OWIN and Azure AD HTTPS to HTTP Redirect Loop -

-

i new owin :). trying have page open public area allow anonymous on http, , restricted section require authentication. i'd not force entire site https general users.

the issue have receive following loop:

  1. http://example.com/authenticatedpage -> 302 redirect ad login
  2. login ad page http 200. triggers open of azure ad link site.
  3. link site identifies owin redirect , 302 redirect http://example.com/authenticatedpage
  4. go 1.

i have tried 3 ways of intercepting redirect in owin nothing seems work.

if begin session browsing https://example.com/ click on link authenticatedpage, login works expect. i.e.

  1. load https://example.com/authenticatedpage -> 302 redirect ad
  2. login ad -> loads https://example.com/
  3. 302 redirect https://example.com/authenticatedpage

is there anyway fix without marking whole site requiring ssl?

the problem referrer set oidc middleware in application. happens this:

  1. enter application on http://foo.bar , redirect identity provider
  2. the idp/ad redirects https://foo.bar configured return uri
  3. cookie set oidc middleware secure flag https only
  4. middleware redirects referrer url http
  5. cookie not set on http, step 1.

there multiple solutions such enforcing ssl only, overloading authorize attribute , setting cookiesecure flag cookiesecureoption.never (don't this).

the option prefer fix referrer in middleware such:

app.useopenidconnectauthentication(new openidconnectauthenticationoptions {     authority = ...     clientid = ...     redirecturi = "https://foo.bar"     responsetype = "id_token",     scope = "openid profile",           signinasauthenticationtype = "cookies",      // deal returning tokens     notifications = new openidconnectauthenticationnotifications     {         authorizationcodereceived = async n =>         {             // enforce reference/redirect https             var builder = new uribuilder(n.authenticationticket.properties.redirecturi);             builder.scheme = "https";             builder.port = 443;             n.authenticationticket.properties.redirecturi = builder.tostring();         }     } });

what rewrite http on referrer url https. way if user enters app on http, he'll automatically redirected https version after using it.


Comments

Post a Comment

Popular posts from this blog

javascript - Karma not able to start PhantomJS on Windows - Error: spawn UNKNOWN -

-
i lost "unknown" error: karma.conf.js: frameworks: ['mocha', 'should'], plugins: ['karma-mocha', 'karma-should', 'karma-phantomjs-launcher'], ... browsers: ['phantomjs'], error: 23 07 2015 14:35:37.691:warn [karma]: no captured browser, open http://localhost:9876/ 23 07 2015 14:35:37.701:info [karma]: karma v0.13.3 server started @ http://localhost:9876/ 23 07 2015 14:35:37.707:info [launcher]: starting browser phantomjs 23 07 2015 14:35:37.738:error [karma]: { [error: spawn unknown] code: 'unknown', errno: 'unknown', syscall: 'spawn' } error: spawn unknown @ exports._errnoexception (util.js:749:11) @ childprocess.spawn (child_process.js:1093:11) @ exports.spawn (child_process.js:933:9) @ object._execcommand (c:\users\jinga4x\git\mdl-sample-project\node_modules\karma\lib\launchers\process.js:63:21) @ object._start (c:\users\jinga4x\git\md...
Read more

Nuget pack csproj using nuspec -

-
i want create nuget package contains specified in nuspec file, still version csproj. in order use token have pack like: nuget pack myproj.csproj but when adds dependencies , creates unwanted folder in nuget package. nuspec file is: <?xml version="1.0" encoding="utf-8"?> <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd"> <metadata> <id>test</id> <version>$version$</version> <title>test</title> <authors>test</authors> <owners>test</owners> <requirelicenseacceptance>false</requirelicenseacceptance> <description>test</description> <summary>test</summary> <releasenotes>test</releasenotes> <copyright>test</copyright> </metadata> <files> <file src="bin\debug\*.dll" target="lib\net45" /> <file s...
Read more

c# - Display ASPX Popup control in RowDeleteing Event (ASPX Gridview) -

-
i have aspxgridview includes new , delete button. delete button includs gv_rowdeleting event. want show aspxpopupcontrol (id="pupconfirm"). want user have confirm password delete item. tried: protected void gv_rowdeleting(object sender, devexpress.web.data.aspxdatadeletingeventargs e) { pupconfirm.showonpageload = true; } but nothing happened. please me. !!! you can create template column javascript prompt confirmation. <itemtemplate> <asp:linkbutton id="btndelete" runat="server" text="delete" commandname="delete" onclientclick="javascript:if(!confirm('are sure want delete record?')){return false;}"> </asp:linkbutton> </itemtemplate>
Read more