Formsauthentication and owin facebook authentication side by side (web forms)

Question

I need to add Facebook (and later google etc.) authentication to an existing asp.net webforms application using forms authentication.

Im almost there but there seems to be a conflict between formsauthentication and the owin authentication. My solution is based on the standard VS 2015 template.

The relevant code to redirect to the the external authentication provider (facebook) is as follows:

string redirectUrl =
                ResolveUrl(String.Format(CultureInfo.InvariantCulture,
                    "~/Account/RegisterExternalLogin?{0}={1}&returnUrl={2}", IdentityHelper.ProviderNameKey,
                    provider, ReturnUrl));
            var properties = new AuthenticationProperties { RedirectUri = redirectUrl };

            Context.GetOwinContext().Authentication.Challenge(properties, provider);
            Response.StatusCode = 401;
            Response.End();

This works if i turn off forms authentication. If I have forms authentication, the user gets redirected to the forms authentication url defined in the web.config:

    <authentication mode="Forms">
      <forms name=".ASPXAUTH_Test" loginUrl="~/start/login.aspx" timeout="60" >
        </forms>
    </authentication>

From my understandint the Http Status code (401) triggers the redirect to the Url in the web.config. I tried to set other status codes, but they don't work at all. When I turn off forms authentication in the web.config, the actual login process still works (surprisingly) but if I access a protected page while not having logged in a get an ugly IIS error page, instead of being redirected.

It seems, that I can't get work forms authentication and owin external authentication to work together properly :-(

So far all alternatives don't seem enticing to me: - switch to the identity framework (in our specific environment, this is absolutly NOT an option. I just mention it for the sake for completness) - try to use web.api or something similar (which probably has the same problem) - let go of owin external authentication and implement everything by hand

Has anyone been able to make this work? Any help is appreciated. Thanks in advance.

Answer 1

Halleluja, I found the solution:

From .Net 4.5 it is possible to prevent the forms redirect in the response: Response.SuppressFormsAuthenticationRedirect = true;

so the working code would look like:

            var owinContext = Context.GetOwinContext();
            owinContext.Authentication.Challenge(properties, provider);
            Response.SuppressFormsAuthenticationRedirect = true;
            Response.StatusCode = 401;
            Response.End();