Anyone hosting a ASP.NET Core Secured App behind a gateway?

[johnkattenhorn]

We have we believe a cookie mis-match issue; if we browse directly to the SF hosted service we can login into a standard ASP.NET app which is using out of the box auth.

However if we try the same process via the gateway it go through the motions and there are no errors logged but the redirect to home show that the user is not authenticated.

I'm guessing that the path maybe used to generate the cookie and there is invalid when going through the gateway.

@weidazhao, @rmja - Have you done anything along these lines ?

[weidazhao]

Can you elaborate what authentication you use? If the path is involved in generating auth cookies, you should pass PathBase + Path to generate it.

[johnkattenhorn]

Apologies, I should have more explicit, we are just using the default configuration that comes with app.UseIdentity();.

I did some further research and came to a similar conclusion that it would something to do with Path or Domain on the cookie and then I found this issue which suggests maybe this is still broken aspnet/CORS#81

We are going to try this out anyways as it sort of is similar to our situation do you think ?

[johnkattenhorn]

My current working theory is something to do with the cookie, I've tried various entries of Login Path and Cookie Domain but nothing has worked so far.

@weidazhao - Could you explain a little more about PathBase+Path, how can I set this dynamically given that I'm used to setting these in the config of AddIdentity, do I need to write a little piece of middleware do you think ?

[rmja]

I had a similar issue some time ago, because cookies were not forwarded by the http client. The resolved issue is #23. Have you updated the client code with the fix?

[johnkattenhorn]

@rmja - I thought you might have had it then ....

I've just checked and I have the change that was made on the commit mentioned in #23, I also just tried adding in the snippet mentioned in the post itself although I'm guessing it a duplicate way of doing it but still not working.

It looks just like the problem described though, can I check via fiddler etc. if I still have this problem ?

I see the following on the POST to Account/Login which also has a status code of 302 ? Given that this is not my gateway url (It's current http://localhost/OpsConsole) I'm wondering if this is correct or showing signs of the problem described.

[johnkattenhorn]

This is going to sound dumb but I'm having problems hitting breakpoints inside Microsoft.ServiceFabric.AspNetCore.Gateway, I've done a bunch of googling but I get the hollow red dot and the warning of no symbols. Can anyone suggest what's wrong ?

I trying to look at the response in the middleware and I'm think about whether changing the path of the authentication cookie would help solve this issue.

It the only one we have blocking us now from doing a pilot. I've been given this weekend before I'll have to abandon the hosting option and push the site into WebApp or similar.

UPDATE: I was being dumb and debugging the wrong project ....

[johnkattenhorn]

I've resolved this issue (sort-of) by setting the CookiePath to a fixed Path like this

  services.AddIdentity<ApplicationUser, IdentityRole>(
                config => { config.Cookies.ApplicationCookie.CookiePath = new PathString("/"); })
                .AddUserStore<UserStore<ApplicationUser, ApplicationDbContext>>()
                .AddRoleStore<RoleStore<ApplicationDbContext>>()
                .AddDefaultTokenProviders();

This isn't ideal really as I think a proper fix would be to intercept the request and change the filepath somehow in the response based on the service you were redirecting too otherwise this could be a problem.

[weidazhao]

@johnkattenhorn Sorry for slow response.

It appears that the default value of CookiePath should be set to '/' already: https://github.com/aspnet/Security/blob/6294badd972882ba707216c211095474ef8c4709/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs#L62

If you had to explicitly set CookiePath to '/', it looks like a bug in Microsoft.AspNetCore.Authentication.Cookies.dll to me.

[johnkattenhorn]

Not directly related, but we've found another issue with ASP.NET Core Identity implementation behind the gateway. I've logged another issue here #39