OpenIDConnect Authorization Code Flow - redeems token on IIS express but not local IIS - C#

CJM 1 Reputation point

My OWIN Startup.cs looks like this:

using System.Configuration;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    string clientId = ConfigurationManager.AppSettings["ClientId"];
    string clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
    string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];
    static string tenant = ConfigurationManager.AppSettings["Tenant"];
    string authority = string.Format(System.Globalization.CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["Authority"], tenant);

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Sets the ClientId, authority, RedirectUri as obtained from web.config
                ClientId = clientId,
                ClientSecret = clientSecret,
                Authority = authority,
                RedirectUri = redirectUri, // struggling to see the difference between RedirectUri and CallbackPath
                //CallbackPath = new PathString("/home/"), // do I need this as well?

                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,

                RedeemCode = true,
                ResponseMode = OpenIdConnectResponseMode.FormPost, // do I need this?
                SaveTokens = true, // do I need this?
                UsePkce = true, // default is true

                ResponseType = OpenIdConnectResponseType.Code,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false,
                },

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // handler method defined elsewhere in Startup (not shown)
                    AuthenticationFailed = OnAuthenticationFailed,
                },
            });
    }
}

I don't understand why it tries to redeem the token on IIS Express and not on IIS Local. It's the same app, so I am guessing it's something to do with IIS, but I have no idea what. Please help!


1 answer

  1. Shweta Mathur 19,946 Reputation points Microsoft Employee

    Hi @CJM,

    Thanks for reaching out.

    ASP.NET applications generally run on IIS Express. You cannot directly use IIS to host an ASP.NET Core application on IIS locally, as the development folder does not provide all of the necessary files IIS needs to host.

    In a classic ASP.NET application everything is hosted inside of an IIS Worker Process (w3wp.exe) which is the IIS Application Pool. The pool hosts your ASP.NET application and your application is instantiated by the built-in ASP.NET hosting features in IIS.

    However, for ASP.NET Core applications you can run IIS as a front-end proxy using an Out of Process model that proxies through IIS. Requests hit IIS and are forwarded to your ASP.NET Core app running the Kestrel Web Server (Reverse proxy).

    The In Process hosting model on IIS does not use Kestrel and instead uses a new Web Server implementation (IISHttpServer) that is hosted directly inside of the IIS Application Pool.

    For ASP.NET Core, you can specify and update the value of the InProcess/OutProcess models in the project configuration file under <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>.

    By default, the hosting model specified is InProcess, which hosts the process inside the IIS Worker Process (w3wp.exe or iisexpress.exe), but for debugging purposes you can specify OutProcess to run the application locally.

    Also, please refer to the OAuth 2.0 authorization code flow for all the required parameters and their values specified in the startup.cs file.

    As asked, the redirectUri and CallbackPath are both the same and can be used interchangeably to specify where authentication responses can be sent.

    And response_mode is optional; it informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.



    Please remember to "Accept Answer" or Up-Vote if the answer helped you.

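
The answer points to the OAuth 2.0 authorization code flow for the parameters behind the `ResponseType`, `ResponseMode`, `UsePkce` and `RedeemCode` settings in the question. As an added example (not code from the question, the answer or Microsoft), this console program builds the authorization request and the code-redemption request with PKCE; the `idp.example` endpoints, the client id, the redirect URI, the placeholder code and secret, and sending the secret in the request body are all assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class AuthCodeFlowParameters
{
    // Base64url without padding, as PKCE (RFC 7636) requires.
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomToken()
    {
        var buf = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return B64Url(buf); // 43 characters
    }

    // Form-encodes alternating name/value pairs.
    static string Form(params string[] kv) =>
        string.Join("&", Enumerable.Range(0, kv.Length / 2).Select(i =>
            Uri.EscapeDataString(kv[2 * i]) + "=" + Uri.EscapeDataString(kv[2 * i + 1])));

    static void Main()
    {
        // Constructed placeholder values, not taken from the question.
        const string clientId = "example-client-id";
        const string redirectUri = "https://app.example/";
        string state = RandomToken(), nonce = RandomToken();

        // PKCE: the verifier stays on the server; only its SHA-256 hash is sent up front.
        string codeVerifier = RandomToken();
        string codeChallenge;
        using (var sha = SHA256.Create())
            codeChallenge = B64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));

        // 1. The browser is redirected to the authorization endpoint with these parameters.
        Console.WriteLine("https://idp.example/authorize?" + Form(
            "client_id", clientId, "response_type", "code", "response_mode", "form_post",
            "redirect_uri", redirectUri, "scope", "openid profile", "state", state,
            "nonce", nonce, "code_challenge", codeChallenge, "code_challenge_method", "S256"));

        // 2. The provider POSTs code and state to redirect_uri; the app checks state,
        //    then redeems the code at the token endpoint with this body.
        Console.WriteLine("POST https://idp.example/token\n" + Form(
            "grant_type", "authorization_code", "code", "CODE_FROM_STEP_1",
            "redirect_uri", redirectUri, "client_id", clientId,
            "client_secret", "CLIENT_SECRET_PLACEHOLDER", "code_verifier", codeVerifier));
    }
}
```

The `redirect_uri` sent when redeeming the code must be identical to the one in the authorization request (RFC 6749, section 4.1.3).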