please bear with me: i am pretty new to all of this
i am working on integrating openid connect with a pair of applications developed by the company.
we are using custom/company specific openid connect libraries that are, i think, essentially wrappers around Microsoft.Owin.Security.OpenIdConnect and Owin.Security.OpenIdConnect.Server
in the idP application web.config, we have something like:
<location path="." inheritInChildApplications="false">
<authentication mode="Forms">
<forms loginUrl="~/Login" name="{....}" protection="All" path="/" slidingExpiration="true" requireSSL="false" defaultUrl="~/Home" cookieless="UseCookies" />
</authentication>
<authorization>
<deny users="?" />
<!-- denies anonymous users to all pages, except those defined under location nodes -->
</authorization>
</location>
plus a bunch of location nodes to allow/deny access to specific pages/resources
the problem is that when the openid connect stuff tries to access /.well-known/openid-configuration when the user is not logged in (or, it seems in the process of logging in), the response is a 302 redirect to the login page
obviously this is causing problems when a JSON response is expected
i have tried adding a location node to the web.config:
<location path= "~/.well-known/openid-configuration">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
(i also tried with path = "~/.well-known")
but i am still getting redirected to the login page
to be clear, there is no actual directory /.well-known in the idP application; the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server.
Yes, it is.
Try calling
app.UseStageMarker(PipelineStage.Authenticate)immediately after registering the OIDC server middleware to prevent ASP.NET from applying the authorization policies before it has a chance to be invoked:Note that you shouldn't need an exception for
~/.well-known/openid-configurationin yourweb.configwhen usingapp.UseStageMarker().