Auth0 ASP.Net.Owin SSO Validate cookie cross domain

I am trying to setup SSO on my ASP.NET apps on the same domain using Auth0 & OWIN. I used the following tutorial to setup my Owin Context: Auth0 ASP.NET (OWIN) SDK Quickstarts: Login

I configured the Auth0 cookie with a name & Domain with the CookieAuthenticationOptions in startup.cs:

         string auth0Domain = ConfigurationManager.AppSettings"auth0:Domain"];
        string auth0ClientId = ConfigurationManager.AppSettings"auth0:ClientId"];
        string auth0ClientSecret = 

         ConfigurationManager.AppSettings"auth0:ClientSecret"];
        // Enable Kentor Cookie Saver middleware
        app.UseKentorOwinCookieSaver();
        // Set Cookies as default authentication type
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            //Add Cross domain
            CookieName = "sso.example.com",
            CookieDomain = ".example.com",
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login")
        });

My Auth0 Configuration:

                var options = new Auth0AuthenticationOptions()
    {
        Domain = auth0Domain,
        ClientId = auth0ClientId,
        ClientSecret = auth0ClientSecret,
        Provider = new Auth0AuthenticationProvider
        {

                OnAuthenticated = context =>
                {
                    // Get the user's country
                    JToken countryObject = context.User"https://example.com/geoip"];
                    if (countryObject != null)
                    {
                        string countryCode = countryObject"country_code"].ToObject<string>();
                        string Lat = countryObject"latitude"].ToObject<string>();
                        string Long = countryObject"longitude"].ToObject<string>();
                        string City = countryObject"city_name"].ToObject<string>();
                        string Country = countryObject"country_name"].ToObject<string>();

                        context.Identity.AddClaim(new Claim("country_code", countryCode, ClaimValueTypes.String, context.Connection));
                        context.Identity.AddClaim(new Claim("country_name", Country, ClaimValueTypes.String, context.Connection));
                        context.Identity.AddClaim(new Claim("city_name", City, ClaimValueTypes.String, context.Connection));
                        context.Identity.AddClaim(new Claim("longitude", Long, ClaimValueTypes.String, context.Connection));
                        context.Identity.AddClaim(new Claim("latitude", Lat, ClaimValueTypes.String, context.Connection));
                    }
                    JToken userMeta = context.User"https://example.com/user_metadata"];
                    if (userMeta != null)
                    {
                        string companyName = userMeta"company"].ToObject<string>();
                        context.Identity.AddClaim(new Claim("company", companyName, ClaimValueTypes.String, context.Connection));
                        string fullName = userMeta"full_name"].ToObject<string>();
                        context.Identity.AddClaim(new Claim("full_name", fullName, ClaimValueTypes.String, context.Connection));
                    }

                    JToken rolesObject = context.User"https://example.com/app_metadata"];
                    if (rolesObject != null)
                    {
                        string] roles = rolesObject"roles"].ToObject<string]>();
                        foreach (var role in roles)
                        {
                            context.Identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, context.Connection));
                        }
                    }

                    return Task.FromResult(0);
                }
            }

        };
        options.Scope.Add("openid profile"); // Request a refresh_token

How would I go about authenticating the client on the secondary application (subdomain) by using the cookie, and only if the cookie is not valid, proceed to the Auth0 login page? The Cookie is available on the subdomain but I still have to go through the login proccess with Auth0. Am I missing something? Or is there an article I can read about the implimentation? Any advice would be greatly appreciated!!

1 Like

Your setup appears to be correct, and as long as your cookie settings are the same in both applications, all should work fine.
That being said, this is really not so much an Auth0 issue, as it is an ASP.NET issue. The important part is your OWIN Cookie middleware configuration, so I think that if you run into issues you may have better luck also asking this question on a site like StackOverflow.

@jerrie1 Thanks for the comment! I am pretty new to this, and would just like to confirm that when I fiddle with OWIN to try and resolve this, I will do it in OWIN config section where I name the Cookie etc and not the Auth0 section.

@jacques.bronkhorst Yes, the important part is the cookie and the cookie middleware. As long as the cookie is recognised as valid by both applications, then the Auth0 authentication should not have to be invoked.

For what you are trying to achieve, the Auth0 configuration does not play a role.

@jerri1 YOU SIR! Are a scholar and a gentleman! Thanks for the assist, much appreciated.

Dit is 'n plesier :slight_smile:

Just to provide some closure. I resolved this by copying the same startup.cs on both apps, and adding a machine key to the root Web Config file, in the system.web tag.
I generated the machine key using this url: ASP.NET Machine Key Generator - developer Fusion

Nothing changed from my initial configuration, I just changed the domain names to my domain. And here is the link to the question on StackOverflow Auth0 ASP.Net.Owin SSO Validate cookie cross domain - Stack Overflow

1 Like