klings
commented
9 years ago Thanks for the positive feedback!
NWebsec.SessionSecurity is only concerned with session ids, and does not alter the identity in any way. In order to create session ids per user, it will read the IsAuthenticated and Name properties on the HttpContext.Current.User.Identity.
If you set enabled=false, the custom SessionIDManager will simply call the base class implementation so it's a bit weird that this should cause any issues.
Could there be some other code that could be causing the issue? Anything that checks for something on the session object?
I'm pretty sure it's not IdentityServer's fault, so we can look into it here instead of in IdentityServer/IdentityServer3#1765.
jlegan
Andre,
I spent some time with Troy Hunt's latest Pluralsight video the other day and came across your project for the first time. I had been implementing most of this functionality myself but your project was a huge win in terms of portability and thoroughness of implementation so thank you very much.
Now onto what I am seeing. I had everything implemented in NWebSec with the exception of SessionSecurity and everything was working as expected. While I know this is not a defect in your code it appears to be an interoperability issue between my IdP (Thinktecture's IdentityServer 3) and the massaging that SessionSecurity is performing on the identity. Without SessionSecurity in the web.config I get redirected to my IdP, authenticate and can login without incident. When I say without it in the web.config I mean entirely. Simply setting enabled="false" does not allow me to login.
I can walk the AuthorizationCodeReceived notification of the OpenId event and see that the AuthenticationTicket is written out correctly. I then receive a RedirectToIdentityProvider event as something is invalidating the User and I suspect it is in the massaging of SessionSecurity.
Are there any known defects or "gotchas" when using OIDC, how the authentication tickets are written, etc... that would allow me to move past this?
Thanks,
Jim