Skip to content

Suppress login redirects for API clients in WIF with Thinktecture IdentityModel

February 19, 2013

The FAM (federated authentication module) can be configured to automatically redirect http requests to the STS for authentication when a user is unauthorized. This is a common setting and is configured with the passiveRedirectEnabled attribute in web.config as such:

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" />
    <wsFederation requireHttps="true"
                  passiveRedirectEnabled="true"
                  realm="http://localhost/rp"
                  issuer="https://localhost/sts/issue/wsfed"
        />
  </federationConfiguration>
</system.identityModel.services>

The above configuration will force all unauthorized requests to be redirected, but for active API clients like Ajax and WebAPI the redirect is not useful and the unauthorized status code of 401 is preferred. The FAM supports disabling the redirect with the AuthorizationFailed event and it could be handled like this in global.asax:

void WSFederationAuthenticationModule_AuthorizationFailed(
    object sender, AuthorizationFailedEventArgs e)
{
    e.RedirectToIdentityProvider = false;
}

The hard part about implementing the above event handler is to logic to determine which requests are browser requests (and should be redirected) and which requests are API requests (and should not be redirected). APIs calls can be detected by checking for either the “X-Requested-With” http header (for Ajax requests) or if the http handler being used on the server is the HttpControllerHandler class (which is used by WebAPI).

Fortunately this logic has been implemented for you in Thinktecture IdentityModel. This feature is enabled with a SuppressLoginRedirectsForApiCalls API which should be invoked from the Init method in global.asax:

public override void Init()
{
    PassiveModuleConfiguration.SuppressLoginRedirectsForApiCalls();
}

The redirect mentioned above will also be issued for other resource requests such as CSS and JavaScript files. If it is desirable to not redirect those requests, then the FAM http module can be configured to only run for requests that execute .NET code on the server (and not for static file requests). This is done by setting the preCondition attribute to “managed” for the FAM’s http module registration in web.config:

<system.webServer>
  <modules>
    <add name="WSFederationAuthenticationModule"
         type="System.IdentityModel.Services.WSFederationAuthenticationModule,
               System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral,
               PublicKeyToken=b77a5c561934e089"
         preCondition="managed"
    />
  </modules>
</system.webServer>

HTH

17 Comments leave one →
  1. RonyK permalink
    April 30, 2013 2:57 am

    Hi, for some reason the WSFederationAuthenticationModulemodule in my mvc website redirects to my IDP also when a role based access control fails, even though the user is authenticated (This causes a redirect loop between the RP and the IDP). I even tried to set the e.RedirectToIdentityProvider to false when the user is authenticated (which is what seems to be done in the WSFederationAuthenticationModule itself. But it didn’t help. The WSFederationAuthenticationModulemodule seems to ignore the value of e.RedirectToIdentityProvider and perform the redirect. Any ideas what can cause this kind of behaviour?

    • RonyK permalink
      April 30, 2013 3:21 am

      A little update: It seems that PassiveModuleConfiguration.SuppressLoginRedirectsForApiCalls() causes this behavior. After removing it, the expected behavior returned, getting a 401 response when a user tries to access a controller that requires a role the user does not belong to. I guess that a consideration whether the user is authenticated should be added to the SuppressLoginRedirectsForApiCalls() logic.

  2. December 3, 2013 12:37 pm

    Hi There, is there any equivalent of preCondition=”managed”
    in

    to
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule

    (WIF 3.5)? Thanks

  3. Daniel permalink
    April 25, 2014 3:23 pm

    Hi! Anyway to do the same using katana/web api? I’ve tried with no luck… =/
    Thanks!!

  4. May 9, 2014 2:47 pm

    Hi BrockAllen,

    We have a claim aware application created using Windows Identity foundation and working with ADFS.

    Now we want to use windows integrated login(Windows authentication) in this application. We tried to set authentication type to windows in web.config, but application is not using it(ignoring the tag). I believe that is because WSFederationModule bypasses WindowsAuthentication Module.

