
Authenticating with Identity Server in the OWIN

Open mithun-daa opened this issue 11 years ago • 14 comments

I have an application that uses the Identity Server to authenticate users. This app is built on top of ASP.NET MVC and ASP.NET Web API. Everything works great here.

We started a new project and decided to use the same IdSrv to authenticate users, but this time around we built our project using the new OWIN/Katana pipeline, hosted inside IIS (System.Web). The application is a SPA and has just one Index.html, and all of the data comes from the Web API middleware. I want to force users to be authenticated and, if they are not, redirect them to the IdSrv. This is how my Startup.cs looks:

        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
            {
                MetadataAddress = "https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "http://localhost:55793"
            });

            app.Use(async (environment, next) =>
            {
                if (!environment.Authentication.User.Identity.IsAuthenticated)
                {
                    //What do I do here??
                }

                await next();
            });

            app.UseFileServer(new FileServerOptions()
            {
                FileSystem = new PhysicalFileSystem("public")
            });

            ConfigureWebApi(app);

            app.Run(context =>
            {
                context.Response.ContentType = "text/plain";
                return context.Response.WriteAsync("Hello, world.");
            });
        }

I followed the following blog post to set up WSFederation here. I have added an Authorize attribute over my Web API resource, and when I try to reach it I get the following error:

IDX10803: Unable to create to obtain configuration from: 'https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml'.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 


[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml'.]
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +1839
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +49
   Microsoft.Owin.Security.WsFederation.<ApplyResponseChallengeAsync>d__c.MoveNext() +681
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<ApplyResponseCoreAsync>d__8.MoveNext() +531
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<TeardownAsync>d__5.MoveNext() +318
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +1371
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +291
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +1107
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +291
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<DoFinalWork>d__2.MoveNext() +293
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +208
   System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +443
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

Any ideas? Am I missing something?

mithun-daa avatar Oct 10 '14 13:10 mithun-daa

Is the cert for that host correct and trusted?

brockallen avatar Oct 10 '14 21:10 brockallen

No, it's a self signed cert.

mithun-daa avatar Oct 10 '14 22:10 mithun-daa

So perhaps the call is failing because you simply don't have the SSL part done right.

brockallen avatar Oct 11 '14 00:10 brockallen

It works just fine if I point to the IdSrv from an MVC app. The exception only occurs when I use OWIN.

mithun-daa avatar Oct 13 '14 14:10 mithun-daa

Check if Katana logging shows more info: https://katanaproject.codeplex.com/wikipage?title=Debugging&referringTitle=Documentation

leastprivilege avatar Oct 13 '14 14:10 leastprivilege

Not getting any trace info. Maybe it is happening even before all that kicks in?

mithun-daa avatar Oct 13 '14 20:10 mithun-daa

You may have already resolved this issue, but for future readers, I had the same problem today and it turned out to be my company's proxy server settings, so the issue was that the federationmetadata.xml file was not even being read. Hope this helps.

iampez avatar Nov 07 '14 13:11 iampez

Good point, @iampez -- see if you can even browse to the federation metadata in your browser.

brockallen avatar Nov 08 '14 14:11 brockallen

I can. I have a regular MVC app that works just fine talking to the same IdSrv. It just doesn't work if set up as an OWIN/Katana pipeline.

mithun-daa avatar Nov 08 '14 19:11 mithun-daa

@iampez I use token authentication and have the same issue with my company's proxy server. How did you resolve your issue? Is there a way to pass the proxy server as an option? Is it possible to configure it for accepting a proxy?

sevdaakgun avatar Dec 01 '15 12:12 sevdaakgun

We are also having the same problem starting today. We have all SSL set correctly and the same setting is working for one site and not the other. Any suggestions?

austinajit avatar Dec 08 '15 01:12 austinajit

@austinajit if something "all of a sudden" stopped working, then perhaps the signing certificate is past its expiration?

brockallen avatar Dec 08 '15 01:12 brockallen

I know I'm a bit late here but if anyone is still experiencing this issue then you can resolve it by providing your own "proxy aware" implementation of the WsFederationAuthenticationOptions.BackchannelHttpHandler.

```csharp
using System.Configuration;
using System.Net;
using System.Net.Http;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Realm, metadata URL and proxy endpoint are read from appSettings
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
    private static string proxyAddress = ConfigurationManager.AppSettings["ida:ProxyAddress"];
    private static string proxyPort = ConfigurationManager.AppSettings["ida:ProxyPort"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata,
                // Handler used for the back-channel metadata fetch; null keeps the middleware default
                BackchannelHttpHandler = GetProxyAwareHttpMessageHandler()
            });
    }

    private HttpMessageHandler GetProxyAwareHttpMessageHandler()
    {
        // No proxy configured: let the middleware use its default handler
        if (string.IsNullOrWhiteSpace(proxyAddress) || string.IsNullOrWhiteSpace(proxyPort))
            return null;

        var address = string.Format("{0}:{1}", proxyAddress, proxyPort);
        var proxy = new WebProxy(address, false)
        {
            UseDefaultCredentials = true
        };

        return new HttpClientHandler()
        {
            Proxy = proxy,
            UseDefaultCredentials = true
        };
    }
}
```

KahuKirikiri avatar Apr 28 '16 00:04 KahuKirikiri

Ah, thanks for the update!

brockallen avatar Apr 28 '16 00:04 brockallen
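The two root causes raised in this thread, an untrusted self-signed certificate on the metadata endpoint and an outbound corporate proxy, can be handled together in the back-channel configuration. This is an added example, not code from the thread or from the IdentityServer project; the `ida:*` appSettings keys and the thumbprint value are assumptions, and it pins the IdSrv certificate by thumbprint rather than disabling certificate validation process-wide.

```csharp
using System.Configuration;
using System.Net;
using System.Net.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Hypothetical appSettings keys: the realm, the IdSrv metadata URL and the
    // SHA-1 thumbprint of the IdSrv's self-signed TLS certificate.
    private static readonly string Realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static readonly string Metadata = ConfigurationManager.AppSettings["ida:MetadataAddress"];
    private static readonly string IdSrvThumbprint = ConfigurationManager.AppSettings["ida:MetadataCertThumbprint"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        var options = new WsFederationAuthenticationOptions
        {
            Wtrealm = Realm,
            MetadataAddress = Metadata,
            // The back-channel metadata fetch goes through whatever proxy
            // <system.net><defaultProxy> in web.config resolves to, using the
            // app pool identity's credentials, so a corporate proxy no longer
            // surfaces as IDX10803.
            BackchannelHttpHandler = new WebRequestHandler
            {
                Proxy = WebRequest.DefaultWebProxy,
                UseDefaultCredentials = true
            }
        };

        // Self-signed IdSrv certificate: pin it by thumbprint for this one
        // back-channel call instead of turning validation off via
        // ServicePointManager. Katana applies the validator through
        // WebRequestHandler.ServerCertificateValidationCallback, so the handler
        // above must be a WebRequestHandler, not a plain HttpClientHandler.
        if (!string.IsNullOrWhiteSpace(IdSrvThumbprint))
        {
            options.BackchannelCertificateValidator =
                new CertificateThumbprintValidator(new[] { IdSrvThumbprint });
        }

        app.UseWsFederationAuthentication(options);
    }
}
```

When the IdSrv later moves to a CA-issued certificate the validator returns true on a clean chain, so the pin only matters while the certificate is self-signed.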