AuthorizationCodeReceived event won't get called, if RedirectUrl has no final slash!?

[mzagel]

Hi there,

I've created a sample MVC OWIN Client using an OpenId Server for authentication. The initial setup is quite simple:

public void Configuration(IAppBuilder app)
{
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies"
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "myClient",
        Authority = "http://localhost/myOpenIdServer",
        RedirectUri = "http://localhost/MvcOwinHybridClient",
        PostLogoutRedirectUri = "http://localhost/MvcOwinHybridClient",
        ResponseType = "code id_token token",
        Scope = "openid email profile",
        SignInAsAuthenticationType = "Cookies",

        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthorizationCodeReceived = async notif =>
            {
                //[...]
                // Code for retrieving user claims and setting the cookie.
                //[...]
            }
        }
    });
}

During our first implementation steps we've used IIS Express. Locally (with IIS Express) when we are logged in, the AuthorizationCodeReceived event gets fired as expected. Everything worked quite fine, until we tried to test the stuff on our servers with real IIS applications. The result was rather strange: Although the login is shown and the Open ID server seems to authenticate successfully. However after the redirect to the client, the user is not authenticated.

I was able to reproduce the exact same behaviour on my machine using the Local IIS. Actually the user is authenticated correctly on server side, but the event AuthorizationCodeReceived is not called. Besides no error occurs neither on the client nor on the server.

It took me quite some time to figure out the problem, because all we changed was

• use real IIS applications
• switch off SSL (we are behind a load balancer which takes care of SSL)
• adjust the URLs

It turned out, the problem was cased by the missing slash at the end of the RedirectUri:
RedirectUri = http://localhost/MvcOwinHybridClient/: working
RedirectUri = http://localhost/MvcOwinHybridClient: not working

Please note with IIS Express it doesn't matter at all if the slash is present or not, both scenarios work there!?

Although I can work now with this solution, I'm extremely curious and I hope someone can explain this behaviour (and maybe open a bug if necessary).

Thanks for your help,
Zacko

[Tratcher]

This is all with the old Katana packages. Have to tried it with the new ASP.NET 5 framework and packages?

In IIS is your application root at http://localhost/ or http://localhost/MvcOwinHybridClient/? If it's the second one IIS may be generating an extra redirect to add the trailing slash, and this extra redirect may be interfering with your login flow.

[mzagel]

ASP.NET 5 is a nice hint, will try that, but as long as it's still in beta phase, it's not an option for production...

Yes, the root is http://localhost/MvcOwinHybridClient/. Your explanation sounds quite reasonable:-)
So, do you think, it's a feature and not a bug?

[Tratcher]

Try it with Fiddler and see.

[Eilon]

There's no bug per se in the auth stuff, but we'll update the documentation to mention that a trailing slash is required when hosting on IIS.

[Tratcher]

We need to re-test this with the new HttpPlatformHandler.

[Tratcher]

This actually isn't a problem anymore due to changes for #455. Now that we require CallbackPath and it defaults to /signin-oidc, this scenario just works because redirecturi is now http://localhost/MyVirtualApp/signin-oidc.