
Issue when adding external providers for logged in user

Apr 3, 2014 at 2:51 PM
I'm upgrading my old web forms app to use ASP.NET Identity 2.0 - so far it's not as bad as it might sound, and I have most of the flows already working fine. However, I cannot crack this one, where a logged-in user can link his Google/FCBK/Twitter account. My upgraded code is based on the Identity 2.0 sample app, where this functionality works fine.

Ultimately, the only difference I'm seeing is when I call
context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);
When I compare the request/response in Fiddler, for the sample app I'm getting this response:
HTTP/1.1 302 Found
Cache-Control: private, s-maxage=0
Location:[edited out...]
Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
Set-Cookie: .AspNet.Correlation.Google=jWylFHgTb9odg-EJJjmtnBMtOCafVCIjEbWkoqEZjzE; path=/; HttpOnly
X-SourceFiles: =?UTF-8?B?RDpcZ2l0XF9JZGVudGl0eTJBcHBcSWRlbnRpdHkyQXBwXE1hbmFnZVxMaW5rTG9naW4=?=
X-Powered-By: ASP.NET
Date: Thu, 03 Apr 2014 13:38:23 GMT
Content-Length: 0
while for my old app, the response is:
HTTP/1.1 302 Found
Cache-Control: private, s-maxage=0
Content-Type: text/html; charset=utf-8
Location: /Account/Login?ReturnUrl=%2fManageAccount%2fLinkLogin
Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RDpcZ2l0XEJvaGVta2Fcd2ViXE1hbmFnZUFjY291bnRcTGlua0xvZ2lu?=
X-Powered-By: ASP.NET
Date: Thu, 03 Apr 2014 13:39:05 GMT
Content-Length: 170

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Account/Login?ReturnUrl=%2fManageAccount%2fLinkLogin">here</a>.</h2>
So, my app is not setting a cookie and obviously there is a difference in Location, where the browser is being redirected.

I strongly suspect something is rewriting the response in my app (it being an old web forms app), but I cannot find a way around it.

Any suggestions will be highly appreciated.
Apr 3, 2014 at 7:13 PM
@sensei_cz: Have you set the OWIN configuration for the cookie middleware in Startup.Auth as in the samples package? The challenge should be intercepted by the corresponding security middleware (Google, Twitter, etc.) and redirected to the provider.
Apr 4, 2014 at 8:50 AM
Yes, my Startup.Auth.cs is pretty much the same as in the sample app; the minor difference is that my IdentityUser class is called User instead of ApplicationUser.

I have this part:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    // Unauthenticated (401) responses are redirected to this path by the cookie middleware
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
as well as this part:
It does work when I register with Google credentials; I can create a local account this way (so I can go through the ChallengeResult class when registering and it works). It only does not work when I try to associate a Google account with an existing local account.

Again, since the ChallengeResult class derives from HttpUnauthorizedResult, I suspect that somewhere in the pipeline, something decides this is HttpUnauthorized and redirects me to a local login page instead of redirecting to the Google authentication endpoint.

Just for a sanity check, I've compared what values I'm passing in my app and sample app when calling
context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);
and these values are exactly the same for both properties structure and LoginProvider.
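
A small triage helper for the two Fiddler captures in the first post, added here as an example and not part of the thread or the Identity sample app: it reports whether the 302 issued after `Challenge` is an absolute redirect carrying the `.AspNet.Correlation.<provider>` cookie, or a relative redirect to the local login page. The function names, the placeholder provider URL and cookie value, and the trimmed sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed, trimmed copies of the two captures; the provider URL and cookie
# value are placeholders because the post edits the real Location out.
SAMPLE_APP = """HTTP/1.1 302 Found
Location: https://provider.example/placeholder-authorize
Set-Cookie: .AspNet.Correlation.Google=PLACEHOLDER; path=/; HttpOnly
Content-Length: 0
"""
OLD_APP = """HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /Account/Login?ReturnUrl=%2fManageAccount%2fLinkLogin
Content-Length: 170

<html><head><title>Object moved</title></head><body>
"""

def parse_head(raw):
    """Return (status_code, headers); header values are lists (Set-Cookie repeats)."""
    lines = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(lines[0].split()[1]), headers

def classify_challenge(raw, provider, login_path="/Account/Login"):
    """Classify the response to Challenge(properties, provider) as (kind, return_url)."""
    status, headers = parse_head(raw)
    if status != 302:
        return ("not-a-redirect", None)
    location = urlsplit(headers.get("location", [""])[0])
    cookie_names = {c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])}
    # Relative redirect to the login page: the 401 was answered locally.
    if not location.netloc and location.path.lower() == login_path.lower():
        return ("local-login-redirect", parse_qs(location.query).get("ReturnUrl", [None])[0])
    # Absolute redirect plus the provider's correlation cookie: the external
    # middleware handled the challenge.
    if location.netloc and f".AspNet.Correlation.{provider}" in cookie_names:
        return ("external-challenge", None)
    return ("unclassified", None)

if __name__ == "__main__":
    for label, raw in (("sample app", SAMPLE_APP), ("old app", OLD_APP)):
        print(label, classify_challenge(raw, "Google"))
```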