Cookie configuration mystery using AddCookie and ConfigureApplicationCookie
#45788
Comments
|
You are mixing and matching things for generic cookie authentication (AddCookie) and things meant for asp.net identity (ConfigureApplicationCookie). Which auth are you trying to use? |
blowdart
added
the
Needs: Author Feedback
|
Hi @qui8t. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time. |
|
I am trying to use Google authNZ with built-in asp.net identity, without leveraging any external library, so my config reads as the following services
.AddIdentity<AppUser, IdentityRole>()
.AddEntityFrameworkStores<AccountDbContext>();
services.AddIdentityCore<AppUser>();
services
.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddJwtBearer()
.AddCookie(options =>
{
options.LoginPath = "/account/login";
options.Cookie.SameSite = SameSiteMode.Lax;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddGoogle(GoogleDefaults.AuthenticationScheme, options =>
{
options.ClientId = _clientId;
options.ClientSecret = _clientSecret;
options.UsePkce = true;
options.ClaimActions.MapJsonKey(GoogleProfilePictureClaim, "picture", "url");
});
services.ConfigureApplicationCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(15);
options.SlidingExpiration = true;
});And add the following for the middleware setup. app.UseAuthentication();
app.UseAuthorization();
app.UseCookiePolicy(
new CookiePolicyOptions
{
MinimumSameSitePolicy = SameSiteMode.Lax,
Secure = CookieSecurePolicy.Always
}); |
ghost
added
Needs: Attention 👋
|
Ah got it. @HaoK how does this all hang together? |
|
@qui8t Underneath the covers all ConfigureApplicationCookie is doing is configuring the named cookie that identity sets as the default authentication scheme. Which is the "Identity.Application" cookie scheme. Your app is specifying your own cookie to use by default. Generally if you are not using the application cookie as the default scheme, you don't even to add it. Basically you should be calling EITHER AddIdentity, or AddIdentityCore. If you call the former, that adds all of the authentication cookies for identity as well. If you call AddIdentityCore, you are responsible for wiring up the authentication part of things, which by default does this: |
HaoK
added
question
and removed
Needs: Attention 👋
|
Thank you @HaoK for the elaboration. I removed services
.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddJwtBearer()
.AddCookie( /* config moved to ConfigureApplicationCookie */)
.AddGoogle(GoogleDefaults.AuthenticationScheme, options =>
{
options.ClientId = _clientId;
options.ClientSecret = _clientSecret;
options.UsePkce = true;
options.ClaimActions.MapJsonKey(GoogleProfilePictureClaim, "picture", "url");
});
services.ConfigureApplicationCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(15);
options.SlidingExpiration = true;
// moved here from AddCookie()
options.LoginPath = "/account/login";
options.Cookie.SameSite = SameSiteMode.Lax;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});With this setup, at least |
|
What do you mean loginpath is not configured properly? Its not /account/login as you expect? This is likely due to AddIdentity stomping on it. If you want to configure the cookies yourself, a better alternative might be to remove the call to AddIdentity and keep AddIdentityCore, and don't use any of the built in identity cookies, then you have full control over the authentication/cookies and you won't have to deal with stomping on cookie settings. |
|
I want the user to be redirected to the |
|
I suggest not using the identity application cookies and configuring the cookie completely yourself rather than mixing and matching your own cookies with the identity cookies |
|
I'd love to avoid mixing, though I am trying to remark upon the fact that I can not implement the use-case I mentioned without mixing and matching them. It seems some functionality is available in one and some in the other. Please refer to my first post, and I am happy to elaborate if needed. |
As my understanding, you should remove .AddIdentity<AppUser, IdentityRole>() and replace with .AddIdentityCore instead, then try your login path again. |
HaoK
added
the
✔️ Resolution: Answered
|
This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes. See our Issue Management Policies for more information. |
ghost
locked as resolved and limited conversation to collaborators
and others
I am confused how to set the cookie options, it seems some options are effective only if set using
AddCookieand some others if set usingConfigureApplicationCookie. For example,LoginPathwould be effective only if set inAddCookie:ExpireTimeSpanwould be effective only if set inConfigureApplicationCookie:The text was updated successfully, but these errors were encountered: