OpenIDConnect Authorization Code Flow - redeems token on IIS express but not local IIS - C# asp.net

CJM 1 Reputation point
2022-01-22T16:45:43.083+00:00

My OWIN startup.cs looks like this:

string clientId = ConfigurationManager.AppSettings["ClientId"];
string clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];
static string tenant = ConfigurationManager.AppSettings["Tenant"];
string authority = string.Format(System.Globalization.CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["Authority"], tenant);

public void Configuration(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Sets the ClientId, authority, RedirectUri as obtained from web.config
            ClientId = clientId,
            ClientSecret = clientSecret,
            Authority = authority,
            RedirectUri = redirectUri, //struggling to see the difference between RedirectUri and CallbackPath
            //CallbackPath = new PathString("/home/"), // do i need this as well?

            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,

            RedeemCode = true,
            ResponseMode = OpenIdConnectResponseMode.FormPost, // do i need this?
            SaveTokens = true, // do i need this?
            UsePkce = true, // default is true

            ResponseType = OpenIdConnectResponseType.Code,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
            },
        }
    );
}

I don't understand why it tries to redeem the token on IIS Express and not on IIS Local. It's the same app, so I am guessing it's something to do with IIS, but I have no idea what. Please help!


1 answer

  1. Shweta Mathur 29,751 Reputation points Microsoft Employee
    2022-01-25T10:52:23.327+00:00

    Hi @CJM ,

    Thanks for reaching out.

    ASP.NET applications generally run on IIS Express. You cannot directly use IIS to host an ASP.NET Core application on IIS locally, as the development folder does not provide all of the necessary files IIS needs to host.

    In a classic ASP.NET application everything is hosted inside of an IIS Worker Process (w3wp.exe) which is the IIS Application Pool. The pool hosts your ASP.NET application and your application is instantiated by the built-in ASP.NET hosting features in IIS.

    However, for ASP.NET Core applications you can run IIS as a front-end proxy using an Out of Process model that proxies through IIS. Requests hit IIS and are forwarded to your ASP.NET Core app running the Kestrel Web Server (Reverse proxy).

    The In Process hosting model on IIS does not use Kestrel and instead uses a new Web Server implementation (IISHttpServer) that is hosted directly inside of the IIS Application Pool.

    For ASP.NET Core, you can specify and update the InProcess/OutProcess value in the project configuration file under <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>

    By default, the hosting model specified is InProcess, which hosts the process inside the IIS Worker Process (w3wp.exe or iisexpress.exe), but for debugging purposes you can specify OutProcess to run the application locally.

    Also, please refer to the OAuth 2.0 authorization code flow for all the required parameters and their values specified in the startup.cs file.

    As asked, redirectUri and CallbackPath are both the same and can be used interchangeably to specify where authentication responses can be sent.

    And response_mode is optional; it informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.

    Thanks,
    Shweta

    -----------------------------------------------------------------

    Please remember to "Accept Answer" or Up-Vote if answer helped you.
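
An added example, not code from the question or the answer: the question's OWIN configuration with a notification on each stage of the code flow, so a trace shows how far sign-in gets under IIS compared with IIS Express, and with the weak `ValidateIssuer = false` setting corrected. It assumes the same appSettings keys, a package version that has the `RedeemCode` option the question already uses, and an authority that names a single tenant; `Stage` is a hypothetical helper.

```csharp
using System.Configuration;
using System.Diagnostics;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Hypothetical helper: records which stage ran, never the code or token values.
    static Task Stage(string name)
    {
        Trace.TraceInformation("OIDC stage reached: " + name);
        return Task.FromResult(0);
    }

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["ClientSecret"],
            Authority = string.Format(CultureInfo.InvariantCulture,
                ConfigurationManager.AppSettings["Authority"], ConfigurationManager.AppSettings["Tenant"]),
            RedirectUri = ConfigurationManager.AppSettings["RedirectUri"],
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.Code,
            RedeemCode = true,
            // Weak setting in the question: ValidateIssuer = false skips the issuer check.
            // Corrected: leave validation on so the token's issuer must match the authority's metadata.
            TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n => Stage("RedirectToIdentityProvider"),
                MessageReceived = n => Stage("MessageReceived"),
                AuthorizationCodeReceived = n => Stage("AuthorizationCodeReceived"),
                TokenResponseReceived = n => Stage("TokenResponseReceived"),
                SecurityTokenValidated = n => Stage("SecurityTokenValidated"),
                AuthenticationFailed = n => Stage("AuthenticationFailed: " + n.Exception.GetType().Name),
            },
        });
    }
}
```

The last stage name written to the trace under each host shows where the two runs diverge.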