    If i am correct ,Is there some way by which i can enable windows authentication in a WIF application, so that the Enterprise user can seemlessly login using Windows Integrated authentication without any further prompt.

    As you have overridden wsfederation module, so it raises my hope.
    Kindly advise the best way to implement windows integrated login in WIF claim aware application.

    Regards

    TicArch

    • May 11, 2014 9:51 am

      I’m confused why you need or want integrated windows auth if you’re already using ADFS, since ADFS (deployed in the intranet) should already provide the integrated windows authentication flow. But to your question — If you want integrated windows auth in your app, then disable the WSFereratedAuthenticationModule.

      • seekbhaskar permalink
        May 12, 2014 1:21 am

        Hi Brockallen,

        Let me clarify your doubt. I am trying to put windows authentication and claim aware both in my application because i am using my own login page in my application instead of ADFS login page.
        Our users are both enterprise user and external users. So i need both windows integrated and claim aware. As you said i can have only one.
        So my query here is – Is there some way by which i can check in incoming request whether user has domain credentials or not. Can i override WSfederationmodule to get the windows credentials first , if they don’t exist, pass on to WSfederationmodule for creating claimprincipal.

        Does it make sense, as i am not sure where exactly in the pipeline can I get the windows/non-windows user identification.

        Hope i am clear now.
        Cheers
        Ticarch

        • May 12, 2014 8:36 pm

          So you can use claims in an app with windows auth — you don’t need to use ADFS. See this to get a little more info — it’s not exactly what you’re asking but it might help understand that claims are just built into ,NET 4.5:

          https://brockallen.com/2013/01/17/adding-custom-roles-to-windows-roles-in-asp-net-using-claims/

          • seekbhaskar permalink
            May 12, 2014 8:52 pm

            Hi BrockAllen,

            Using ADFS is a necessity for me as i have to interact with other SPs as well which are in my domain and external SPs like Amazon console and LinkedIn. I have succcessfully integrated those.
            However, this integrated windows authentication use case is causing issue for me. That’s where i needed your help. If at all I add WIF related WSfederationmodule in my application, all windows users identity is gone. It is not available anywhere. I tried to plug-in my custom module but hard luck.

            Regards
            TicArch

          • May 14, 2014 11:15 am

            If you’re doing ADFS then your app is not logging the user in and you’re externalizing it with ADFS. Yet you say you want integrated windows auth in your app which is not using WIF, so I’m confused on which you really want.

  5. August 27, 2014 8:28 am

    Hi! I found this post very helpful. Thanks.

  6. Mick Quinlan permalink
    December 4, 2015 11:53 am

    Hi Brock,

    Thanks for your article! I think it’s pointed me in the right direction. However, I have a WebAPI application where I want to protect certain routes with WIF and allow others through.

    My Web API application is a proxy providing WIF integration for another non IIS application. I’ve implemented a DelegatingHandler to process all requests and have implemented a generic “catch all” route in the following manner:

    public static class WebApiConfig
    {
    public static void Register(HttpConfiguration config)
    {
    config.Routes.MapHttpRoute(name: “Proxy”, routeTemplate: “{*path}”, handler: HttpClientFactory.CreatePipeline
    (
    innerHandler: new HttpClientHandler(), // will never get here if proxy is doing its job
    handlers: new DelegatingHandler[] { new HttpHandler() }
    ),
    defaults: new { path = RouteParameter.Optional },
    constraints: null
    );
    }

    As a result there are no physical Web API controllers as all requests go through the DelegatingHandler (HttpHandler) and on to the 3rd party application.

    My problem is that when I bypass WIF I’m hit with a Windows Authentication (WA) login screen. I have WA enabled on my web application configuration through its Authentication options on IIS. For this type of scenario what kind of authentication should be enabled for my web application in IIS?

    Any help would be very much appreciated!!!

    Regards.

    Mick

    • January 2, 2016 11:27 am

      If you have a WA screen, then your app in IIS is configure to issue those challenge headers. I guess I don’t know the real requirements, so it’s hard to say how it should be configured.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: