Single Sign On - Web Forms & MVC 5

We are gradually upgrading a legacy Web Forms application to MVC 5 and we want to use Auth0 for authentication. So we are creating a simple proof of concept to check that single sign on works as expected between a web forms app and an MVC app.

But it is not working as expected and I was wondering if anybody else has experience with this and can help.

If you login to the Web Forms app (http://authzerowebformstest.azurewebsites.net/) and then go to the MVC app (http://authzeromvctest.azurewebsites.net/) and refresh the page it does not recognise that you are authenticated. You have to click the 'Login' menu item (top right) which calls the Auth0 login code and then recognises that you are logged in and does not ask for credentials.

I would have expected the app to recognise that the user is authenticated without having to call the Auth0 code.

Logout has the same issue in that you have to click logout on both applications.

The Web Forms project is using this code sample - Auth0 Regular Web App Quickstarts

The MVC project is using this code sample - Auth0 ASP.NET (OWIN) SDK Quickstarts: Login

I assume there is some code that I need to add to both applications to call the Auth0 API and check whether the user is logged in and then redirect them if not, but I can't find that in the documentation.

Can anybody point me in the right direction?

1 Like

With pre .net core apps, SSO can be achieved using the same machine keys and matching cookie domains etc, I think something similar is possible with .net core and pre .net core apps, where you can use Auth0 using the cookie scheme and get things matched in a similar way

I just found this: https://www.hanselman.com/blog/SharingAuthorizationCookiesBetweenASPNET4xAndASPNETCore10.aspx

hope it helps.

UPDATE:

usually the configs have the same machine key and cookie domain set in the startup something like this:

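```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    // Same cookie domain value on every site that shares the cookie
    CookieDomain = Settings.SiteCookieDomain,
    Provider = new CookieAuthenticationProvider
    {
        OnApplyRedirect = ctx =>
        {
            // IsApiRequest is a helper defined elsewhere in the app;
            // only non-API requests are redirected to the login page
            if (!IsApiRequest(ctx.Request))
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }
        }
    }
});
```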

the setting being ".yourdomain.com" (including dot)

and all sites must be on the same protocol, you may have issue if sites can handle both http and https?

Thanks for the quick response. We are using Web Forms and MVC 5 not .NET Core. We already have the same machine keys for both apps. Like I said in my original post it works to some degree, so I'm not sure that is the issue.
The test applications are hosted in separate App Services on Azure - not sure if that makes any difference.

Thanks @brightertools what I meant by it works to some degree, is with reference to original post. If you click 'Login' on either app it calls the Auth0 login process and that recognises that the user is logged in and does not ask for any credentials. I just expected it to do that when I refresh the page.

We are using the Lock widget too, rather than the full API, so I expected that to handle everything (cookies etc). Do you think we need to add some code to both apps to use the same cookie domain?

I would have thought if that was the issue it would not work at all.

Given that both applications are already using centralized login through the hosted login page then an end-user authentication into any of the applications is already creating an authentication session at the identity provider (your Auth0 tenant/domain) which can then be leveraged by the other application.

This is already happening to some degree because, like you said, when visiting the second application and going through the login process the end-user is not prompted to re-enter credentials, so technically does not perform authentication a second time. However, as is your requirement, this flow can be improved so that by purely visiting the second application the end-user is automatically treated as authenticated.

In order to achieve the above you can (without requiring the user interaction) query the identity provider to see if there is an authenticated session already active and if there is your application can use the result of that query to automatically log in the end-user. **The way you achieve this is by using the Auth0.js checkSession method** to check for the presence of that session when your application is accessed and there is not yet an authentication session.

If the outcome of the previous call is successful, you obtain the end-user's associated tokens without even forcing the end-user to click through login. Keep in mind that the check session call should only be performed when actually needed, with logic in your application so that not every request triggers it. For example, doing it on the application's initial load and then only repeating it if some time has already elapsed since the last call received a negative result.

1 Like
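
The throttled session check described in the answer above, as an added example (not part of the original thread and not Auth0's sample code). `webAuth.checkSession` is the Auth0.js method the answer names; `createSilentSso`, the storage key and the retry interval are hypothetical names and values chosen for illustration.

```javascript
// Added example. In the browser, `webAuth` is an auth0.WebAuth instance, e.g.
//   new auth0.WebAuth({ domain: 'YOUR_TENANT.auth0.com', clientID: 'YOUR_CLIENT_ID',
//     redirectUri: window.location.origin, responseType: 'token id_token' })
// (placeholder values) and `storage` is window.sessionStorage.
const LAST_NEGATIVE_KEY = 'sso.lastNegativeCheck'; // hypothetical key name

// prompt=none style errors that mean "no usable session at the identity provider"
const NO_SESSION_ERRORS = ['login_required', 'consent_required', 'interaction_required'];

function createSilentSso(webAuth, storage, opts = {}) {
  const retryAfterMs = opts.retryAfterMs ?? 5 * 60 * 1000; // assumed back-off
  const now = opts.now ?? Date.now;

  // Only query the identity provider when the app has no session of its own
  // and the last negative answer is old enough.
  function shouldCheck(hasLocalSession) {
    if (hasLocalSession) return false;
    const last = Number(storage.getItem(LAST_NEGATIVE_KEY));
    return !last || now() - last >= retryAfterMs;
  }

  // Resolves to one of:
  //   { status: 'skipped' }                     no round-trip was made
  //   { status: 'authenticated', authResult }   session found, tokens returned
  //   { status: 'anonymous' }                   no session; back-off recorded
  //   { status: 'error', error }                anything else (network, config)
  function trySilentLogin(hasLocalSession) {
    if (!shouldCheck(hasLocalSession)) return Promise.resolve({ status: 'skipped' });
    return new Promise((resolve) => {
      webAuth.checkSession({}, (err, authResult) => {
        if (!err && authResult) {
          storage.removeItem(LAST_NEGATIVE_KEY);
          return resolve({ status: 'authenticated', authResult });
        }
        if (err && NO_SESSION_ERRORS.includes(err.error)) {
          storage.setItem(LAST_NEGATIVE_KEY, String(now()));
          return resolve({ status: 'anonymous' });
        }
        resolve({ status: 'error', error: err });
      });
    });
  }

  return { shouldCheck, trySilentLogin };
}
```

On an `authenticated` result, a server-rendered app such as the two in this thread can send the browser to its existing login route, which the original poster reports completes without asking for credentials. Unexpected errors are deliberately not recorded as a negative result, so a transient failure does not suppress the next check.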

Thanks very much @jmangelo . We will give that a go.

updated my answer… what do you mean works to some degree?

ok, I am not sure about lock, sorry, we use our own custom form, check User.IsAuthenticated and setup claims etc on each request, so not sure what the "Lock" is doing in this case.

Sorry, I should have mentioned that in the initial post. Thanks for trying to help anyway.