Converting an OWIN token to an OWIN cookie...


  • Notification Spam Recipient

    I have an MVC application that is capable of authenticating using Bearer tokens (i.e., the HTTP request has a header of Authorization: Bearer blahblahblah).

    I want to be able to automagically send users that have been automagically authenticated (and have said bearer token) to the website and have them logged in (basically, replacing the username/password with the token).

    This actually works if I indeed send the token in the header. However, it doesn't seem to be possible to generate a URL with said header information (because duh).

    This is my attempt at transforming a GET parameter into a header and asking for authorization:

            [AllowAnonymous]
            public ActionResult LoginToken(string token)
            {
                Request.Headers.Add("Authorization", string.Format("Bearer {0}", token));
                AuthenticateResult a = AuthenticationManager.AuthenticateAsync("Bearer").Result;
                
                return View("Info");
            }
    

    This doesn't work, but I'm not sure why, other than my conjecture that by the time the program has entered that function, the authentication manager has been done authenticating.


  • Notification Spam Recipient

    Ugh. Should have searched gooder.

    But.... this doesn't actually sign them in, so... Yay!



  • @Tsaukpaetra said in Converting an OWIN token to an OWIN cookie...:

    > But.... this doesn't actually sign them in, so... Yay!

    Doesn't it? The middleware code should run before MVC in the pipeline, so MVC should only see the header already filled and treat it as if it was always there.


  • Fake News

    @Tsaukpaetra Did you try that code?

    Are you sure the Owin pipeline is correctly set up to run that header-setting code before any MVC stuff?


  • Notification Spam Recipient

    > @Maciejasjmj said in Converting an OWIN token to an OWIN cookie...:
    >
    > > @Tsaukpaetra said in Converting an OWIN token to an OWIN cookie...:
    > >
    > > But.... this doesn't actually sign them in, so... Yay!
    >
    > Doesn't it? The middleware code should run before MVC in the pipeline, so MVC should only see the header already filled and treat it as if it was always there.

    > @JBert said in Converting an OWIN token to an OWIN cookie...:
    >
    > @Tsaukpaetra Did you try that code?
    >
    > Are you sure the Owin pipeline is correctly set up to run that header-setting code before any MVC stuff?

    It does. For that request. In MVC, apparently it sends back cookies when logging in. But not when I use a token, because it's already signed in.

    So, I basically made a stub action:

            /// <summary>
            /// Convert an authorized request to a full session. Used for the access_token method.
            /// </summary>
            /// <returns></returns>
            public ActionResult LoginToken()
            {
                SignInManager.SignIn(UserManager.FindById(User.Identity.GetUserId()),true,true);
                return RedirectToAction("Index","Manage");
            }
    

    For some reason, this lets the response contain the right cookies, whereas a bunch of other attempts did not.

    Wack.
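
The pipeline ordering and the token-to-cookie exchange discussed in this thread, as an added example that is not code from any of the posts. It assumes the default MVC 5 + ASP.NET Identity template (`ApplicationUserManager`, `ApplicationSignInManager`, existing cookie middleware); the `ConfigureTokenExchange` method, the `TokenLoginController` name, the `/TokenLogin/LoginToken` path and the `access_token` parameter name are hypothetical, and unlike the stub action above it issues a non-persistent cookie.

```csharp
// Added example; names not found in the thread are assumptions (see lead-in).
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Hypothetical helper: call it from the template's ConfigureAuth, after the
    // CreatePerOwinContext and UseCookieAuthentication registrations.
    public void ConfigureTokenExchange(IAppBuilder app)
    {
        // Registered BEFORE the bearer middleware, so that middleware sees the header.
        // Limited to one HTTPS-only path: tokens in URLs end up in logs and Referer headers.
        app.Use(async (context, next) =>
        {
            string token = context.Request.Query.Get("access_token");
            if (context.Request.IsSecure && !string.IsNullOrEmpty(token)
                && context.Request.Path.Equals(new PathString("/TokenLogin/LoginToken"))
                && !context.Request.Headers.ContainsKey("Authorization"))
            {
                context.Request.Headers.Set("Authorization", "Bearer " + token);
            }
            await next();
        });
        // Stands in for the application's existing bearer registration.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class TokenLoginController : Controller
{
    [Authorize] // the request is already authenticated by the bearer middleware
    public async Task<ActionResult> LoginToken()
    {
        var owin = HttpContext.GetOwinContext();
        var user = await owin.GetUserManager<ApplicationUserManager>()
                             .FindByIdAsync(User.Identity.GetUserId());
        if (user == null) return new HttpUnauthorizedResult();
        // Issue the application cookie; session-only here rather than persistent.
        await owin.Get<ApplicationSignInManager>()
                  .SignInAsync(user, isPersistent: false, rememberBrowser: false);
        // Redirecting drops the token from the address bar and browser history entry.
        return RedirectToAction("Index", "Manage");
    }
}
```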