Login page on different domain

by 
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/account/login"),
            LogoutPath = new PathString("/account/logout"),
            Provider = new CookieAuthenticationProvider
            {
                OnApplyRedirect = ApplyRedirect
            },
        });
    }

    private static void ApplyRedirect(CookieApplyRedirectContext context)
    {
        Uri absoluteUri;
        if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
        {
            var path = PathString.FromUriComponent(absoluteUri);
            if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
            {
                context.RedirectUri = "http://accounts.domain.com/login" +
                    new QueryString(
                        context.Options.ReturnUrlParameter,
                        context.Request.Uri.AbsoluteUri);
            }
        }

        context.Response.Redirect(context.RedirectUri);
    }
}

If apps.domain.com is the only return URL base possible, you should strongly consider replacing context.Request.Uri.AbsoluteUri with context.Request.PathBase + context.Request.Path + context.Request.QueryString and build an absolute return URL in your authentication server to protect your apps from abusive redirects.

Hope this helps 😉

EDIT: you might ask yourself why I don’t directly apply the redirect using the context.RedirectUri property. In fact, ICookieAuthenticationProvider.ApplyRedirect is responsible of multiple redirects, corresponding to the log-in and log-out flows (yep, I know, it breaks the single responsibility principle…). But there’s even worse: context.RedirectUri can either represent the authentication endpoint’s absolute URL in the beginning of the log-in flow or the final browser’s destination (ie. the real relative “return URL”) when the cookie is effectively being sent back to the browser… that’s why we need to make sure that context.RedirectUri is absolute and corresponds to the registered context.Options.LoginPath.

More Related Contents:

  1. Do I need a Global.asax.cs file at all if I’m using an OWIN Startup.cs class and move all configuration there?
  2. How do I export to Excel?
  3. How to get current user, and how to use User class in MVC5?
  4. ASP.Net MVC route to catch all *.aspx requests
  5. How to add Web API to an existing ASP.NET MVC (5) Web Application project?
  6. Get UserID of logged-in user in Asp.Net MVC 5
  7. ASP.NET MVC 5 culture in route and url
  8. How to get DropDownList SelectedValue in Controller in MVC
  9. Unauthorised webapi call returning login page rather than 401
  10. Could not find a part of the path … bin\roslyn\csc.exe
  11. How to return PDF to browser in MVC?
  12. How to update a claim in ASP.NET Identity?
  13. 404 error after adding Web API to an existing MVC Web Application
  14. Proper JSON serialization in MVC 4
  15. An error occurred during report processing. -RLDC reporting in ASP.NET MVC
  16. How do I log a user out when they close their browser or tab in ASP.NET MVC?
  17. OWIN’s GetExternalLoginInfoAsync Always Returns null
  18. Why is Asp.Net Identity IdentityDbContext a Black-Box?
  19. Windows Authentication and add Authorization Roles through database – MVC asp.net
  20. How to get current page URL in MVC 3
  21. How can I secure passwords stored inside web.config?
  22. How to I apply filter while paginating in Asp.net MVC and entity Framework?
  23. Async PartialView causes “HttpServerUtility.Execute blocked…” exception
  24. How to return a PDF from a Web API application
  25. System.web.mvc missing
  26. How to route EVERYTHING other than Web API to /index.html
  27. Dealing with large file uploads on ASP.NET Core 1.0
  28. How to create Select List for Country and States/province in MVC
  29. Using a wwwroot folder (ASP.NET Core style) in ASP.NET 4.5 project
  30. LINQ to Entities does not recognize the method ‘System.String ToString()’ method in MVC 4

Leave a Comment