
aspnetkatana's People

Contributors

athurner, blowdart, brentschmaltz, brockallen, chucklu, damianh, davidfowl, davidmatson, dotnet-bot, dougbu, eilon, gregwoodio, ianbattersby, idisposable, ioi-christianco, jamesholwell, jz5, kevinchalet, lodejard, loudej, m6freeman, mattgal, pfeurean, rvdkooy, ryan-w, rzontar, sajayantony, tratcher, tugupta, wtgodbe


aspnetkatana's Issues

CookieAuthenticationHandler, in case using SessionStore, cookieOptions.Expires is not set on renewal

I think I found an issue in Microsoft.Owin.Security.Cookies.CookieAuthenticationHandler class, method ApplyResponseGrantAsync. There is a line (within the "else if (_shouldRenew)" block) where the cookieOptions.Expires property is set if model.Properties.IsPersistent is true. The problem is that, in case of using a SessionStore, model.Properties.IsPersistent is always false, because in that case model is assigned a new instance with clean options.
So the cookie sent to the browser is now a session cookie and when the browser is closed and reopened, the user must log in again.

See also the ASP.NET Core repository: aspnet/Security#973
There they have already fixed the issue. But that does not help me, as I am still using this library.
Hopefully it will be fixed here also.

Support NetStandard 1.6

Use case: easy porting of lots of existing code without having to rewrite entire applications.

Would be happy to attempt a PR.

How can I have access to the metadata to know the endpoints?

I have implemented all Notifications, but I can't find the metadata info in the "context" object. How can I obtain this metadata information?

Notifications = new OpenIdConnectAuthenticationNotifications()
{                        
    RedirectToIdentityProvider = (context) =>
    {
        Debug.WriteLine("*** RedirectToIdentityProvider");
        return Task.FromResult(0);
    },
    MessageReceived = (context) =>
    {
        Debug.WriteLine("*** MessageReceived");
        return Task.FromResult(0);
    },
    SecurityTokenReceived = (context) =>
    {
        Debug.WriteLine("*** SecurityTokenReceived");
        return Task.FromResult(0);
    },
    SecurityTokenValidated = (context) =>
    {        
        Debug.WriteLine("*** SecurityTokenValidated");
        return Task.FromResult(0);
    },
    AuthorizationCodeReceived = (context) =>
    {
        Debug.WriteLine("*** AuthorizationCodeReceived");
        return Task.FromResult(0);
    },
    AuthenticationFailed = (context) =>
    {
        Debug.WriteLine("*** AuthenticationFailed");
        return Task.FromResult(0);
    },
}

Clarify License

Is this the official repository for Microsoft.Owin.Host.HttpListener?
https://www.nuget.org/packages/Microsoft.Owin.Host.HttpListener/

Can you clarify the license? The NuGet repository shows this license file: http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm

The Git repository shows an Apache license: http://www.apache.org/licenses/LICENSE-2.0

As an aside, the NuGet package also points to an old repository on CodePlex; that should be fixed too. I'm not 100% comfortable that the Git site IS the correct repository.

Update IdentityModel dependency to v5

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/472/files#diff-04c6e90faac2675aa89e2176d2eec7d8R9
"+IdentityModel Extensions for .NET 5 has now been released. If you are using IdentityModel Extensions with ASP.NET, the following combinations are supported:
+* IdentityModel Extensions for .NET 4.x and ASP.NET 4
+* IdentityModel Extensions for .NET 5.x and ASP.NET Core 1.x
+All other combinations aren't supported."

Migration notes:

  • Requires updating from .NET 4.5 to .NET 4.5.1 - Not a blocker
  • Missing TokenValidationParameters.IssuerSigningTokens - Use IssuerSigningKeys
  • Missing Microsoft.IdentityModel.Protocols.WsFederation - Won't be available until at least March. Consider shipping alpha1 without WsFed. This would also block Ms.O.Security.ActiveDirectory as those middleware are WsFed based.
  • Update Newtonsoft.Json to at least 9.0.1

https://katanaproject.codeplex.com/workitem/464

Twitter authentication middleware does not call the correct authenticate endpoint

Repro:

  1. Set up a site with Twitter auth using the middleware
  2. Attempt to log into said site with Twitter on an Android device with Twitter installed
  3. The full Twitter client launches

This is caused by the redirect uri being set to https://twitter.com instead of https://api.twitter.com

The default https://twitter.com uri is used by the deep linking functionality of the app. This causes the app to handle the authentication request instead of the browser; then, after auth, the webview embedded in the Twitter app takes over and cannot locate your redirect target.

The solution is to prefix the twitter.com domain with api. in this line https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationHandler.cs#L25 just like the other calls,
or to allow the user to override the root domains via configuration.

Reference:
https://dev.twitter.com/oauth/reference/get/oauth/authenticate note the Resource url

100% CPU In Owin Thread On Self Hosted WebAPI

On examining the threads that were taking high CPU, it was found that all of those threads are stuck accessing a Dictionary.

Here is WinDBG CLRStack of all High CPU Taking Threads

Loading Dump File [E:\Shared\Logs\100%CPUYogi\3CLogicStarter_6.dmp]
User Mini Dump File with Full Memory: Only application data is available

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred symsrvsymsrv.dllE:\SymbolsE:\PDBshttp://msdl.microsoft.com/download/symbols
Symbol search path is: symsrvsymsrv.dllE:\SymbolsE:\PDBshttp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8.1 Version 9600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS Personal
Built by: 6.3.9600.18217 (winblue_ltsb.160124-0053)
Machine Name:
Debug session time: Wed May 17 17:51:06.000 2017 (UTC + 5:30)
System Uptime: 0 days 1:26:27.672
Process Uptime: 0 days 1:01:33.000
................................................................
................................................................
...........
Loading unloaded module list
.........
*** ERROR: Symbol file could not be found. Defaulted to export symbols for KERNELBASE.dll -
eax=0000008c ebx=00000001 ecx=00000000 edx=00000000 esi=00000002 edi=00000002
eip=7761c7ec esp=00a3cc68 ebp=00a3cdf0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtWaitForMultipleObjects+0xc:
7761c7ec c21400 ret 14h
0:000> .loadby sos clr
0:000> !runaway
User Mode Time
Thread Time
42:55c 0 days 0:09:36.109
39:1d44 0 days 0:09:35.687
40:147c 0 days 0:02:43.062
41:1cc8 0 days 0:02:42.593
8:1388 0 days 0:00:08.687
20:1734 0 days 0:00:05.218
0:e50 0 days 0:00:03.109
4:6d4 0 days 0:00:02.328
36:1198 0 days 0:00:01.390
21:1764 0 days 0:00:01.234
14:16c4 0 days 0:00:01.187
12:1924 0 days 0:00:00.593
32:1bd4 0 days 0:00:00.468
44:1c90 0 days 0:00:00.359
16:1700 0 days 0:00:00.328
24:df0 0 days 0:00:00.296
43:1f60 0 days 0:00:00.281
26:1948 0 days 0:00:00.265
45:16e0 0 days 0:00:00.234
46:1664 0 days 0:00:00.218
25:16a0 0 days 0:00:00.218
31:10e4 0 days 0:00:00.203
28:15e0 0 days 0:00:00.187
27:11f8 0 days 0:00:00.156
30:b4 0 days 0:00:00.140
29:1590 0 days 0:00:00.125
22:16a4 0 days 0:00:00.109
2:5ec 0 days 0:00:00.093
38:1978 0 days 0:00:00.078
47:1254 0 days 0:00:00.062
48:8f4 0 days 0:00:00.031
52:1b3c 0 days 0:00:00.015
51:16d4 0 days 0:00:00.015
23:15ec 0 days 0:00:00.015
19:1ba4 0 days 0:00:00.015
50:1c98 0 days 0:00:00.000
49:132c 0 days 0:00:00.000
37:14d8 0 days 0:00:00.000
35:1b6c 0 days 0:00:00.000
34:1b98 0 days 0:00:00.000
33:918 0 days 0:00:00.000
18:a0c 0 days 0:00:00.000
17:16ec 0 days 0:00:00.000
15:158 0 days 0:00:00.000
13:92c 0 days 0:00:00.000
11:1750 0 days 0:00:00.000
10:2d8 0 days 0:00:00.000
9:858 0 days 0:00:00.000
7:a58 0 days 0:00:00.000
6:1264 0 days 0:00:00.000
5:1178 0 days 0:00:00.000
3:1644 0 days 0:00:00.000
1:1614 0 days 0:00:00.000
0:000> ~40s
eax=00000000 ebx=02a90fd8 ecx=00000003 edx=128a17cc esi=030e5a80 edi=030e8ce8
eip=737e6eb9 esp=05cae7a0 ebp=05cae7c4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
mscorlib_ni+0x366eb9:
737e6eb9 3b45f0 cmp eax,dword ptr [ebp-10h] ss:002b:05cae7b4=3c3317dd
0:040> !CLRStack
OS Thread Id: 0x147c (40)
Child SP IP Call Site
05cae7a0 737e6eb9 System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].Insert(System.__Canon, System.__Canon, Boolean)
05cae7d4 737d9beb System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].set_Item(System.__Canon, System.__Canon)
05cae7dc 0d4cb95f Microsoft.Owin.Host.HttpListener.RequestProcessing.CallEnvironment.set_Item(System.String, System.Object)
05cae7f0 0d5499a0 Microsoft.Owin.OwinRequest.Set[[System.__Canon, mscorlib]](System.String, System.__Canon)
05cae808 0d54995f Microsoft.Owin.Security.Infrastructure.OwinRequestExtensions.RegisterAuthenticationHandler(Microsoft.Owin.IOwinRequest, Microsoft.Owin.Security.Infrastructure.AuthenticationHandler)
05cae824 0d549632 Microsoft.Owin.Security.Infrastructure.AuthenticationHandler+d__0.MoveNext()
05cae85c 0d54952f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationHandler+d__0, Microsoft.Owin.Security]](d__0 ByRef)
05cae8b4 0d5494c3 Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.BaseInitializeAsync(Microsoft.Owin.Security.AuthenticationOptions, Microsoft.Owin.IOwinContext)
05cae90c 0d549437 Microsoft.Owin.Security.Infrastructure.AuthenticationHandler1[[System.__Canon, mscorlib]].Initialize(System.__Canon, Microsoft.Owin.IOwinContext)
05cae918 0d549093 Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]].MoveNext()
05cae950 0d548fe3 System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]], Microsoft.Owin.Security]](d__0 ByRef)
05cae9b0 0d548f66 System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Threading.Tasks.VoidTaskResult, mscorlib]].Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]], Microsoft.Owin.Security]](d__0 ByRef)
05cae9cc 0d548f0c System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]], Microsoft.Owin.Security]](d__0 ByRef)
05cae9e4 0d548eb1 Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1[[System.__Canon, mscorlib]].Invoke(Microsoft.Owin.IOwinContext)
05caea38 0d4cc777 Microsoft.Owin.Infrastructure.OwinMiddlewareTransition.Invoke(System.Collections.Generic.IDictionary2)
05caea4c 0d548c87 Microsoft.Owin.Mapping.MapMiddleware+d__0.MoveNext()
05caea94 0d548a5f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Mapping.MapMiddleware+d__0, Microsoft.Owin]](d__0 ByRef)
05caeaec 0d5489f5 Microsoft.Owin.Mapping.MapMiddleware.Invoke(System.Collections.Generic.IDictionary2)
05caeb44 0d54896d Microsoft.Owin.Cors.CorsMiddleware.HandleCorsRequestAsync(Microsoft.Owin.IOwinContext, System.Web.Cors.CorsPolicy, System.Web.Cors.CorsRequestContext)
05caeb60 0d4ced52 Microsoft.Owin.Cors.CorsMiddleware+d__0.MoveNext()
05caeb98 0d4ce697 System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Cors.CorsMiddleware+d__0, Microsoft.Owin.Cors]](d__0 ByRef)
05caebf0 0d4ce495 Microsoft.Owin.Cors.CorsMiddleware.Invoke(System.Collections.Generic.IDictionary2)
05caec48 0d4ce3c7 Microsoft.Owin.Infrastructure.AppFuncTransition.Invoke(Microsoft.Owin.IOwinContext)
05caec54 0d4cdc34 WebAstra.Shared.Rest.RestPreProcessor+d__6.MoveNext()
05caec84 737f8de3 System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.InvokeMoveNext(System.Object)
05caec8c 737d0d07 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
05caecf8 737d0c56 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
05caed0c 737f493f System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run()
05caed3c 737f8d33 System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(System.Action, Boolean, System.Threading.Tasks.Task ByRef)
05caed68 737c01f6 System.Threading.Tasks.Task.FinishContinuations()
05caedb4 737bff08 System.Threading.Tasks.Task.FinishStageThree()
05caedc0 737f51bb System.Threading.Tasks.Task.FinishStageTwo()
05caede8 737f5070 System.Threading.Tasks.Task.Finish(Boolean)
05caee14 737f4bbd System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef)
05caee78 737f4ac3 System.Threading.Tasks.Task.ExecuteEntry(Boolean)
05caee88 737f4a0f System.Threading.Tasks.Task.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
05caee8c 73795269 System.Threading.ThreadPoolWorkQueue.Dispatch()
05caeedc 73795115 System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()
05caf100 745d2372 [DebuggerU2MCatchHandlerFrame: 05caf100]
05caf16c 745d2372 [ContextTransitionFrame: 05caf16c]
05caf2f4 745d2372 [DebuggerU2MCatchHandlerFrame: 05caf2f4]
0:040> ~42s
eax=00000000 ebx=00000003 ecx=127ede24 edx=02eb5aa0 esi=02eb57c0 edi=00000000
eip=737e9cd8 esp=0ef2e148 ebp=0ef2e164 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
mscorlib_ni+0x369cd8:
737e9cd8 3b45f0 cmp eax,dword ptr [ebp-10h] ss:002b:0ef2e154=3c850816
0:042> !CLRStack
OS Thread Id: 0x55c (42)
Child SP IP Call Site
0ef2e148 737e9cd8 System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].FindEntry(System.__Canon)
0ef2e16c 737eac6d System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].TryGetValue(System.__Canon, System.__Canon ByRef)
0ef2e17c 0d4cafdb Microsoft.Owin.Host.HttpListener.RequestProcessing.CallEnvironment.TryGetValue(System.String, System.Object ByRef)
0ef2e190 0d5a3acc System.Collections.Generic.DictionaryExtensions.TryGetValue[[System.__Canon, mscorlib]](System.Collections.Generic.IDictionary2, System.String, System.__Canon ByRef)
0ef2e1ac 0d5a3a54 System.Web.Http.Owin.OwinRequestExtensions.DisableBuffering(Microsoft.Owin.IOwinRequest)
0ef2e1bc 0d5a2a97 System.Web.Http.Owin.HttpMessageHandlerAdapter+d__0.MoveNext()
0ef2e24c 0d5a1def System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[System.Web.Http.Owin.HttpMessageHandlerAdapter+d__0, System.Web.Http.Owin]](d__0 ByRef)
0ef2e2a4 0d5a1c19 System.Web.Http.Owin.HttpMessageHandlerAdapter.InvokeCore(Microsoft.Owin.IOwinContext, Microsoft.Owin.IOwinRequest, Microsoft.Owin.IOwinResponse)
0ef2e31c 0d5a18e2 System.Web.Http.Owin.HttpMessageHandlerAdapter.Invoke(Microsoft.Owin.IOwinContext)
0ef2e330 0d4cc777 Microsoft.Owin.Infrastructure.OwinMiddlewareTransition.Invoke(System.Collections.Generic.IDictionary2)
0ef2e344 0d54e833 SqueezeMe.CompressionStrategies.DirectCompressionStrategy+d__0.MoveNext()
0ef2e3d8 73f6cf7f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0ef2e434 73fe48cd System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Threading.Tasks.VoidTaskResult, mscorlib]].Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0ef2e450 73f7030f System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0ef2e468 0d54e4c8 SqueezeMe.CompressionStrategies.DirectCompressionStrategy.Compress(System.Func2,System.Threading.Tasks.Task>, Microsoft.Owin.OwinContext, SqueezeMe.ICompressor, System.IO.Stream)
0ef2e4b4 0d54bfcc SqueezeMe.CompressionMiddleware+d__5.MoveNext()
0ef2e53c 73f6cf7f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0ef2e598 73fe48cd System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Threading.Tasks.VoidTaskResult, mscorlib]].Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0ef2e5b4 73f7030f System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0ef2e5cc 0d54bd56 SqueezeMe.CompressionMiddleware.Invoke(System.Collections.Generic.IDictionary2)
0ef2e60c 0d4ce3c7 Microsoft.Owin.Infrastructure.AppFuncTransition.Invoke(Microsoft.Owin.IOwinContext)
0ef2e618 0d549222 Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]].MoveNext()
0ef2e650 737f8de3 System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.InvokeMoveNext(System.Object)
0ef2e658 737d0d07 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0ef2e6c4 737d0c56 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0ef2e6d8 737f493f System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run()
0ef2e708 737f8d33 System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(System.Action, Boolean, System.Threading.Tasks.Task ByRef)
0ef2e734 737c01f6 System.Threading.Tasks.Task.FinishContinuations()
0ef2e780 737bff08 System.Threading.Tasks.Task.FinishStageThree()
0ef2e78c 737f3950 System.Threading.Tasks.Task1[[System.Boolean, mscorlib]].TrySetResult(Boolean)
0ef2e79c 737f38d1 System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Boolean, mscorlib]].SetResult(Boolean)
0ef2e7b4 0d549e32 WebAstra.Shared.Rest.RestAuthenticationHandler+d__1.MoveNext()
0ef2e7e4 737f8de3 System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.InvokeMoveNext(System.Object)
0ef2e7ec 737d0d07 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0ef2e858 737d0c56 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0ef2e86c 737f493f System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run()
0ef2e89c 737f8d33 System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(System.Action, Boolean, System.Threading.Tasks.Task ByRef)
0ef2e8c8 737c01f6 System.Threading.Tasks.Task.FinishContinuations()
0ef2e914 737bff08 System.Threading.Tasks.Task.FinishStageThree()
0ef2e920 737f51bb System.Threading.Tasks.Task.FinishStageTwo()
0ef2e948 737f5070 System.Threading.Tasks.Task.Finish(Boolean)
0ef2e974 737f4bbd System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef)
0ef2e9d8 737f4ac3 System.Threading.Tasks.Task.ExecuteEntry(Boolean)
0ef2e9e8 737f4a0f System.Threading.Tasks.Task.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
0ef2e9ec 73795269 System.Threading.ThreadPoolWorkQueue.Dispatch()
0ef2ea3c 73795115 System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()
0ef2ec60 745d2372 [DebuggerU2MCatchHandlerFrame: 0ef2ec60]
0ef2eccc 745d2372 [ContextTransitionFrame: 0ef2eccc]
0ef2ee54 745d2372 [DebuggerU2MCatchHandlerFrame: 0ef2ee54]
0:042> ~41s
eax=00000000 ebx=00000003 ecx=128a17cc edx=030e8ce8 esi=030e5a80 edi=00000000
eip=737e9cd8 esp=0e67e4f8 ebp=0e67e514 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
mscorlib_ni+0x369cd8:
737e9cd8 3b45f0 cmp eax,dword ptr [ebp-10h] ss:002b:0e67e504=3c850816
0:041> !CLRStack
OS Thread Id: 0x1cc8 (41)
Child SP IP Call Site
0e67e4f8 737e9cd8 System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].FindEntry(System.__Canon)
0e67e51c 737eac6d System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].TryGetValue(System.__Canon, System.__Canon ByRef)
0e67e52c 0d4cafdb Microsoft.Owin.Host.HttpListener.RequestProcessing.CallEnvironment.TryGetValue(System.String, System.Object ByRef)
0e67e540 0d5a3acc System.Collections.Generic.DictionaryExtensions.TryGetValue[[System.__Canon, mscorlib]](System.Collections.Generic.IDictionary2, System.String, System.__Canon ByRef)
0e67e55c 0d5a3a54 System.Web.Http.Owin.OwinRequestExtensions.DisableBuffering(Microsoft.Owin.IOwinRequest)
0e67e56c 0d5a2a97 System.Web.Http.Owin.HttpMessageHandlerAdapter+d__0.MoveNext()
0e67e5fc 0d5a1def System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[System.Web.Http.Owin.HttpMessageHandlerAdapter+d__0, System.Web.Http.Owin]](d__0 ByRef)
0e67e654 0d5a1c19 System.Web.Http.Owin.HttpMessageHandlerAdapter.InvokeCore(Microsoft.Owin.IOwinContext, Microsoft.Owin.IOwinRequest, Microsoft.Owin.IOwinResponse)
0e67e6cc 0d5a18e2 System.Web.Http.Owin.HttpMessageHandlerAdapter.Invoke(Microsoft.Owin.IOwinContext)
0e67e6e0 0d4cc777 Microsoft.Owin.Infrastructure.OwinMiddlewareTransition.Invoke(System.Collections.Generic.IDictionary2)
0e67e6f4 0d54e833 SqueezeMe.CompressionStrategies.DirectCompressionStrategy+d__0.MoveNext()
0e67e788 73f6cf7f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0e67e7e4 73fe48cd System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Threading.Tasks.VoidTaskResult, mscorlib]].Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0e67e800 73f7030f System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0e67e818 0d54e4c8 SqueezeMe.CompressionStrategies.DirectCompressionStrategy.Compress(System.Func2,System.Threading.Tasks.Task>, Microsoft.Owin.OwinContext, SqueezeMe.ICompressor, System.IO.Stream)
0e67e864 0d54bfcc SqueezeMe.CompressionMiddleware+d__5.MoveNext()
0e67e8ec 73f6cf7f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0e67e948 73fe48cd System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Threading.Tasks.VoidTaskResult, mscorlib]].Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0e67e964 73f7030f System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[System.__Canon, mscorlib]](System.__Canon ByRef)
0e67e97c 0d54bd56 SqueezeMe.CompressionMiddleware.Invoke(System.Collections.Generic.IDictionary2)
0e67e9bc 0d4ce3c7 Microsoft.Owin.Infrastructure.AppFuncTransition.Invoke(Microsoft.Owin.IOwinContext)
0e67e9c8 0d549222 Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]].MoveNext()
0e67ea00 737f8de3 System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.InvokeMoveNext(System.Object)
0e67ea08 737d0d07 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0e67ea74 737d0c56 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0e67ea88 737f493f System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run()
0e67eab8 737f8d33 System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(System.Action, Boolean, System.Threading.Tasks.Task ByRef)
0e67eae4 737c01f6 System.Threading.Tasks.Task.FinishContinuations()
0e67eb30 737bff08 System.Threading.Tasks.Task.FinishStageThree()
0e67eb3c 737f3950 System.Threading.Tasks.Task1[[System.Boolean, mscorlib]].TrySetResult(Boolean)
0e67eb4c 737f38d1 System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Boolean, mscorlib]].SetResult(Boolean)
0e67eb64 0d549e32 WebAstra.Shared.Rest.RestAuthenticationHandler+d__1.MoveNext()
0e67eb94 737f8de3 System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.InvokeMoveNext(System.Object)
0e67eb9c 737d0d07 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0e67ec08 737d0c56 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
0e67ec1c 737f493f System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run()
0e67ec4c 737f8d33 System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(System.Action, Boolean, System.Threading.Tasks.Task ByRef)
0e67ec78 737c01f6 System.Threading.Tasks.Task.FinishContinuations()
0e67ecc4 737bff08 System.Threading.Tasks.Task.FinishStageThree()
0e67ecd0 737f51bb System.Threading.Tasks.Task.FinishStageTwo()
0e67ecf8 737f5070 System.Threading.Tasks.Task.Finish(Boolean)
0e67ed24 737f4bbd System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef)
0e67ed88 737f4ac3 System.Threading.Tasks.Task.ExecuteEntry(Boolean)
0e67ed98 737f4a0f System.Threading.Tasks.Task.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
0e67ed9c 73795269 System.Threading.ThreadPoolWorkQueue.Dispatch()
0e67edec 73795115 System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()
0e67f010 745d2372 [DebuggerU2MCatchHandlerFrame: 0e67f010]
0e67f07c 745d2372 [ContextTransitionFrame: 0e67f07c]
0e67f204 745d2372 [DebuggerU2MCatchHandlerFrame: 0e67f204]
0:041> ~43s
eax=00000000 ebx=766688d0 ecx=00000000 edx=00000000 esi=00000000 edi=00000504
eip=7761c27c esp=0f12e9b8 ebp=0f12ea28 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!NtWaitForSingleObject+0xc:
7761c27c c20c00 ret 0Ch
0:043> !CLRStack
OS Thread Id: 0x1f60 (43)
Child SP IP Call Site
GetFrameContext failed: 1
00000000 00000000
0:043> ~44s
eax=00000000 ebx=766688d0 ecx=00000000 edx=00000000 esi=00000000 edi=00000504
eip=7761c27c esp=0b02f858 ebp=0b02f8c8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtWaitForSingleObject+0xc:
7761c27c c20c00 ret 0Ch
0:044> !CLRStack
OS Thread Id: 0x1c90 (44)
Child SP IP Call Site
GetFrameContext failed: 1
00000000 00000000
0:044> ~39s
eax=00000000 ebx=02a90fd8 ecx=00000003 edx=127ede24 esi=02eb57c0 edi=02eb5aa0
eip=737e6ea3 esp=08ace090 ebp=08ace0b4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
mscorlib_ni+0x366ea3:
737e6ea3 8b7e08 mov edi,dword ptr [esi+8] ds:002b:02eb57c8=02eb5aa0
0:039> !CLRStack
OS Thread Id: 0x1d44 (39)
Child SP IP Call Site
08ace090 737e6ea3 System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].Insert(System.__Canon, System.__Canon, Boolean)
08ace0c4 737d9beb System.Collections.Generic.Dictionary2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].set_Item(System.__Canon, System.__Canon)
08ace0cc 0d4cb95f Microsoft.Owin.Host.HttpListener.RequestProcessing.CallEnvironment.set_Item(System.String, System.Object)
08ace0e0 0d5499a0 Microsoft.Owin.OwinRequest.Set[[System.__Canon, mscorlib]](System.String, System.__Canon)
08ace0f8 0d54995f Microsoft.Owin.Security.Infrastructure.OwinRequestExtensions.RegisterAuthenticationHandler(Microsoft.Owin.IOwinRequest, Microsoft.Owin.Security.Infrastructure.AuthenticationHandler)
08ace114 0d549632 Microsoft.Owin.Security.Infrastructure.AuthenticationHandler+d__0.MoveNext()
08ace14c 0d54952f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationHandler+d__0, Microsoft.Owin.Security]](d__0 ByRef)
08ace1a4 0d5494c3 Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.BaseInitializeAsync(Microsoft.Owin.Security.AuthenticationOptions, Microsoft.Owin.IOwinContext)
08ace1fc 0d549437 Microsoft.Owin.Security.Infrastructure.AuthenticationHandler1[[System.__Canon, mscorlib]].Initialize(System.__Canon, Microsoft.Owin.IOwinContext)
08ace208 0d549093 Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]].MoveNext()
08ace240 0d548fe3 System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]], Microsoft.Owin.Security]](d__0 ByRef)
08ace2a0 0d548f66 System.Runtime.CompilerServices.AsyncTaskMethodBuilder1[[System.Threading.Tasks.VoidTaskResult, mscorlib]].Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]], Microsoft.Owin.Security]](d__0 ByRef)
08ace2bc 0d548f0c System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1+d__0[[System.__Canon, mscorlib]], Microsoft.Owin.Security]](d__0 ByRef)
08ace2d4 0d548eb1 Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1[[System.__Canon, mscorlib]].Invoke(Microsoft.Owin.IOwinContext)
08ace328 0d4cc777 Microsoft.Owin.Infrastructure.OwinMiddlewareTransition.Invoke(System.Collections.Generic.IDictionary2)
08ace33c 0d548c87 Microsoft.Owin.Mapping.MapMiddleware+d__0.MoveNext()
08ace384 0d548a5f System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Mapping.MapMiddleware+d__0, Microsoft.Owin]](d__0 ByRef)
08ace3dc 0d5489f5 Microsoft.Owin.Mapping.MapMiddleware.Invoke(System.Collections.Generic.IDictionary2) 08ace434 0d54896d Microsoft.Owin.Cors.CorsMiddleware.HandleCorsRequestAsync(Microsoft.Owin.IOwinContext, System.Web.Cors.CorsPolicy, System.Web.Cors.CorsRequestContext) 08ace450 0d4ced52 Microsoft.Owin.Cors.CorsMiddleware+d__0.MoveNext() 08ace488 0d4ce697 System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.Owin.Cors.CorsMiddleware+d__0, Microsoft.Owin.Cors]](d__0 ByRef) 08ace4e0 0d4ce495 Microsoft.Owin.Cors.CorsMiddleware.Invoke(System.Collections.Generic.IDictionary2)
08ace538 0d4ce3c7 Microsoft.Owin.Infrastructure.AppFuncTransition.Invoke(Microsoft.Owin.IOwinContext)
08ace544 0d4cdc34 WebAstra.Shared.Rest.RestPreProcessor+d__6.MoveNext()
08ace574 737f8de3 System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.InvokeMoveNext(System.Object)
08ace57c 737d0d07 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
08ace5e8 737d0c56 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
08ace5fc 737f493f System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run()
08ace62c 737f8d33 System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(System.Action, Boolean, System.Threading.Tasks.Task ByRef)
08ace658 737c01f6 System.Threading.Tasks.Task.FinishContinuations()
08ace6a4 737bff08 System.Threading.Tasks.Task.FinishStageThree()
08ace6b0 737f51bb System.Threading.Tasks.Task.FinishStageTwo()
08ace6d8 737f5070 System.Threading.Tasks.Task.Finish(Boolean)
08ace704 737f4bbd System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef)
08ace768 737f4ac3 System.Threading.Tasks.Task.ExecuteEntry(Boolean)
08ace778 737f4a0f System.Threading.Tasks.Task.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
08ace77c 73795269 System.Threading.ThreadPoolWorkQueue.Dispatch()
08ace7cc 73795115 System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()
08ace9f0 745d2372 [DebuggerU2MCatchHandlerFrame: 08ace9f0]
08acea5c 745d2372 [ContextTransitionFrame: 08acea5c]
08acebe4 745d2372 [DebuggerU2MCatchHandlerFrame: 08acebe4]

Any quick help will save my life...

OAuth authentication in Asp.Net MVC 4.5

Hi,
I have an ASP.NET MVC web application running on .NET Framework 4.5. I want my application to be able to use the OAuth protocol of LinkedIn to allow a user to authenticate into the application using a LinkedIn identity.

I am not able to find any OWIN module for implementing this. I could only find app.UseOAuthAuthorizationServer and app.UseOAuthBearerAuthentication. The first one is for implementing an authorization server and the second is for verifying the Bearer token present in the header in order to secure a service such as a Web API. There is another module, app.UseOAuthAuthentication, but that only works in an ASP.NET Core project, and not ASP.NET 4.5.
Is there any way I can get the LinkedIn OAuth flow to work in an ASP.NET 4.5 project, or will I have to migrate my project to ASP.NET Core?

DualWriter seems to have concurrency issues

By default, OWIN hooks itself into the system logging in order to be helpful and catch all sorts of logging. However, because of this and some deficiencies of DualWriter, Owin is in the stacktrace of a lot of errors. And it seems to be actually causing some of them.

For my own project, in a high-volume environment, I'm getting the following stack trace in the event log (names sanitized):

Application: App.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IndexOutOfRangeException
   at System.Buffer.InternalBlockCopy(System.Array, Int32, System.Array, Int32, Int32)
   at System.IO.StreamWriter.Write(Char[], Int32, Int32)
   at System.IO.TextWriter+SyncTextWriter.Write(Char[], Int32, Int32)
   at Microsoft.Owin.Hosting.Tracing.DualWriter.Write(Char[], Int32, Int32)
   at System.IO.TextWriter.WriteLine(System.String)
   at System.Diagnostics.TextWriterTraceListener.WriteLine(System.String)
   at System.Diagnostics.TraceInternal.WriteLine(System.String)
   at System.Diagnostics.Trace.WriteLine(System.String)
   at SharedLibrary.ExampleUserObject.Cleanup()

I don't think it's necessary, but, just in case, the related Nuget packages I've got for this:

  • Microsoft.AspNet.WebApi.Owin @ v5.2.3
  • Microsoft.AspNet.WebApi.OwinSelfHost @ v5.2.3
  • Microsoft.Owin @ v3.0.1
  • Microsoft.Owin.Host.HttpListener @ v3.0.1
  • Microsoft.Owin.Hosting @ v3.0.1
  • Owin @ v1.0.0

The code that causes this is a call to Trace.WriteLine() in SharedLibrary.ExampleUserObject.Cleanup(), and everything else in the stacktrace is core .NET code, except for OWIN. A call to Trace.WriteLine() is certainly not a line of code you'd expect to be wrapping in a try/catch. It doesn't occur with a single call - only under heavy-ish concurrent load. I checked the commits in the master branch since 3.0.1 before submitting this issue, and they don't seem to touch files related to DualWriter. So I think it's still relevant.

It's important to note, though, that this error with the exact stack trace occurred in two different kinds of environments: ones that were actually using the OWIN features, and ones that weren't. It's a system that has multiple different transports for incoming messages, with a self-hosted OWIN being one of them. OWIN was loaded in both environments, but this error was still occurring even when coming from other transports. I first dealt with this by removing my calls to Trace.WriteLine() inside SharedLibrary.ExampleUserObject, but that's not always an option. Especially if you're using a Nuget package or any other library you don't directly control. Eventually I settled on removing the listeners myself.

In fact, we can see a couple examples of this problem on the internet. Here's an error on StackOverflow where the user encountered this with LogEntries and mistakenly filed an issue on that project. Here's another SO question where the user gets these errors when running queries. And here's another SO question where the user complains about it interfering with his logging via Log4net. The answer on that question was pretty helpful about where to look.

Considering that this seems to be default behavior, I think DualWriter could use a bit of scrutiny. Especially in scenarios where it's not the only code to interact with System.Diagnostics. Nothing that can insert itself into the call path of .NET internals should have a design that allows for this to happen. It's a bit of an unpleasant surprise to reference a library and encounter this.
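The mitigation mentioned in the report above (removing the listeners yourself) can be sketched as follows. This is an added example, not code from the report or from Katana; the only name taken from the page is the DualWriter type name in the stack trace, and the StandInWriter class and the listener name "demo-listener" are constructed so the program runs without the OWIN assemblies.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;

public static class OwinTraceListenerCleanup
{
    // Type name as it appears in the stack trace quoted in the report.
    const string DualWriterTypeName = "Microsoft.Owin.Hosting.Tracing.DualWriter";

    // Constructed stand-in writer, used only by the demo in Main.
    sealed class StandInWriter : StringWriter { }

    static bool IsOrDerivesFrom(Type type, string fullName)
    {
        for (Type t = type; t != null; t = t.BaseType)
        {
            if (string.Equals(t.FullName, fullName, StringComparison.Ordinal)) return true;
        }
        return false;
    }

    // Removes every TextWriterTraceListener whose writer is of the given type and
    // returns the names of the listeners that were removed. The listeners are not
    // disposed, because their writer may wrap a stream the process still needs.
    public static IReadOnlyList<string> RemoveListenersWritingTo(string writerTypeName)
    {
        var removed = new List<string>();
        // Snapshot first: the collection must not change while it is enumerated.
        foreach (TraceListener listener in Trace.Listeners.Cast<TraceListener>().ToList())
        {
            var textListener = listener as TextWriterTraceListener;
            if (textListener == null) continue;
            // Note: reading Writer on a file-based listener opens its file.
            TextWriter writer = textListener.Writer;
            if (writer != null && IsOrDerivesFrom(writer.GetType(), writerTypeName))
            {
                Trace.Listeners.Remove(listener);
                removed.Add(listener.Name + " (" + writer.GetType().FullName + ")");
            }
        }
        return removed;
    }

    public static void Main()
    {
        // Demo with the constructed stand-in.
        Trace.Listeners.Add(new TextWriterTraceListener(new StandInWriter(), "demo-listener"));
        foreach (string name in RemoveListenersWritingTo(typeof(StandInWriter).FullName))
        {
            Console.WriteLine("removed: " + name);
        }

        // In the affected process this is the call that matters. It only sees
        // listeners that are registered at the time it runs.
        IReadOnlyList<string> owin = RemoveListenersWritingTo(DualWriterTypeName);
        Console.WriteLine("DualWriter listeners removed: " + owin.Count);

        Trace.WriteLine("trace output now goes only to the remaining listeners");
    }
}
```

Listeners are matched by writer type rather than by listener name because the type name is the only identifier the stack trace provides.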

SystemWebCookieManager issue

There is a wiki page System.Web response cookie integration issues that proposes to use SystemWebCookieManager as a workaround. However, SystemWebCookieManager has a major issue.

How to reproduce the issue:

  1. On the dev machine, set up any time zone between UTC +1 and +12
  2. Set up cookie authentication and set ExpireTimeSpan on the CookieAuthenticationOptions to 10 minutes
  3. Try to sign in with a persistent cookie

The actual result: the server responds with an already expired authentication cookie.

For example, if you are in the UTC +2 time zone and it's 12:00 on your machine, then you will receive the .AspNet.Cookie cookie with Expires equal to 8:10, instead of 10:10.

Why it happens:
In the CookieAuthenticationHandler.ApplyResponseGrantAsync method there is the following code:

if (signInContext.Properties.IsPersistent)
{
  DateTimeOffset expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.ExpireTimeSpan);
  signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime().DateTime;
}

Even though expiresUtc is a UTC time, expiresUtc.ToUniversalTime().DateTime returns a DateTime with Kind equal to DateTimeKind.Unspecified. That's why Expires is converted to UTC twice.

In order to fix it, SystemWebCookieManager needs to be updated. Instead of

cookie.Expires = options.Expires.Value;

there must be

cookie.Expires = DateTime.SpecifyKind(options.Expires.Value, DateTimeKind.Utc);
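The double conversion described in the report above can be reproduced outside ASP.NET. This is an added example, not code from the report or from Katana: the fixed UTC+2 zone, the date and the ToUniversalTimeIn helper are constructed so the result does not depend on the machine's time zone, and the helper stands in for the second "convert to UTC" step that the report describes.

```csharp
using System;

public static class CookieExpiryKindDemo
{
    // Constructed stand-in for the server's local zone: fixed UTC+2, no DST.
    static readonly TimeZoneInfo MachineZone = TimeZoneInfo.CreateCustomTimeZone(
        "Demo/UTC+2", TimeSpan.FromHours(2), "Demo UTC+2", "Demo UTC+2");

    // Same contract as DateTime.ToUniversalTime(), but with an explicit zone:
    // Utc values pass through unchanged, while Local and Unspecified values are
    // both read as wall-clock time in machineZone and shifted.
    public static DateTime ToUniversalTimeIn(DateTime value, TimeZoneInfo machineZone)
    {
        if (value.Kind == DateTimeKind.Utc)
        {
            return value;
        }
        DateTime wallClock = DateTime.SpecifyKind(value, DateTimeKind.Unspecified);
        return TimeZoneInfo.ConvertTimeToUtc(wallClock, machineZone);
    }

    // True when the cookie would already be expired at the moment it is issued.
    public static bool ExpiredOnArrival(DateTime cookieExpires, DateTimeOffset issuedUtc,
                                        TimeZoneInfo machineZone)
    {
        return ToUniversalTimeIn(cookieExpires, machineZone) <= issuedUtc.UtcDateTime;
    }

    static void Report(string label, DateTime cookieExpires, DateTimeOffset issuedUtc)
    {
        DateTime onTheWire = ToUniversalTimeIn(cookieExpires, MachineZone);
        Console.WriteLine(
            "{0,-32} Kind={1,-11} Expires sent as {2:HH:mm} UTC, expired on arrival: {3}",
            label, cookieExpires.Kind, onTheWire,
            ExpiredOnArrival(cookieExpires, issuedUtc, MachineZone));
    }

    public static void Main()
    {
        // Constructed scenario from the report: 12:00 local at UTC+2 is 10:00 UTC,
        // and ExpireTimeSpan is 10 minutes.
        var issuedUtc = new DateTimeOffset(2017, 4, 3, 10, 0, 0, TimeSpan.Zero);
        DateTimeOffset expiresUtc = issuedUtc.Add(TimeSpan.FromMinutes(10));

        // The expression quoted from CookieAuthenticationHandler: the value is
        // UTC, but DateTimeOffset.DateTime always has Kind == Unspecified.
        DateTime fromHandler = expiresUtc.ToUniversalTime().DateTime;

        // The fix proposed in the report: tag the value as UTC before assigning it.
        DateTime tagged = DateTime.SpecifyKind(fromHandler, DateTimeKind.Utc);

        // Equivalent alternative: DateTimeOffset.UtcDateTime carries Kind == Utc.
        DateTime utcDateTime = expiresUtc.UtcDateTime;

        Report("handler value as-is", fromHandler, issuedUtc);
        Report("DateTime.SpecifyKind(..., Utc)", tagged, issuedUtc);
        Report("DateTimeOffset.UtcDateTime", utcDateTime, issuedUtc);
    }
}
```

The three DateTime values have identical ticks; only Kind differs, which is why the defect does not show up when the values are compared or logged before the cookie is written.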

JwtFormat ignores TokenValidationParameters.ValidIssuer

Hi,

In the Unprotect method of the JwtFormat class, it only validates against the IEnumerable ValidIssuers and ignores ValidIssuer. Shouldn't it concatenate it to the list of ValidIssuers before validating? Maybe it's by design?

TokenValidationParameters validationParameters = _validationParameters;
if (_issuerCredentialProviders != null)
{
    // Lazy augment with issuers and tokens. Note these may be refreshed periodically.
    validationParameters = validationParameters.Clone();

    IEnumerable<string> issuers = _issuerCredentialProviders.Select(provider => provider.Issuer);
    if (validationParameters.ValidIssuers == null)
    {
        validationParameters.ValidIssuers = issuers;
    }
    else
    {
        validationParameters.ValidIssuers = validationParameters.ValidIssuers.Concat(issuers);
    }

Owin : Unauthorised webapi call returning login page rather than 401

In my MVC application, I've configured OpenIdConnect and CookieAuthentication middlewares.

When I trigger a web api call from ajax, the web api, depending on the input data, returns Unauthorized code. The problem is that the request is captured and transformed to 302 to display the login page!

[Announcement] Facebook 3.0.1 and lower no longer work

Facebook has deprecated their old OAuth endpoints that were used by Katana 3.0.1 and lower.
Here's a Fiddler trace of a failing auth flow:

#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom	
1191	302	HTTPS	localhost:44318	/Account/ExternalLogin	0	private		chrome:16236			
1202	302	HTTPS	www.facebook.com	/dialog/oauth?response_type=code&client_id=569522623154478&redirect_uri=https%3A%2F%2Flocalhost%3A44318%2Fsignin-facebook&scope=&state=gQ2fRAt8BI46eC52Z_YdSFMCYbBleCGJO5Jl1BO4yQQFl0dVjx-Z0EqMS6QGNfIHD6n7fApnqdodg6ea4E7Ky9rsnExnoW22a7mV7uYAnj089d3yKm6TN4F2YoFgeVPZPakdddB_D-b8988omDTjeQPHrfSVNFqqATAsvab15PHkSaCuk5OqWZRJUnkKtfanM2uA9E8PH4_JrNrLc4DZyd0tRfGr0C3aHUkPJMUiEq0	0	private, no-cache, no-store, must-revalidate; Expires: Sat, 01 Jan 2000 00:00:00 GMT	text/html	chrome:16236			
1203	302	HTTPS	localhost:44318	/signin-facebook?code=AQDQ5k6PZ623JZqcDBHkeK6-uryTkyuKZWGD5Hk_rcLV2sYArbQKJE-d-WIvHGikif_5VtclZojZUInsOmV_KEYUYD9jL3Gn0qKKzdk6574_Ya8IoAVPpvm9hsHZ50bKAxItn01fTW54hhGRxUFpX4yCLqXrLtVgImctDxM73XGTEq7poHN7nglEcU0TjFKImpc4Pu-FkkrQXoDGrD4Xeig4NCJHzvJcw8Oc8iJIBCJDSESi6Y2U5Y2Gsy4WntIkRnhCPqh3p--h_2LFqbRcjpx9KYrvPqhW9sr5eShwY1JJ8fVlKzBQmmQbgf0IvTcbckLnxJOPCsIyIFCs5xNf9AH4&state=gQ2fRAt8BI46eC52Z_YdSFMCYbBleCGJO5Jl1BO4yQQFl0dVjx-Z0EqMS6QGNfIHD6n7fApnqdodg6ea4E7Ky9rsnExnoW22a7mV7uYAnj089d3yKm6TN4F2YoFgeVPZPakdddB_D-b8988omDTjeQPHrfSVNFqqATAsvab15PHkSaCuk5OqWZRJUnkKtfanM2uA9E8PH4_JrNrLc4DZyd0tRfGr0C3aHUkPJMUiEq0	0			chrome:16236			
1205	200	HTTPS	graph.facebook.com	/oauth/access_token?grant_type=authorization_code&code=AQDQ5k6PZ623JZqcDBHkeK6-uryTkyuKZWGD5Hk_rcLV2sYArbQKJE-d-WIvHGikif_5VtclZojZUInsOmV_KEYUYD9jL3Gn0qKKzdk6574_Ya8IoAVPpvm9hsHZ50bKAxItn01fTW54hhGRxUFpX4yCLqXrLtVgImctDxM73XGTEq7poHN7nglEcU0TjFKImpc4Pu-FkkrQXoDGrD4Xeig4NCJHzvJcw8Oc8iJIBCJDSESi6Y2U5Y2Gsy4WntIkRnhCPqh3p--h_2LFqbRcjpx9KYrvPqhW9sr5eShwY1JJ8fVlKzBQmmQbgf0IvTcbckLnxJOPCsIyIFCs5xNf9AH4&redirect_uri=https%3A%2F%2Flocalhost%3A44318%2Fsignin-facebook&client_id=xxxxx&client_secret=xxxxxxxx	251	private, no-cache, no-store, must-revalidate; Expires: Sat, 01 Jan 2000 00:00:00 GMT	application/json; charset=UTF-8	iisexpress:1144			
1206	302	HTTPS	localhost:44318	/Account/ExternalLoginCallback?error=access_denied	442	private	text/html; charset=utf-8	chrome:16236			
1207	200	HTTPS	localhost:44318	/Account/Login	2,134	private	text/html; charset=utf-8	chrome:16236			

Note the /Account/ExternalLoginCallback?error=access_denied request.

If you enable logging here's the message (caused by a change in Facebook's response format):
https://github.com/aspnet/AspNetKatana/wiki/Debugging#logging

Microsoft.Owin.Security.Facebook.FacebookAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: stringToEscape
   at System.Uri.EscapeDataString(String stringToEscape)
   at Microsoft.Owin.Security.Facebook.FacebookAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
    ProcessId=1144
    DateTime=2017-03-27T20:53:38.6034000Z

This has been fixed in Katana 3.1.0-RC1 which is now available on nuget.org.

Is it possible to add WsFederationAuthenticationOptions at runtime?

I've been trying to add WsFederationAuthenticationOptions at runtime, letting site administrators add trusts to external IP's.

app.Map("/Account", configuration =>
{
    var option = new WsFederationAuthenticationOptions
    {
        AuthenticationType = organizationModel.ADFS_Domain,
        MetadataAddress = organizationModel.ADFS_MetadataAddress,
        BackchannelCertificateValidator = null,
        Wtrealm = organizationModel.ADFS_Realm,
        Wreply = serveraddress + "/Account/ExternalLoginCallback/" + wsFederationSetting.providerName,
    };

    configuration.UseWsFederationAuthentication(option);
});

But calling HttpContext.GetOwinContext().Authentication.GetExternalAuthenticationTypes() does not include the new option, hence the owinCtx.Authentication.Challenge will fail...

The code above is working from my startup class, but not at runtime. And I don't want to have to restart the application just to add an Identity Provider...

Microsoft account with MicrosoftAccountAuthenticationOptions does not seem to work

I understand Microsoft updated their APIs recently, I created a new app at https://apps.dev.microsoft.com

Application Id: 388e0946-5fa0-4143-8e7a-97141200f6a6
Password: obu****************************

Platforms: Web
Allow Implicit Flow: YES
Redirect URIs:
https://localhost:44300/ signin-microsoft
https://ufotoday.com/ signin-microsoft

Microsoft Graph Permissions: User.Read
Application Permissions: Profile

I did not use "generate new key pair" (not sure what is it for)

I know that before it was not possible to test on localhost, this is tested live on UFOToday.com, but I keep getting "access denied".

response_type=code seems suspicious, I would think code may be replaced with something else (not sure), see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-permissions

I noticed that the name of the scope changed from wl.emails wl.birthday, so I'm just trying with what I saw in the example code "openid email profile" (otherwise it's breaking)

My code:

// https://account.live.com/developers/applications
// https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins

var microsoftAuthOptions = new MicrosoftAccountAuthenticationOptions();
microsoftAuthOptions.ClientId = currentPortalProviders.MicrosoftLiveClientId;
microsoftAuthOptions.ClientSecret = currentPortalProviders.MicrosoftLiveClientSecret;
microsoftAuthOptions.CallbackPath = new PathString("/signin-microsoft");

// See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
microsoftAuthOptions.Scope.Add("openid");
microsoftAuthOptions.Scope.Add("email");
microsoftAuthOptions.Scope.Add("profile");

microsoftAuthOptions.Provider = new MicrosoftAccountAuthenticationProvider()
{
    OnAuthenticated = (context) =>
    {
        context.Identity.AddClaim(new Claim("urn:microsoft:access_token", context.AccessToken));

        var expiryDuration = context.ExpiresIn ?? new TimeSpan();
        context.Identity.AddClaim(new Claim("urn:microsoft:expires_in", DateTime.UtcNow.Add(expiryDuration).ToString(CultureInfo.InvariantCulture)));

        if (context.Email != null) context.Identity.AddClaim(new Claim("urn:microsoft:email", context.Email));
        if (context.Id != null) context.Identity.AddClaim(new Claim("urn:microsoft:id", context.Id));
        if (context.Name != null) context.Identity.AddClaim(new Claim("urn:microsoft:name", context.Name));
        if (context.FirstName != null) context.Identity.AddClaim(new Claim("urn:microsoft:first_name", context.FirstName));
        if (context.LastName != null) context.Identity.AddClaim(new Claim("urn:microsoft:last_name", context.LastName));

        // Add all other available claims
        foreach (var claim in context.User)
        {
            var claimType = string.Format("urn:microsoft:{0}", claim.Key);
            var claimValue = claim.Value.ToString();
            if (!context.Identity.HasClaim(claimType, claimValue))
                context.Identity.AddClaim(new Claim(claimType, claimValue, "XmlSchemaString", "Microsoft"));
        }

        return Task.FromResult(0);
    }
};
app.UseMicrosoftAccountAuthentication(microsoftAuthOptions);

This is what I'm getting:

Request URL:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fufotoday.com%2F signin-microsoft &state=-LhKxD2fwHXxpUcr5oJWrQdXxe-mOJoKhW0U4UJZE6C7y8ALp5XHyz5OgDp8EDeIoVg4jLis-bayiQ-kU0GctuaGMT3ltbNPI7oRFdB_KhExHeLsy3a3WSLOUIOKDmq8exIxuc5nzgOCyHuLxoMvdZVk7DpsQ7Pc2BGiJKJ_GpBMXtlALCtsn7BHfVrT9IjlBLe0I0z66XS_XUub4W4OYA
Request Method:GET
Status Code:200 OK
Remote Address:23.100.32.136:443
Referrer Policy:no-referrer-when-downgrade

Request URL:https://login.live.com/oauth20_authorize.srf?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fufotoday.com%2F signin-microsoft &state=-LhKxD2fwHXxpUcr5oJWrQdXxe-mOJoKhW0U4UJZE6C7y8ALp5XHyz5OgDp8EDeIoVg4jLis-bayiQ-kU0GctuaGMT3ltbNPI7oRFdB_KhExHeLsy3a3WSLOUIOKDmq8exIxuc5nzgOCyHuLxoMvdZVk7DpsQ7Pc2BGiJKJ_GpBMXtlALCtsn7BHfVrT9IjlBLe0I0z66XS_XUub4W4OYA&login_hint=yovavgad%40gmail.com&ui_locales=en-US&display=page&uaid=aedea0ead6e94294a42ad04754ced973&issuer=mso&tenant=common&msproxy=1
Request Method:GET
Status Code:302 Found
Remote Address:131.253.61.96:443
Referrer Policy:no-referrer-when-downgrade

Request URL:https://ufotoday.com/ signin-microsoft ?code=Mde1a1f82-19ea-afb6-faed-6492578ef127&state=-LhKxD2fwHXxpUcr5oJWrQdXxe-mOJoKhW0U4UJZE6C7y8ALp5XHyz5OgDp8EDeIoVg4jLis-bayiQ-kU0GctuaGMT3ltbNPI7oRFdB_KhExHeLsy3a3WSLOUIOKDmq8exIxuc5nzgOCyHuLxoMvdZVk7DpsQ7Pc2BGiJKJ_GpBMXtlALCtsn7BHfVrT9IjlBLe0I0z66XS_XUub4W4OYA
Request Method:GET
Status Code:302
Remote Address:52.183.33.89:443
Referrer Policy:no-referrer-when-downgrade

Request URL:https://ufotoday.com/signup-connect?error=access_denied
Request Method:GET
Status Code:302
Remote Address:52.183.33.89:443
Referrer Policy:no-referrer-when-downgrade

Does it work for anyone else?

HttpRequestException on sending response

I use Swashbuckle to expose HTTP API in my service (self-hosted web application). From time to time I see in log errors like this:

2017-05-25 16:19:41 [17] ERROR - Unhandled exception. Request details: 
Method: POST, RequestUri: 'http://localhost:8082/extract-info', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
  Connection: close
  Accept: application/json
  Accept-Encoding: gzip
  Accept-Encoding: deflate
  Host: localhost:8082
  User-Agent: Python-urllib/3.5
  Content-Length: 3980
  Content-Type: application/json
}
System.Net.Http.HttpRequestException: Error while copying content to a stream. ---> System.IO.IOException ---> System.Net.HttpListenerException: The I/O operation has been aborted because of either a thread exit or an application request
   at System.Net.HttpResponseStream.EndWrite(IAsyncResult asyncResult)
   at Microsoft.Owin.Host.HttpListener.RequestProcessing.ExceptionFilterStream.EndWrite(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at Microsoft.Owin.Host.HttpListener.RequestProcessing.ExceptionFilterStream.EndWrite(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Owin.HttpMessageHandlerAdapter.<SendResponseContentAsync>d__20.MoveNext()

It reports that the IO operation was aborted, although the client receives the response completely and does not notice any problems.

I am posting the issue here because Swashbuckle uses Owin under its hood and stack trace points to Owin's code.

Initially I came across this issue on a slow machine and was unable to reproduce it on my computer. Then I ran a program which uses 100% CPU (any CPU performance test would do) and managed to reproduce it on my machine. I assume it can be some kind of race condition.

I don't think the details of my code are really helpful here because I managed to reproduce this error in extremely easy console application.

namespace My
{
  public class MyController : ApiController
  {
    [Route("extract-info")]
    [HttpPost]
    public ResultType ExtractInfo([FromBody] InputType inputData, bool option = false)
    {
      Thread.Sleep(rnd.Next(1000, 5000)); // Simulate processing.
      return GenerateResultType();  // Generate random/constant data.
    }
  }
}

The ResultType is a C# class, instances of this class are serialized to JSON like this:

{
  "list": [
    {
      "a": "Some text",
      "b": 12759966,
      "c": false,
      "d": true,
      "e": "ORG",
      "f": 5,
      "g": 6,
      "h": -1000.5,
      "i": false
    },
    ...
  ],
  "dict1": {
    "802474": 1.1,
    "4005": 0.293677663774,
    ...
  },
  "dict2": {
    "1141": 0.8998012898171055,
    "24005": 0.993677663774,
    ...
  }
}

The client (located on the same machine) makes requests from 10 parallel threads, each thread issues requests continuously one after another. The size of request data is 1-10KB, the size of returned data is 150-300KB. Due to Sleep() in the request processing method the total throughput is not so high, about 3-4 requests per second.

Does anybody have any ideas about these exceptions?

Websockets on Windows 7

Does Katana support websockets for Windows 7?
Otherwise, will you add support in the future?
Thx

Deadlock via thread pool exhaustion

UseActiveDirectoryFederationServicesBearerAuthentication and UseWindowsAzureActiveDirectoryBearerAuthentication both use WsFedCachingSecurityTokenProvider to download their metadata. WsFedCachingSecurityTokenProvider has read locks around Issuer and SecurityTokens, and a write lock for RetrieveMetadata. These locks are all synchronous and it calls into HttpClient and blocks, which fires off a background work item to send the request.

As OwinHttpListener receives requests it queues each one to the thread pool. When the global lock is taken then all of these requests start blocking thread pool threads and new threads cannot be injected fast enough. This may starve the metadata HttpClient and prevent it from sending the request in a timely fashion. Eventually it will time out, but the next request to get through the lock may encounter the same problem. This can bring the app to a complete halt.

Remove dependency on Owin.dll and merge in IAppBuilder

Hi Chris,

Good to see this project moved to github :)

As we know Owin.dll had its controversy... As a major release allows breaking changes, I suggest merging in IAppBuilder into Microsoft.Owin.dll. The namespace Owin. could be retained within the lib to minimise changes to libraries that depend on Microsoft.Owin.

Cheers

Non form_post server response

I understand that by default this version of OIDC middleware (.net 4.5.1) assumes the response_mode is form post, which has worked well for us with Azure. We are now being asked to integrate with another OIDC authorization server that supports hybrid flow; however, the server's response to a hybrid flow OIDC request is always with an encoded URL fragment. Per Dominic's post, this does appear to be a valid type of response in a hybrid flow:
https://leastprivilege.com/2014/10/10/openid-connect-hybrid-flow-and-identityserver-v3/

I have looked around but wasn't able to find anything that describes this type of response and how to handle it? Is there a way to support this type of response in OIDC middleware?

Getting Intermittent Invalid Redirect_uri while using MSA with AAD Convergence

On providing the userid (Live/Outlook/Hotmail) we are being redirected to

https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application[.....]

which is basically an error page.

On monitoring with Fiddler we observe that in these cases the redirect_uri parameter has a space appended at the start.

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXXXXXXXXXXXXXXXXXXX&redirect_uri=%e2%80%8e%e2%80%8ehttps%3a%2f%2flocalhost%2fAzureAD.TestWebClient&response_mode=form_post&[...]

These extra characters are getting added intermittently; while we are assigning this property in StartUp, there are no space characters.

Please help in figuring out where these space characters are getting appended from, or redirect to relevant forums.

Thanks in advance
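The bytes %e2%80%8e in the request quoted above are the UTF-8 encoding of U+200E (LEFT-TO-RIGHT MARK), a zero-width format character rather than a space. The following added example (not code from the report or from Katana) decodes the redirect_uri from that request and reports characters that are invisible in an editor; the request line is copied from the report up to the point where it is elided, and the registered value and all names are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;

public static class RedirectUriInspector
{
    // Categories that render as nothing (or as blank space) but still change the string.
    static readonly HashSet<UnicodeCategory> Suspicious = new HashSet<UnicodeCategory>
    {
        UnicodeCategory.Format, UnicodeCategory.Control, UnicodeCategory.SpaceSeparator,
        UnicodeCategory.LineSeparator, UnicodeCategory.ParagraphSeparator,
        UnicodeCategory.PrivateUse, UnicodeCategory.Surrogate, UnicodeCategory.OtherNotAssigned
    };

    // Returns the decoded value of one query parameter, or null when it is absent.
    public static string GetQueryParameter(string url, string name)
    {
        int q = url.IndexOf('?');
        string query = q >= 0 ? url.Substring(q + 1) : url;
        foreach (string pair in query.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0 && WebUtility.UrlDecode(pair.Substring(0, eq)) == name)
            {
                return WebUtility.UrlDecode(pair.Substring(eq + 1));
            }
        }
        return null;
    }

    // Lists every character that is not visible text, with its position and code point.
    public static List<string> FindInvisibleCharacters(string value)
    {
        var findings = new List<string>();
        for (int i = 0; i < value.Length; i++)
        {
            UnicodeCategory category = CharUnicodeInfo.GetUnicodeCategory(value, i);
            bool pair = char.IsSurrogatePair(value, i);
            int codePoint = pair ? char.ConvertToUtf32(value, i) : value[i];
            if (Suspicious.Contains(category))
            {
                findings.Add(string.Format("index {0}: U+{1:X4} ({2})", i, codePoint, category));
            }
            if (pair) i++; // skip the low surrogate of a valid pair
        }
        return findings;
    }

    public static void Main()
    {
        // Request line from the report, cut where the report elides it.
        const string observed =
            "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
            "?client_id=XXXXXXXXXXXXXXXXXXXX" +
            "&redirect_uri=%e2%80%8e%e2%80%8ehttps%3a%2f%2flocalhost%2fAzureAD.TestWebClient" +
            "&response_mode=form_post";
        // Constructed: the value assumed to be registered for the client.
        const string registered = "https://localhost/AzureAD.TestWebClient";

        string sent = GetQueryParameter(observed, "redirect_uri");
        foreach (string finding in FindInvisibleCharacters(sent))
        {
            Console.WriteLine(finding);
        }

        // Compare ordinally: culture-sensitive comparisons can treat such
        // characters as ignorable and report a match.
        Console.WriteLine("ordinal match with registered value: " +
            string.Equals(sent, registered, StringComparison.Ordinal));
        Console.WriteLine("length sent/registered: " + sent.Length + "/" + registered.Length);
    }
}
```

Running the same FindInvisibleCharacters check over configuration values at startup shows whether the characters are already present in the stored setting, for example after being pasted from a rich-text source.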

"No owin.Environment item was found in the context" in webapp when GAC "Microsoft.Owin.Host.SystemWeb.dll"

My web application works correctly when run with Microsoft.Owin.Host.SystemWeb.dll in the local bin folder (private dll). But when I need to GAC this dll to the Global Assembly Cache, the web application shows a "No owin.Environment item was found in the context" error when I call the HttpContext.GetOwinContext() method.

Note: I used fuslogvw.exe to check dll binding at web application startup. The difference is that for the private dll, when the web application starts up, it loads Microsoft.Owin.Host.SystemWeb.dll immediately, but with the GAC it does not.

And I use Microsoft.Owin.Host.SystemWeb.dll version 3.0.0.

Please advise me how to fix it if I need to GAC this dll.

Thanks,
Anucha T.

Propagate ExecutionContext when run in IIS

Moving bug from the codeplex as it is still an issue for us with no easy solution.

If you develop OWIN middleware for monitoring you need to use ThreadAsync or CallContext to keep the context across the async/await. And it is working fine. However if you try to use the same middleware when hosting your application in IIS - it doesn't propagate the context any longer.

Even better if there will be a possibility to set the context from HttpModule's Begin callback that will be preserved to the controller execution.

The MSDN API points to an empty page

On the WIKI page, the MSDN links to a page with only the following line:

The topics in this section describe the public namespaces, classes, and interfaces that support Microsoft OWIN components.

How can people learn the API from this sentence?

Twitter Login hang up (in IdentityServer3)

Hi,

In our solution we use Microsoft.Owin.Security.Twitter for external authentication. If you click the Twitter button for the external authentication, the application will freeze. A redirect to Twitter is expected.
If you comment out EnableHttpLogging = true (see code), it will work.

I think, it's a deadlock. Please make it robust.

Thanks,
Steffen

Additional information:

  • Facebook works.
  • last log entry: "ObtainRequestToken"
  • hang up here (debug):
    HttpResponseMessage response = await _httpClient.SendAsync(request, Request.CallCancelled);
    in
    private async Task ObtainRequestTokenAsync(string consumerKey, string consumerSecret, string callBackUri, AuthenticationProperties properties)
    in
    class TwitterAuthenticationHandler
  • tested versions: 3.0.1 and 3.1.0

Code (Startup):

public void Configuration(IAppBuilder app)
{
	// …
	app.Map("/identity", idsrvApp =>
	{
		// …
		IdentityServerOptions identityServerOptions = new IdentityServerOptions
		{
			LoggingOptions = new LoggingOptions()
			{
				EnableHttpLogging = true, // PROBLEM
				// …
			},
			AuthenticationOptions = new IdentityServer3.Core.Configuration.AuthenticationOptions
			{
				EnablePostSignOutAutoRedirect = true,
				IdentityProviders = ConfigureIdentityProviders,
			},
			// …
		};
		// …
	});
}

private void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
	// …
	app.UseTwitterAuthentication(new TwitterAuthenticationOptions()
	{
		AuthenticationType = "Twitter",
		Caption = "Twitter",
		SignInAsAuthenticationType = signInAsType,
		ConsumerKey = "…",
		ConsumerSecret = "…",
		BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(
		new[]
			{
				"90c86a986de20942a693c0115a04866a5053cf3e"
			})
	});
}

Facebook relogin with more permissions?

This is not a bug, but can't seem to find a nice way to solve the problem, so I'm asking here.
I use Facebook login for my users, so they are asked to authorize basic permissions (email, name) at login. And these permissions are set in app startup with a FacebookAuthenticationOptions object.
But for a small group of users I need to request more permissions from Facebook, (facebook page, cover, etc). My plan is to try and relogin to Facebook with more permissions in list, but there is no way of changing permission fields only for some users, as the original FacebookAuthenticationOptions is untouchable once it's defined.
Any suggestions?

Expose ClientCertificate in IOwinRequest

For convenience, please expose the ssl.ClientCertificate as a property in the IOwinRequest interface.
This is a common property which is used for implementation of ClientCertificateAuthenticationHandler.

Google 3.1.0 Not Working

I have updated to RC 3.1.0; however, I still seem to be getting issues authenticating.

This is the output from Fiddler:

#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom	
9452	200	HTTP	**foo.bar.com**	/Account/Login	7,712	no-cache, no-store; Expires: -1	text/html; charset=utf-8	firefox:17268			
9675	200	HTTP	**foo.bar.com**	/__browserLink/requestData/29b5633f81424b548a2fc4f5842c9006?version=2	3,026	public; Expires: Thu, 30 Mar 2017 05:05:02 GMT	application/json	firefox:17268			
9712	302	HTTP	**foo.bar.com**	/Account/ExternalLogin	0	private		firefox:17268			
9784	302	HTTP	**foo.bar.com**	/signin-google?state=j3HP3orE7tetRGbPwgzhavSX6yfRyWRtFAwQRhgWOlkGuWHrLjbt8-JKWK86dhk0i49vZDC4W5_7dmItoHdMzmJWX_56qYPNNkcJCrV2B7Z0_rYvwP8A92ioWSTlWl-pX7GNxOVnl7PF4g-VAtU9TIlk6l360mGHVFdQYZ34BBvfO-dRKkbIAJ9Fnq1K-8kx4aRreCzW_DhNLEzlvCo-JtiOSHdhMsrZ24OWsuJv5gU&code=4/cZgEy-LQH6WglN3zW5b6xtEhSVYioUxafUNWaGmBz6o&authuser=0&hd=liquidfusion.com.au&session_state=ce8761a407a452f656ccb83df50fca5a403132ae..8cd0&prompt=none	0			firefox:17268			
9785	 - 	HTTP	**foo.bar.com**	/Account/ExternalLoginCallback?error=access_denied	-1			firefox:17268

With debugging enabled this is the error:

Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationMiddleware Error: 0 : Authentication failed
System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()

I will continue investigating and add any additional information I come across.

/signout-oidc endpoint on ASP.NET WebForms client

I have an IdentityServer4 provider and I'm trying to connect an ASP.NET WebForms 4.5.2 client using OpenIdConnect 3.0.1. Everything works fine, but I'm having a problem with the /signout-oidc endpoint on the WebForms client: it doesn't seem to exist. I'm getting a 404 error. Interestingly, /signin-oidc does exist. I'm using the same configuration for an ASP.NET Core client with the same OpenIdConnect 3.0.1 version and /signout-oidc does work there. Am I doing something wrong?

Here's the /connect/endsession/callback and /signout-oidc log from logout process using Fiddler:

GET /connect/endsession/callback?sid=5f5617803ca616c7cb247d2d30f178af&logoutId=1ea004139be63cfd7d088ef6ea1483be HTTP/1.1

HTTP/1.1 200 OK
Date: Mon, 03 Apr 2017 08:08:53 GMT
Content-Type: text/html; charset=UTF-8
Server: Kestrel
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Set-Cookie: idsrv.ClientSessions.5f5617803ca616c7cb247d2d30f178af=.; expires=Sun, 03 Apr 2016 08:08:53 GMT; path=/; httponly
Set-Cookie: LogoutMessage.1ea004139be63cfd7d088ef6ea1483be=.; expires=Sun, 03 Apr 2016 08:08:53 GMT; path=/; httponly
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline' 'sha256-u+OupXgfekP+x/f6rMdoEAspPCYUtca912isERnoEjY=';frame-src http://localhost:9869
X-Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline' 'sha256-u+OupXgfekP+x/f6rMdoEAspPCYUtca912isERnoEjY=';frame-src http://localhost:9869
Content-Length: 223

<!DOCTYPE html><html><style>iframe{display:none;width:0;height:0;}</style><body><iframe src='http://localhost:9869/signout-oidc?sid=5f5617803ca616c7cb247d2d30f178af&iss=http%3A%2F%2Flocalhost%3A3027'></iframe></body></html>

GET /signout-oidc?sid=5f5617803ca616c7cb247d2d30f178af&iss=http%3A%2F%2Flocalhost%3A3027 HTTP/1.1

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-SourceFiles: =?UTF-8?B?RDpcUHJvamVjdHNcS1lTVjNcU291cmNlXElkZW50aXR5LkF1dGhlbnRpY2F0aW9uXFRlc3RzXElkZW50aXR5LkF1dGhlbnRpY2F0aW9uLkNsaWVudC5XZWJGb3Jtc1xzaWdub3V0LW9pZGM=?=
X-Powered-By: ASP.NET
Date: Mon, 03 Apr 2017 08:08:53 GMT
Content-Length: 5089

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> 
...

facebook login still failing

I upgraded my project to version 3.1.0 and when I try to log in with Facebook I get an error. My other authentication (Google) works fine.

NullReferenceException for expired cookie when identity is rejected

Assume there is a cookie that is expired, sliding expiration is on, and the code in the ValidateIdentity method rejects the identity. The _shouldRenew flag will still be set to true, and at the end of the request the handler will try to set the cookie because of the flag, but there won't be an identity, which results in a null reference exception when it tries to protect it.

```csharp
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
    // ...

    bool? allowRefresh = ticket.Properties.AllowRefresh;
    if (issuedUtc != null && expiresUtc != null && Options.SlidingExpiration
        && (!allowRefresh.HasValue || allowRefresh.Value))
    {
        TimeSpan timeElapsed = currentUtc.Subtract(issuedUtc.Value);
        TimeSpan timeRemaining = expiresUtc.Value.Subtract(currentUtc);

        // Past the halfway point of the ticket lifetime: schedule a renewal.
        if (timeRemaining < timeElapsed)
        {
            _shouldRenew = true;
            _renewIssuedUtc = currentUtc;
            TimeSpan timeSpan = expiresUtc.Value.Subtract(issuedUtc.Value);
            _renewExpiresUtc = currentUtc.Add(timeSpan);
        }
    }

    var context = new CookieValidateIdentityContext(Context, ticket, Options);

    // The application's callback may reject the identity here.
    await Options.Provider.ValidateIdentity(context);

    // ...
}
```
Here are the exception details:

System.NullReferenceException: Object reference not set to an instance of an object.

Stack trace
at Microsoft.Owin.Security.DataHandler.Serializer.TicketSerializer.Write(BinaryWriter writer, AuthenticationTicket model)
at Microsoft.Owin.Security.DataHandler.Serializer.TicketSerializer.Serialize(AuthenticationTicket model)
at Microsoft.Owin.Security.DataHandler.SecureDataFormat1.Protect(TData data)
at Microsoft.Owin.Security.Cookies.CookieAuthenticationHandler.<ApplyResponseGrantAsync>d__f.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<ApplyResponseCoreAsync>d__b.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<ApplyResponseAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<TeardownAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware1.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar)
at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
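
The ordering problem in this report, reduced to a stand-alone model (an added example, not Katana source; `ModelHandler`, `Ticket` and the `clearRenewOnReject` switch are constructed for illustration). The renew flag is decided before validation runs, so a rejected identity still reaches the cookie-writing step unless the flag is cleared on rejection.

```csharp
using System;

// Constructed model of the flow in the report; not Katana source.
class Ticket { public string Identity; public DateTimeOffset Issued, Expires; }

class ModelHandler
{
    private bool _shouldRenew;
    private readonly bool _clearRenewOnReject;
    public ModelHandler(bool clearRenewOnReject) { _clearRenewOnReject = clearRenewOnReject; }

    // Mirrors the excerpt: sliding expiration sets the flag before validation is called.
    public Ticket Authenticate(Ticket ticket, DateTimeOffset now, Func<Ticket, bool> validate)
    {
        TimeSpan elapsed = now - ticket.Issued;
        TimeSpan remaining = ticket.Expires - now;
        if (remaining < elapsed) _shouldRenew = true;

        if (!validate(ticket))
        {
            // Hardened variant: a rejected identity must never be re-issued.
            if (_clearRenewOnReject) _shouldRenew = false;
            return null;
        }
        return ticket;
    }

    // Stand-in for the response step that re-protects the ticket when the flag is set.
    public string ApplyResponse(Ticket authenticated)
    {
        if (!_shouldRenew) return "no cookie written";
        return "renewed cookie for " + authenticated.Identity; // throws when authenticated is null
    }
}

static class Program
{
    static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        // Constructed ticket: 20 minutes old with 10 minutes left, so renewal is due.
        var ticket = new Ticket { Identity = "alice", Issued = now.AddMinutes(-20), Expires = now.AddMinutes(10) };
        foreach (bool harden in new[] { false, true })
        {
            var handler = new ModelHandler(harden);
            Ticket result = handler.Authenticate(ticket, now, t => false); // validation rejects
            try { Console.WriteLine("clear flag on reject = " + harden + ": " + handler.ApplyResponse(result)); }
            catch (NullReferenceException) { Console.WriteLine("clear flag on reject = " + harden + ": NullReferenceException"); }
        }
    }
}
```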

How can I access "scope" property in refresh_token flow?

Hi all!

In OAuth2 (https://tools.ietf.org/html/rfc6749#section-6) we may pass an optional "scope" property.

But in Microsoft.Owin.Security.OAuth 3.0.1 there is no way to detect this property, except ValidateTokenRequest/OnValidateTokenRequest in OAuthAuthorizationServerProvider (IOAuthAuthorizationServerProvider).
See

TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;

tokenEndpointRequest.RefreshTokenGrant.RefreshToken has this property Scope, but it is not used.

But this method is common to any request, while for refresh_token there are:

  • ReceiveAsync in IAuthenticationTokenProvider
    and
  • GrantRefreshToken in IOAuthAuthorizationServerProvider

which, I assume, are more related to the refresh workflow.

Thanks
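
One way to reach the requested scope in the refresh flow, as an added example rather than code from the thread or the project: capture it in `ValidateTokenRequest`, then in `GrantRefreshToken` refuse any scope outside the original grant, which RFC 6749 section 6 requires. The class name, the environment key, and the assumption that the granted scopes were stored space-delimited in a ticket property named `scope` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class ScopeCheckingProvider : OAuthAuthorizationServerProvider
{
    private const string RequestedScopeKey = "example:refresh_scope"; // hypothetical environment key
    private const string GrantedScopeKey = "scope";                   // hypothetical ticket property

    public override Task ValidateTokenRequest(OAuthValidateTokenRequestContext context)
    {
        if (context.TokenRequest.IsRefreshTokenGrantType)
        {
            // A missing scope parameter can surface as a single empty entry, so drop empties.
            string[] requested = (context.TokenRequest.RefreshTokenGrant.Scope ?? new string[0])
                .Where(s => !string.IsNullOrEmpty(s)).ToArray();
            context.OwinContext.Set(RequestedScopeKey, requested);
        }
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        string[] requested = context.OwinContext.Get<string[]>(RequestedScopeKey) ?? new string[0];
        string stored;
        context.Ticket.Properties.Dictionary.TryGetValue(GrantedScopeKey, out stored);

        // An empty request means "same scope as before"; anything else must be a subset.
        if (!IsSubset(requested, (stored ?? string.Empty).Split(' ')))
        {
            context.SetError("invalid_scope", "Requested scope exceeds the original grant.");
            return Task.FromResult(0);
        }
        context.Validated(context.Ticket);
        return Task.FromResult(0);
    }

    public static bool IsSubset(IEnumerable<string> requested, IEnumerable<string> granted)
    {
        var allowed = new HashSet<string>(granted, StringComparer.Ordinal);
        return requested.All(allowed.Contains);
    }
}
```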

Add an option to exclude Request.PathBase from url generation

I'm using an IIS Module to rewrite PathBase out of the urls. The middlewares are not aware of this obviously and generate the "wrong" urls:

e.g. FacebookAuthenticationMiddleware's CallbackPath:

string redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;

Could an option be added (per middleware) to tell it to exclude Request.PathBase? Or perhaps there's a better way?

Supply an ICookieManager implementation for System.Web

One of the most common issues hit by users is a conflict in the response cookie header that causes values to be dropped. See http://katanaproject.codeplex.com/wikipage?title=System.Web%20response%20cookie%20integration%20issues

This can cause infinite auth loops and other hard to diagnose issues. While we can't directly solve the issue, we can provide helpers for the most common mitigation. This would involve taking the workaround code from the link above and adding it to the SystemWeb package where it could be easily referenced by apps.

We may also add ICookieManager to the other auth providers (e.g. OIDC, Facebook, etc.) as they set temporary cookies during the auth flow.

We'll need to update the wiki to show the new workaround.
