IdentityServer3 (Owin) Cookies

[TheAngryByrd]

So I attempting to get IdentityServer3 (2.5.3) Suave (2.0.0-alpha006) running on Mono (4.6.1). I used the implicit flow for it and I was able to get the the login screen. However when I attempted to login, I was sent back to the login page. After some digging I found out the for some reason the Set-Cookie headers weren't being set for the cookies that IdentityServer needs (idsvr.session, idsvr, idsvr.partial, etc). Only the first cookie was being set, SignInMessage. This also seems true for any Owin middleware that sets more than one cookie. I doubled checked on Windows .net 4.6 and the behavior was the same.

    type Cookies(next:OwinMiddleware)  =
        inherit OwinMiddleware(next)
        override this.Invoke (context:IOwinContext) : Task =
            async {
                context.Response.Cookies.Append("FirstCookie","FirstValue")
                do! next.Invoke(context) |> Async.AwaitTask
                context.Response.Cookies.Append("SecondCookie","SecondValue")
            } |> Async.StartAsTask :> Task
    let setRandomCookies =
        let app = new AppBuilder()
        let app = app.Use(typeof<Cookies>, [||]) 
        app.Build()
        |> OwinApp.ofAppFunc "/" 

TLDR; Suave needs to handle Set-Cookie differently when coming back from OWIN.

Owin.fs

      let handleResponse  (rhs : Dictionary<string, string[]>) = 
        let handleKey key =
            if key = "Set-Cookie" then 
                rhs.[key] |> Seq.map(fun v -> key,v) |> Seq.toList
            else
                [key, String.concat ", " rhs.[key]]

        (Seq.collect handleKey rhs.Keys |> Seq.toList)

      let setResponseHeaders (rhs : Dictionary<string, string[]>) =
        Lens.set respHeaders_ (handleResponse rhs)

I can send a pull request if you'd like.

[ademar]

Sure, a PR will be welcome :)