Authenticate an ASP.NET MVC 5 app (targets .net 4.5) with an ASP.NET CORE 3 auth server that runs Identity Server 4


I'm currently building an auth server using Identity Server 4 with a SPA (React) application that authenticates against it. I would now like to also take another application that is currently in existence (this is ASP.NET MVC 5, targets .NET 4.5, currently uses ASP.NET Identity 2 management classes for managing users and sign-out/sign-in using cookie authentication) and update it so that it can log in externally with this new auth server (so a user can log in using the existing authentication, but also use this auth server now, so that a user session could be shared between this existing app and this other SPA app).

The problem, as I understand it, is that we need to use PKCE to authenticate with the auth server, but there doesn't appear to be a way to do this with the MVC 5 app. I can install the Microsoft.Owin.Security.OpenIdConnect package, but it doesn't allow for using PKCE since this is a newer thing (apparently if you target .NET 4.6.1 there is a way to make that work with that version of the OpenIdConnect package). I can't change our target; it needs to stay .NET 4.5 (to upgrade to 4.6.1 or higher would cause all kinds of problems with the build and current packages, and it would be a larger undertaking than my organization is willing to take on at this time).

Is there a way that anyone knows of to make this work using an ASP.NET MVC 5 app that targets .NET 4.5 and an auth server that uses Identity Server 4? Would the only way be to use a GrantType.Implicit flow instead of requiring PKCE with a GrantType.Code, and would that even be advised now?

Thanks!

In this case you are dealing with 2 clients, the SPA app and the ASP.NET MVC app, and each client can have its own flow (grant type). We can use authorization code flow with PKCE for the SPA app, and implicit flow for the ASP.NET MVC app.

PKCE is suggested for interactive applications:

1. a front-channel step via the browser where all "interactive" things happen, e.g. login page, consent etc. This step results in an authorization code that represents the outcome of the front-channel operation.

2. a back-channel step where the authorization code from step 1 gets exchanged with the requested tokens. Confidential clients need to authenticate at this point.

The MVC app you described is just doing authentication, so no worries, it's fine to use implicit.

I have a post for implementing it here

This is great, looks like exactly what I needed. I did try setting it up exactly as you have it, and it authenticates fine, but then the page gets stuck in some kind of redirection loop - it's constantly just going to the auth server to verify the user at localhost:5000/connect/authorize? right after verifying the user and sending them back.
user1368182 May 15, 2020 at 19:29

My MVC app for cookie authentication has always used cookie authentication (app.UseCookieAuthentication) with AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, not AuthenticationType = "Cookies" as you have in your example, so I kept using that for both app.UseOpenIdConnectAuthentication and app.UseCookieAuthentication... so I wonder if I need to change both to "Cookies" now - I'm also wondering if I need some kind of endpoint that handles the response and signs them in with the cookie authentication too in the local app once it knows it's authenticated with the auth server.
user1368182 May 15, 2020 at 19:48

1. About the redirection loop, do you have authorization in MVC? The default behaviour is to redirect all unauthorized users to IdentityServer; this can cause an infinite loop. You can change it by overriding AuthorizeAttribute - HandleUnauthorizedRequest. here is explained @user1368182
nahidf May 16, 2020 at 5:29

2. For AuthenticationType, it's just a string and will affect the cookie name on the MVC app: if you use DefaultAuthenticationTypes.ApplicationCookie the cookie would be .AspNet.ApplicationCookie, but if you use Cookies the cookie name would be .AspNet.Cookies. BTW I suggest you use Cookies, as DefaultAuthenticationTypes is an enum on `Microsoft.AspNet.Identity` which we don't use/need here @user1368182
nahidf May 16, 2020 at 5:29

3. About a custom endpoint, no, there is no need for any endpoint, the OWIN middleware handles it all - I suggest you turn on the logs, if they are not on yet, to collect more details. See here for nlog sample @user1368182
nahidf May 16, 2020 at 5:30
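The setup discussed in the comments above, as an added example (not code from the answer or its linked post): an OWIN startup for the MVC 5 client using implicit flow with an identity token only, one shared authentication type for both middlewares, and an `AuthorizeAttribute` override that returns 403 to already-signed-in users instead of challenging again. The client id, the redirect URI, the `http` scheme on the authority and the class names are assumptions.

```csharp
using System.Net;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // One name shared by both middlewares: the OpenID Connect middleware signs
    // the user in "as" this type, and the cookie middleware registered under
    // the same type is the one that issues the local session cookie.
    private const string CookieType = "Cookies";

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieType
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "http://localhost:5000",    // auth server host from the thread; scheme assumed
            ClientId = "mvc5-client",               // assumed client id
            RedirectUri = "http://localhost:5002/", // assumed MVC app URL
            ResponseType = "id_token",              // implicit flow, identity only: no access token sent via the browser
            Scope = "openid profile",
            SignInAsAuthenticationType = CookieType
        });
    }
}

// A signed-in user who fails an authorization check gets 403 rather than a
// fresh challenge, which would bounce through /connect/authorize and back.
public class AuthorizeWithForbiddenAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext); // anonymous: 401, middleware redirects to the auth server
        }
    }
}
```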
