Kentico forms authentication cookie not persisting when sharing claims-based authenticated user with

Pam Reid asked on May 20, 2021 00:26

I'm working on an SSO between our CMS (Kentico 11, portal engine) and a new AMS that uses Auth0 for authentication. After no success with numerous different approaches to integrate custom external authentication directly, I made significant progress with this approach:

  1. Create a standalone MVC application based on the Auth0 ASP.NET (OWIN) quick start here: https://auth0.com/docs/quickstart/webapp/aspnet-owin - the SSO works correctly here

  2. Configure this application as a child application of the Kentico site - this required adding some location tags in the Kentico web config so the MVC app wouldn't inherit most of the settings

  3. Configure the Kentico app to be able to recognize the authenticated user from the child app - this required adding the same machine key to the web config for both applications, and adding a Startup.Auth.cs class to the Kentico application with the same cookie authentication code as the MVC app

Eventually the proper redirects will be wired up to the correct global authentication events, but for now I'm mostly working in the context of a test page with the following flow:

  1. When you load the page, if the user is not logged in, they're redirected to the login action in the MVC app (which then redirects to Auth0).

  2. After successfully logging in to Auth0, the user is redirected back to the native callback in the MVC app which handles the token exchange and setting the claims, and then finally redirected back to the test page on the Kentico site. Everything is good so far, as the Kentico site correctly recognizes the authenticated user and claims from the child MVC app at this point.

  3. Check for an existing Kentico user by username (we'll be using the external AMS ID as username). If the user exists, update name and email; otherwise, create a new user and set the info accordingly. Then programmatically log the user in to the Kentico site using AuthenticationHelper.AuthenticateUser("username", true);

This seemed to work at first - if I do a check for the current Kentico user on the same page right after logging them in, they're recognized correctly. However, if I navigate to another page, the Kentico user is lost, and it appears that's because the .ASPXFORMSAUTH cookie set by the AuthenticationHelper.AuthenticateUser method is not persisting.

This is the code I currently have in the Kentico Startup.Auth.cs file:

using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Inside ConfigureAuth(IAppBuilder app) in the Kentico site's Startup.Auth.cs,
// mirroring the cookie authentication setup of the child MVC app
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    LoginPath = new PathString(MVCLoginURL),   // login action in the child MVC app
    CookieSameSite = SameSiteMode.Lax
});

When I comment that out and try programmatically logging a specific user in on my test page instead, that works as expected - the .ASPXFORMSAUTH cookie persists, and the Kentico user continues to be recognized on other pages.

Any help identifying the conflict or how to make these two sets of cookies play nicely together is much appreciated. I'm very new to Auth0, OWIN, and OpenID, and I realize the Kentico Portal Engine is becoming obsolete and we won't be supporting it for too much longer, but for now I need to make this work with our existing sites. Thanks!

Recent Answers

Don Rea answered on April 19, 2022 16:37

I see this was posted almost a year ago so I imagine you've solved this some time past, but for the benefit of anyone else happening on this question I wanted to suggest that the solution may be as simple as forcing a redirect to some other page immediately after the call to AuthenticationHelper.AuthenticateUser. That's working for us, anyway.

0 votes
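An added example, not code from the question or the answer, of the test-page flow from step 3 combined with the redirect Don Rea suggests. It assumes an ASPX code-behind on the Kentico site, that the child MVC app's login action lives at /sso/Account/Login, a post-login page of ~/Members/Home.aspx, and that the AMS ID arrives in the NameIdentifier claim:

```csharp
using System;
using System.Security.Claims;
using System.Web;
using CMS.Helpers;
using CMS.Membership;
using CMS.SiteProvider;

public partial class SsoTestPage : System.Web.UI.Page
{
    // Assumed paths: the child MVC app's login action and the page to land on afterwards.
    private const string MvcLoginUrl = "~/sso/Account/Login";
    private const string PostLoginUrl = "~/Members/Home.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Claims come from the OWIN cookie shared with the child MVC app (same machine key).
        var principal = HttpContext.Current.User as ClaimsPrincipal;
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
        {
            URLHelper.Redirect(MvcLoginUrl);   // step 1: not signed in via Auth0 yet
            return;
        }

        // Step 3: the external AMS ID (assumed to arrive as NameIdentifier) is the Kentico username.
        string externalId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(externalId))
        {
            return;   // no stable identifier: neither create nor sign in a Kentico user
        }

        UserInfo user = UserInfoProvider.GetUserInfo(externalId)
                        ?? new UserInfo { UserName = externalId, Enabled = true };
        user.FullName = principal.FindFirst(ClaimTypes.Name)?.Value ?? user.FullName;
        user.Email = principal.FindFirst(ClaimTypes.Email)?.Value ?? user.Email;
        UserInfoProvider.SetUserInfo(user);   // inserts a new user or updates the existing one

        // A user must be assigned to the site before site-level sign-in succeeds.
        if (!user.IsInSite(SiteContext.CurrentSiteName))
        {
            UserInfoProvider.AddUserToSite(user.UserName, SiteContext.CurrentSiteName);
        }

        // Issue the .ASPXFORMSAUTH cookie, then end the request with a redirect to a fixed,
        // site-local page (as the answer suggests) instead of continuing to render this one.
        AuthenticationHelper.AuthenticateUser(user.UserName, true);
        URLHelper.Redirect(PostLoginUrl);
    }
}
```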
