Login to a custom OAuth 2.0 server using the same tokens issued by the auth server


I have implemented a simple authorization server with C# using the following guide. This works fine for my other applications that I built.

The problem arises when I want to login to the Auth server itself to manage user settings like 'change password' or 'change email'. I want to show a front-end, but when I use the [Authorize] tag on the endpoint, my incoming User is always null, while it works fine on the other applications.

I tried setting the DefaultAuthenticationType to different values but to no avail.

How is it possible to log in to the Auth server with the same token it generates?

EDIT: To make the flow more obvious: I have a website, an API and an authorization server. When users want to log in to the website, they are redirected to the authorization server to authenticate and authorize. This is through the OAuth 2.0 authorization code grant flow. The access token is then used to retrieve information from the API, which is protected with the [Authorize] tag. This works.

What I want now is that I can redirect to a specific 'change password' view on the authorization server itself, and this has to be protected with [Authorize] as well. This does not work, as the user will be null.

EDIT2: The Authorize tag automatically protects API/view endpoints in C# ASP.NET MVC/Web API.

EDIT3: This is how I configure my Auth server.

public void ConfigureOAuth(IAppBuilder app, IUnityContainer container)
{
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Cookie middleware for the server's own pages. Passive mode means the
    // cookie identity is only established when a component explicitly
    // requests authentication for this scheme.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        AuthenticationMode = AuthenticationMode.Passive,
        LoginPath = new PathString("/Account/Login"),
        LogoutPath = new PathString("/Account/Logout"),
        Provider = new CookieAuthenticationProvider()
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationIdentityUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie))
        }
    });

    OAuthBearerOptions = new OAuthBearerAuthenticationOptions();

    // Authorization server: token and authorize endpoints plus the custom providers.
    OAuthBearerServerOptions = new OAuthAuthorizationServerOptions()
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/token"),
        AuthorizeEndpointPath = new PathString("/authorize"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(10),
        Provider = container.Resolve<SimpleAuthorizationServerProvider>(),
        RefreshTokenProvider = container.Resolve<SimpleRefreshTokenProvider>(),
        AuthorizationCodeProvider = container.Resolve<SimpleAuthorizationCodeProvider>()
    };

    // Token Generation
    app.UseOAuthAuthorizationServer(OAuthBearerServerOptions);
    app.UseOAuthBearerAuthentication(OAuthBearerOptions);
    var configuration = container.Resolve<IConfiguration>().Get<AuthServiceSettings>("Application");

    // Configure Google
    GoogleAuthOptions = new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = configuration.GoogleSettings.ClientId,
        ClientSecret = configuration.GoogleSettings.ClientSecret,
        Provider = new GoogleAuthProvider()
    };
    GoogleAuthOptions.Scope.Add("email");
    GoogleAuthOptions.Scope.Add("openid");
    app.UseGoogleAuthentication(GoogleAuthOptions);

    // Configure Facebook External Login
    FacebookAuthOptions = new FacebookAuthenticationOptions()
    {
        AppId = configuration.FacebookSettings.AppId,
        AppSecret = configuration.FacebookSettings.AppSecret,
        Provider = new FacebookAuthProvider(),
        BackchannelHttpHandler = new FacebookBackChannelHandler(),
        UserInformationEndpoint = configuration.FacebookSettings.UserInformationEndpoint
    };
    FacebookAuthOptions.Scope.Add("email");
    FacebookAuthOptions.Scope.Add("public_profile");
    app.UseFacebookAuthentication(FacebookAuthOptions);
}

EDIT4: Debug information when checking variables:

>> HttpContext.User.Identity.IsAuthenticated
false
>> System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated
true

No idea why these identities are not the same... but based on this I could write my own authorize tag and use that, but I'm reluctant to use something from Thread because I don't know if this works on multiple threads.


There are 0 answers
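The thread has no answers. As an added example, not code from the original post or from the OWIN project, here is a hypothetical C# Startup that shows the pattern the posted configuration is close to: the cookie middleware registered in AuthenticationMode.Active so that HttpContext.User is populated for the server's own MVC views before [Authorize] runs (the posted config uses Passive, under which the cookie identity is only established when something explicitly asks for that scheme), Web API endpoints on the same host restricted to bearer tokens, and the weak settings in the posted config (AllowInsecureHttp = true, no explicit cookie flags) replaced by hardened values. The method name ConfigureAuth, the ProfileController, and the provider parameters are assumptions; SimpleAuthorizationServerProvider and the other provider types are taken from the question and assumed to exist.

```csharp
using System;
using System.Web.Http;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical Startup for an authorization server that also serves its own
// account-management views. The provider instances are passed in instead of
// being resolved from a container, purely to keep the example self-contained.
public partial class Startup
{
    public void ConfigureAuth(
        IAppBuilder app,
        HttpConfiguration webApiConfig,
        IOAuthAuthorizationServerProvider serverProvider,       // e.g. SimpleAuthorizationServerProvider
        IAuthenticationTokenProvider authorizationCodeProvider, // e.g. SimpleAuthorizationCodeProvider
        IAuthenticationTokenProvider refreshTokenProvider)      // e.g. SimpleRefreshTokenProvider
    {
        // Cookie scheme for the server's own MVC pages (login, change password).
        // Active mode: the middleware authenticates the cookie on every request and
        // sets the OWIN principal, which the System.Web host copies to HttpContext.User.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/Logout"),
            // Hardening: the session cookie is unreadable from script and never sent over plain HTTP.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true
        });

        // Token issuance. AllowInsecureHttp = false rejects /token and /authorize
        // requests that do not arrive over TLS, so codes and tokens are never sent in clear text.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = false,
            TokenEndpointPath = new PathString("/token"),
            AuthorizeEndpointPath = new PathString("/authorize"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(10),
            Provider = serverProvider,
            AuthorizationCodeProvider = authorizationCodeProvider,
            RefreshTokenProvider = refreshTokenProvider
        });

        // Bearer scheme: validates access tokens presented in the Authorization header.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        // Web API on the same host authenticates with bearer tokens only. Ignoring the
        // cookie here means a browser session cannot be replayed against the API by a
        // cross-site request; the MVC views keep using the cookie.
        webApiConfig.SuppressDefaultHostAuthentication();
        webApiConfig.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
    }
}

// MVC view protected by the cookie scheme. With the Active cookie middleware above,
// User.Identity is already populated when the MVC [Authorize] filter runs, so no
// custom attribute reading Thread.CurrentPrincipal is needed.
[System.Web.Mvc.Authorize]
public class AccountController : Controller
{
    public ActionResult ChangePassword()
    {
        // Fail closed if the principal is anonymous for any reason.
        if (User == null || !User.Identity.IsAuthenticated)
        {
            return new HttpUnauthorizedResult();
        }

        ViewBag.UserName = User.Identity.Name;
        return View();
    }
}

// Web API endpoint on the same host, reachable only with a valid bearer token
// because of the global HostAuthenticationFilter registered in ConfigureAuth.
[System.Web.Http.Authorize]
public class ProfileController : ApiController
{
    public IHttpActionResult Me()
    {
        return Ok(new { name = User.Identity.Name });
    }
}
```

The split is deliberate: browser-driven views on the authorization server are authenticated by its own cookie, while the bearer token it issues is what clients present to APIs. A browser following a redirect to /Account/ChangePassword does not attach an Authorization header, so expecting the access token there would not work even with the cookie scheme fixed.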