
Monday, September 21, 2015

About OWIN and the Cookie Monster

The most frustrating part when writing the authentication live sample was a strange behavior where after authenticating with the external provider, a call to HttpContext.GetOwinContext().Authentication.GetExternalLoginInfoAsync() would return null instead of the user’s information.

This would happen the second time a user would go through the authentication redirection “dance” (when the external provider would immediately redirect back to the application), but then not the third time… really weird.

Fiddler revealed that the middleware that handles the redirection from Google (by default a URL that ends in “/signin-google”) would set a cookie before redirecting to my route where GetExternalLoginInfoAsync is called. Presumably this method gets the information from the cookie. Well, sometimes the middleware would not include a Set-Cookie header (!!).

A search revealed the blog post Catching the System.Web/Owin Cookie Monster, by Anders Abel, that gives an explanation of what is happening. He even has a workaround middleware called Kentor.OwinCookieSaver. After installing this package in my application, the authentication began working as expected.
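As an added example (not code from this post or from the Kentor project), here is a Startup.Auth.cs in the style of the ASP.NET Identity templates that registers the cookie saver ahead of the cookie-writing middleware; the namespace MyApp and the client id/secret values are placeholders I made up.

```csharp
using Kentor.OwinCookieSaver;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Per the package README, this must be registered before any
            // middleware that sets cookies, otherwise it cannot preserve the
            // Set-Cookie headers that System.Web would otherwise drop.
            app.UseKentorOwinCookieSaver();

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login")
            });

            // Temporary cookie that carries the external provider's claims from
            // /signin-google to the route that calls GetExternalLoginInfoAsync.
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
            {
                ClientId = "PLACEHOLDER-client-id",         // placeholder, not a real credential
                ClientSecret = "PLACEHOLDER-client-secret"  // placeholder, not a real credential
            });
        }
    }
}
```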

It was troubling to see this strange behavior between System.Web and Owin, and it leaves open the question of what other subtle weirdness awaits, hidden in the interaction of these two systems.

Federico
