // Only false because the local authority is plain HTTP; production should require HTTPS.
                RequireHttpsMetadata = _authority.Contains("https"),
                UseTokenLifetime = false,
                // Authorization code flow: the middleware redeems the code at the token endpoint.
                RedeemCode = true,
                SaveTokens = true,
                ResponseType = OpenIdConnectResponseType.Code,
                ResponseMode = OpenIdConnectResponseMode.Query,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    //section removed for brevity - this code handles pkce verification and challenge.
                }
            };
        }
    }
SiteMaster.cs
    using System;
    using System.Web;                      // GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.OpenIdConnect;

    public partial class SiteMaster : System.Web.UI.MasterPage
    {
        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);
            if (!Request.IsAuthenticated)
            {
                // Issues the OIDC challenge. AuthenticationProperties.RedirectUri is the URL the
                // user is sent to after sign-in completes (carried in the state parameter);
                // it is not the OAuth redirect_uri. "/" is the site root.
                HttpContext.Current.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties()
                    {
                        RedirectUri = "/"
                    },
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }
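The following C# is an added illustration of the two different RedirectUri settings the question is juggling; it is not code from the question, from IdentityServer4 or from the Katana OWIN middleware. OpenIdConnectAuthenticationOptions.RedirectUri is the OAuth redirect_uri, which IdentityServer4 compares as a string against the client's registered RedirectUris; AuthenticationProperties.RedirectUri in the challenge is only the return URL after sign-in. The example derives both from the IIS virtual path of the sub-application (HttpRuntime.AppDomainAppVirtualPath), builds the callback URI so it is an exact match for the registration, and constrains the return URL to the application so it cannot become an open redirect. The authority, client id and secret are placeholders taken from the question; the CallbackPath property and its comparison against Request.PathBase + Request.Path are an assumption about Katana 4.x behaviour.

```csharp
using System;
using System.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example, not the question's code. Assumes an IIS sub-application whose virtual
// path (HttpRuntime.AppDomainAppVirtualPath) is "/Application1"; for the root
// application that value is "/" and the same code yields root URLs.
public static class OidcRedirectUris
{
    // The OAuth redirect_uri: where IdentityServer4 sends the authorization code. It is
    // compared as a string with the client's registered RedirectUris, so scheme, host,
    // port, path and trailing slash must match the registration exactly.
    public static string BuildCallbackRedirectUri(string scheme, string host, int port, string appVirtualPath)
    {
        var appPath = appVirtualPath.TrimEnd('/');                          // "/Application1" or ""
        return new UriBuilder(scheme, host, port, appPath + "/signin-oidc").Uri.AbsoluteUri;
    }

    // The post-sign-in return URL (AuthenticationProperties.RedirectUri, carried in the
    // state parameter). Keep it a local path inside this application so an attacker-
    // supplied return URL cannot turn the login into an open redirect.
    public static string SafeReturnUrl(string requested, string appVirtualPath)
    {
        var appRoot = appVirtualPath.TrimEnd('/') + "/";                    // "/Application1/" or "/"
        if (string.IsNullOrEmpty(requested)) return appRoot;
        bool isLocal = requested.StartsWith("/", StringComparison.Ordinal)
                    && !requested.StartsWith("//", StringComparison.Ordinal)  // protocol-relative
                    && !requested.StartsWith("/\\", StringComparison.Ordinal);
        bool inApp = requested.StartsWith(appRoot, StringComparison.OrdinalIgnoreCase)
                  || string.Equals(requested, appRoot.TrimEnd('/'), StringComparison.OrdinalIgnoreCase);
        return (isLocal && inApp) ? requested : appRoot;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var appPath = HttpRuntime.AppDomainAppVirtualPath;                  // "/Application1" under IIS
        var callbackPath = appPath.TrimEnd('/') + "/signin-oidc";

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "http://localhost:5000/",                           // placeholder from the question
            ClientId = "app1",
            ClientSecret = "placeholder-read-from-configuration",
            // Must be the exact string registered for client "app1" in IdentityServer4,
            // here http://localhost/Application1/signin-oidc.
            RedirectUri = OidcRedirectUris.BuildCallbackRedirectUri("http", "localhost", 80, appPath),
            // Assumption about Katana 4.x: the handler processes the callback only when
            // CallbackPath equals Request.PathBase + Request.Path; under a sub-application
            // PathBase is "/Application1", so the path is given with that prefix.
            CallbackPath = new PathString(callbackPath),
            ResponseType = OpenIdConnectResponseType.Code,
            ResponseMode = OpenIdConnectResponseMode.Query,
            Scope = "openid profile role",
            RedeemCode = true,
            SaveTokens = true,
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            RequireHttpsMetadata = false                                     // local development only
        });
    }
}

// Web Forms master page: challenge anonymous users and return them to the page they asked for.
public partial class SiteMaster : System.Web.UI.MasterPage
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Request.IsAuthenticated) return;

        var appPath = HttpRuntime.AppDomainAppVirtualPath;
        Context.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties
            {
                // Return URL after sign-in, constrained to this application (never "/" = site root).
                RedirectUri = OidcRedirectUris.SafeReturnUrl(Request.RawUrl, appPath)
            },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```

The useful check when debugging this kind of setup is to compare three strings side by side: the redirect_uri parameter in the authorize request the browser actually sends, the RedirectUris entry on the IdentityServer4 client, and the path the middleware is willing to treat as its callback under the sub-application's PathBase. A mismatch in the first two produces an IdentityServer4 error page; a mismatch in the third leaves the callback request to reach IIS as an ordinary request, which is how a 404 for /Application1/signin-oidc arises. The return URL in the challenge is separate from all three and only decides where the user lands once the cookie has been issued.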