Cookie based authentication in .NET 6 Core API using Identity

[sohaibameenpk007]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Hello Everyone,

I have created a new .NET Core API project in .NET 6 and implemented Cookie authentication using Identity.

I have created the method below to create cookie

public async Task GenerateCookieAuthentication(string username)
{
    var claims = await GetClaims(username);

    AuthenticationProperties authProperties = new AuthenticationProperties
    {
        IsPersistent = true
    };

    ClaimsIdentity identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

    ClaimsPrincipal pricipal = new ClaimsPrincipal(identity);

    await _httpContext.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, pricipal, authProperties);
}

I have added configuration in program.cs

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
   .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
   {

      options.CookieName = "MyCookieName";
      options.Cookie.HttpOnly = false;
       options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
       options.Cookie.SameSite = SameSiteMode.None;
       options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
       options.SlidingExpiration = true;
   });

System create multiple cookies ".AspNetCore.Identity.Application" and my ".MyCookieName" which seems strange to me because it should only create one cookie. There are couple of problems that I have to report

1- Multiple Cookies are being generated

2- If I pass my cookie ".MyCookieName" to be authorized then request is not being authorized because it does not have the claims in it but it works fine with ".AspNetCore.Identity.Application" since it has the claims.

3- I can not change the name of ".AspNetCore.Identity.Application" cookie and the expiration time remains 14 days

4- API returns 404 in case if request is not authorized but it should return 401

Please review this and provide your feedback just to see where do I doing things wrong.

Best,
Sohaib

Expected Behavior

1- One cookie should be created with proper name, expiration time and claims in it which can be authorized properly.
2- API should return 401 instead of 404 when request is not authorized.

Steps To Reproduce

Exceptions (if any)

.NET Version

.NET 6

Anything else?

[Tratcher]

You say you're using Identity, but only show Cookie auth above. Please show the rest of your auth setup. ".AspNetCore.Identity.Application" comes from AddIdentity. You likely have overlapping auth scheme names between components.

[ghost]

Hi @sohaibameenpk007. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[sohaibameenpk007]

You say you're using Identity, but only show Cookie auth above. Please show the rest of your auth setup. ".AspNetCore.Identity.Application" comes from AddIdentity. You likely have overlapping auth scheme names between components.

Hi @Tratcher can you further explain about the auth setup please?
I am working with .NET Identity and using old membership tables with it by implementing custom functionality so that would be great if you can further explain it to me. Thanks

[Tratcher]

Please share the rest of your application setup code, especially the part that sets up Identity.

[sohaibameenpk007]

@Tratcher Alright, I have followed this code example to generate cookies which I have uploaded on this link. Please download it and review it to provide your feedback.
'https://file.io/viSK5583bXBO'

[Tratcher]

The relevant part of your setup:

            services.AddIdentity<IdentityUser, IdentityRole>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
                {
                    options.SlidingExpiration = true;
                    options.ExpireTimeSpan = new TimeSpan(0, 1, 0);
                });

AddIdentity already calls AddCookie, you don't need to call it again.

aspnetcore/src/Identity/Core/src/IdentityServiceCollectionExtensions.cs

Lines 53 to 66 in ba3c78b

	services.AddAuthentication(options =>
	{
	options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
	options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
	options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
	})
	.AddCookie(IdentityConstants.ApplicationScheme, o =>
	{
	o.LoginPath = new PathString("/Account/Login");
	o.Events = new CookieAuthenticationEvents
	{
	OnValidatePrincipal = SecurityStampValidator.ValidatePrincipalAsync
	};
	})

When calling SignInAsync use IdentityConstants.ApplicationScheme.