aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

/signin-oidc is not found #502

Closed FixRM closed 7 months ago

FixRM commented 1 year ago

Hello! Sorry for asking stupid things, but should I handle signin/signout myself if I'm using Microsoft.Owin.Security.OpenIdConnect?

The following code works like a charm with Microsoft.AspNetCore.Authentication.OpenIdConnect:

    // ASP.NET Core, inside Startup.ConfigureServices(IServiceCollection services).
    // Required usings:
    //   using Microsoft.AspNetCore.Authentication.Cookies;
    //   using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    services
        .AddAuthentication(cfg =>
        {
            // Cookie holds the session; OIDC is only used to challenge.
            cfg.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            cfg.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(cfg =>
        {
            cfg.Authority = "https://myoauthserver/";
            cfg.ClientId = "hangfire";
            cfg.ResponseType = "code"; // authorization code flow

            cfg.Scope.Clear();
            cfg.Scope.Add("openid");
            cfg.Scope.Add("profile");
        });

but similar code doesn't with Microsoft.Owin.Security.OpenIdConnect:

    // Katana (OWIN), inside Startup.Configuration(IAppBuilder app).
    // Required usings:
    //   using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    //   using Microsoft.Owin.Security.Cookies;
    //   using Microsoft.Owin.Security.OpenIdConnect;
    //   using Owin;
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // Note: no RedirectUri and no RedeemCode set; this is the configuration the question is about.
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://myoauthserver/",
        ClientId = "hangfire",
        ResponseType = OpenIdConnectResponseType.Code,
        Scope = OpenIdConnectScope.OpenIdProfile
    });

At first, it doesn't pass redirect_url if it is not set explicitly. But if I set it to something like http://localhost:9001/signin-oidc myself, the redirect works but the signin-oidc endpoint seems not to be registered. Am I doing something wrong? The teaser was that ClientId & Authority are all I need: https://devblogs.microsoft.com/dotnet/owin-security-components-in-asp-net-openid-connect/

Tratcher commented 1 year ago

Check the ResponseMode option, it defaults to FormPost, which is less common to combine with ResponseType Code.

https://github.com/aspnet/AspNetKatana/blob/3c194663090eeea35e5ee95cbe54959e0b90e3e3/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs#L66

Is the request to /signin-oidc a GET or POST?

FixRM commented 1 year ago

Hello @Tratcher. Request to /signin-oidc is POST for ResponseMode = FormPost and GET for ResponseMode = Query. For both options I see 404 in browser console.

FixRM commented 1 year ago

The answer was found here: https://github.com/aspnet/AspNetKatana/issues/348. I need to add RedeemCode = true to make it work. @Tratcher can you please explain how it works and what is going on there? Am I using hybrid flow or PKCE or whatever?

FixRM commented 1 year ago

The second problem is the need to explicitly set the RedirectUri parameter. Can we work around this somehow @Tratcher? The site can be sitting behind DNS/reverse proxy/etc. and have several public names. Of course we need to add them all to the STS, but still, is that possible in the Framework version?

Tratcher commented 1 year ago

> RedeemCode

Code redemption was a feature added later so it was opt-in in case anyone was already doing the redemption themselves.

> The second problem is the need to explicitly set the RedirectUri parameter. Can we work around this somehow @Tratcher? The site can be sitting behind DNS/reverse proxy/etc. and have several public names. Of course we need to add them all to the STS, but still, is that possible in the Framework version?

I think you'd need to use the RedirectToIdentityProvider Notification to update the ProtocolMessage.RedirectUri to match the current request host value.
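
As an added example (not code from this issue or from the Katana project), here is a Katana configuration that combines the two answers above: RedeemCode = true so the middleware redeems the authorization code itself, and a RedirectToIdentityProvider notification that rewrites ProtocolMessage.RedirectUri from the current request host. The host names, the appSettings key for the client secret, the UsePkce option (Katana 4.1+) and the path constant are assumptions for illustration. The allow-list check is this example's addition: the Host header is request-controlled, so copying it blindly into redirect_uri lets a forged Host steer the callback.

```csharp
// Added example, not part of the issue or of Katana itself.
// Assumed: Katana 4.1+ (RedeemCode/UsePkce), a confidential client whose secret is
// in appSettings, and a constructed allow-list of public host names that are also
// registered as redirect URIs at the STS.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Constructed allow-list (assumption): every public name the site answers on.
    // https://<host>/signin-oidc must be registered at the STS for each of them.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "hangfire.example.com",
            "hangfire-internal.example.com",
            "localhost:9001",
        };

    private const string CallbackPath = "/signin-oidc";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://myoauthserver/",
            ClientId = "hangfire",
            // Assumption: confidential client; code redemption needs the secret.
            ClientSecret = ConfigurationManager.AppSettings["oidc:ClientSecret"],
            ResponseType = OpenIdConnectResponseType.Code,
            // Katana defaults to form_post; query is the usual pairing with response_type=code.
            ResponseMode = OpenIdConnectResponseMode.Query,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // Opt in to the middleware exchanging the code for tokens (off by default).
            RedeemCode = true,
            UsePkce = true, // Katana 4.1+ option; assumed available in the installed version
            // A concrete default so the callback is known at startup; the notification
            // below swaps only the host on each request and keeps the path fixed.
            RedirectUri = "https://hangfire.example.com" + CallbackPath,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = notification =>
                {
                    // Host is taken from the request, so treat it as untrusted input:
                    // rewrite redirect_uri only for hosts on the allow-list. Behind a
                    // reverse proxy the proxy must pass the public host through (or you
                    // must consume a trusted X-Forwarded-Host); this uses Request.Host.
                    string host = notification.Request.Host.Value;
                    if (!AllowedHosts.Contains(host))
                    {
                        return Task.FromResult(0); // keep the configured default RedirectUri
                    }

                    string baseUrl = notification.Request.Scheme + "://" + host
                                     + notification.Request.PathBase.Value;

                    if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        notification.ProtocolMessage.RedirectUri = baseUrl + CallbackPath;
                    }
                    else if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                    {
                        notification.ProtocolMessage.PostLogoutRedirectUri = baseUrl + "/";
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The explicit RedirectUri is kept because the thread reports that the callback works when it is set and 404s when it is only supplied through the notification; the notification then changes just the host, never the path. If a request arrives with a host that is not on the allow-list, the default redirect_uri is sent unchanged, and the STS's own registered-redirect check remains the second line of defence.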

FixRM commented 1 year ago

I tried, but it ends up with a 404 for some reason. If host/signin-oidc is set explicitly, it works; if it is set via the RedirectToIdentityProvider notification, I get a 404.

Tratcher commented 1 year ago

Look at a Fiddler trace to see if the redirects are being generated as expected.

This should be the only relevant check to pass: https://github.com/aspnet/AspNetKatana/blob/3c194663090eeea35e5ee95cbe54959e0b90e3e3/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L226