I am very new to OWIN :). I am trying to have a page with an open public area which will allow anonymous over HTTP, and then a restricted section which will require authentication. I'd like not to force the entire site to be HTTPS for general users.
The issue I have is that I receive the following loop:
I have tried 3 ways of intercepting the redirect in OWIN but nothing seems to work.
If I begin the session by browsing to https://example.com/ then click on the link to authenticatedPage, then the login works as I expect. i.e.
Is there any way to fix this without marking my whole site as requiring SSL?
The problem is the referrer set by the OIDC middleware in your application. What happens is this:
There are multiple solutions to this, such as enforcing SSL only, overloading the Authorize attribute, and setting the CookieSecure flag to CookieSecureOption.Never (don't do this).
The option I prefer is to fix the Referrer in the middleware itself as such:
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = ...,
    ClientId = ...,
    RedirectUri = "https://foo.bar",
    ResponseType = "id_token",
    Scope = "openid profile",
    SignInAsAuthenticationType = "Cookies",
    // Deal with the returning tokens
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = async n =>
        {
            // Enforce the reference/redirect to be HTTPS
            var builder = new UriBuilder(n.AuthenticationTicket.Properties.RedirectUri);
            builder.Scheme = "https";
            builder.Port = 443;
            n.AuthenticationTicket.Properties.RedirectUri = builder.ToString();
        }
    }
});
What this does is rewrite the HTTP on the Referrer URL to HTTPS. This way, if the user enters the app on HTTP, he'll be automatically redirected to an HTTPS version after using it.
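The same idea as the answer above, written out as a full Katana (Microsoft.Owin.Security.OpenIdConnect) startup; this is an added example, not the answer's own code. It hooks `SecurityTokenValidated`, which Katana raises for every response type once the token is validated (the `AuthorizationCodeReceived` notification is only raised when an authorization code comes back, which `ResponseType = "id_token"` does not produce), and pairs it with an explicit `CookieSecure` setting so the security assumption is visible. The `ConfigureAuth` name, the `Startup` class and the authority/client/redirect values are assumed placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public partial class Startup
{
    static string ForceHttps(string url)
    {
        var builder = new UriBuilder(url);
        if (builder.Scheme == Uri.UriSchemeHttps) return url;
        builder.Scheme = Uri.UriSchemeHttps;
        builder.Port = -1; // default port for the scheme, so no stale ":80" is kept
        return builder.ToString();
    }
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // Session cookie never travels over plain HTTP. Even the default
            // (SameAsRequest) marks a cookie issued on the HTTPS callback Secure,
            // which is why an HTTP return URL can never satisfy [Authorize].
            CookieSecure = CookieSecureOption.Always
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example.invalid",              // assumed placeholder
            ClientId = "my-client-id",                               // assumed placeholder
            RedirectUri = "https://app.example.invalid/signin-oidc", // assumed placeholder
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Raised once the id_token is validated, for every response type.
                // The ticket's RedirectUri is the page the user first asked for
                // (maybe http://...); force https before the middleware redirects
                // there, or the Secure cookie is not sent and the challenge repeats.
                SecurityTokenValidated = n =>
                {
                    var props = n.AuthenticationTicket.Properties;
                    if (!string.IsNullOrEmpty(props.RedirectUri))
                        props.RedirectUri = ForceHttps(props.RedirectUri);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```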