
IOwinContext.Authentication.AuthenticateAsync("ExternalCookie") with Steam auth is randomly null after a couple of successful authentications

Solved by Aleksa Djordjic

Hi, so, I know this probably isn't the best place to ask this but had no luck on StackOverflow (as usual...) and this is generally the most helpful forum so far for other stuff so imma try my luck here.

 

I've been trying to implement Steam authentication in my ASP.Net web app (ASP.Net Framework 4.8, MVC 5) using Owin and its Steam auth provider (Owin.Security.Providers.Steam).

I'm sure there is a better way to do it, and if you know of one, please suggest it.

 

Followed a couple of tutorials for a similar authentication system but using GitHub and re-adapted that code to be used for login with Steam.

 

Everything is working fine with a couple of logins but after some time it just breaks and wouldn't authenticate properly.

I'm new to Owin and authenticating users with it so any tips on what I should do to debug it or anything related to Owin that I misinterpreted would be helpful.

 

I don't know how to explain much of the problem, I was trying to debug it but instead of fixing it I just got more confused, here is my code (only relevant parts):

 

HomeController.cs

public async Task<ActionResult> Login()
{
    // This is always null after a couple of successful authentications
    var authenticateResult = await HttpContext.GetOwinContext().Authentication.AuthenticateAsync("ExternalCookie");

    if(authenticateResult != null)
    {
        var firstOrDefault = authenticateResult.Identity.Claims.FirstOrDefault(claim => claim.Issuer == "Steam" && claim.Type.Contains("nameidentifier"));

        var idString = firstOrDefault?.Value;
        var match = _accountIdRegex.Match(idString ?? "");

        if (match.Success)
        {
            var accountID = match.Groups[1].Value;
            var steamID = ulong.Parse(accountID);

            // User Management Code

            return RedirectToAction("Index");
        }
    }

    return RedirectToAction("LoginSteam");
}

public ActionResult LoginSteam()
{
    return new ChallengeResult("Steam", Url.Action("Login"));
}

ChallengeResult.cs

internal class ChallengeResult : HttpUnauthorizedResult
{
    public ChallengeResult(string provider, string redirectUri)
    {
        LoginProvider = provider;
        RedirectUri = redirectUri;
    }

    public string LoginProvider { get; set; }
    public string RedirectUri { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        var properties = new AuthenticationProperties { RedirectUri = RedirectUri };
        context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);
    }
}

And Startup.cs

[assembly: OwinStartup(typeof(ApplicationNamespace.Startup))]
namespace ApplicationNamespace
{
    public class Startup
    {
        public static string steamKey = "";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType("ExternalCookie");

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ExternalCookie",
                AuthenticationMode = AuthenticationMode.Passive,
                CookieName = ".AspNet.ExternalCookie",
                ExpireTimeSpan = TimeSpan.FromMinutes(5)
            });

            var webconfig = WebConfigurationManager.OpenWebConfiguration("~/");
#if DEBUG
            steamKey = webconfig.AppSettings.Settings["steamApiKey"].Value;
#else
            steamKey = webconfig.AppSettings.Settings["steamApiKeyRelease"].Value;
#endif

            var options = new SteamAuthenticationOptions
            {
                ApplicationKey = steamKey,
            };

            app.UseSteamAuthentication(options);
        }
    }
}

From what I found online, this should be universal and work with any provider, be it Google, Steam, GitHub etc. and it does... for a while... then AuthenticateAsync starts returning null each time and that is where I get confused. I couldn't find anyone having a similar problem to this online, so I would guess that something is wrong with my code instead of Owin or IIS configuration, what are relevant IIS configs that I should check before testing this again?

 

Thank you up front for anyone that tries to help, it means a lot!

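A way to narrow down where the external cookie is lost, as an added example that is not part of the original post: OWIN middleware that logs whether each request carried `.AspNet.ExternalCookie` and whether the response set it, without logging the cookie value. `UseExternalCookieTrace` is a hypothetical name, and the sketch assumes it is registered as the first line of `Startup.Configuration`.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using Microsoft.Owin;
using Owin;

// Added diagnostic example (not from the original post). Hypothetical helper:
// call app.UseExternalCookieTrace() before app.UseCookieAuthentication(...).
public static class ExternalCookieTraceExtensions
{
    // Cookie name taken from the CookieAuthenticationOptions in the post.
    private const string CookieName = ".AspNet.ExternalCookie";

    public static IAppBuilder UseExternalCookieTrace(this IAppBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // Did the browser send the external cookie on this request?
            // Log only presence and length: the value is a bearer credential.
            string incoming = context.Request.Cookies[CookieName];
            Trace.TraceInformation("{0} {1} secure={2} cookie-in={3}",
                context.Request.Method, context.Request.Path,
                context.Request.IsSecure,
                incoming == null ? "absent" : "present(len=" + incoming.Length + ")");

            // Runs when the response headers are about to be sent, so any
            // Set-Cookie header added by the middleware behind this one is visible.
            context.Response.OnSendingHeaders(state =>
            {
                var response = (IOwinResponse)state;
                var setCookies = response.Headers.GetValues("Set-Cookie")
                                 ?? new string[0];
                foreach (var header in setCookies
                    .Where(h => h.StartsWith(CookieName + "=", StringComparison.Ordinal)))
                {
                    // Keep the attributes (expires, path, secure), drop the value.
                    int attrs = header.IndexOf(';');
                    Trace.TraceInformation("{0} -> Set-Cookie {1}=<redacted>{2}",
                        response.StatusCode, CookieName,
                        attrs >= 0 ? header.Substring(attrs) : "");
                }
            }, context.Response);

            await next();
        });
    }
}
```

If the log shows the cookie present on the request to `Login` while `AuthenticateAsync` still returns null, the ticket was rejected (expired or could not be unprotected); if it is absent, the browser never stored or returned it, so compare the `Set-Cookie` attributes logged on the preceding response.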

9 hours ago, BlueScope819 said:

So as you know, authentication takes place with a cookie. I think that perhaps your line

ExpireTimeSpan = TimeSpan.FromMinutes(5)

is causing the problem, as the cookie that it places in your browser expires after that time which means that you no longer will have the auth token in your browser. Try changing that to 30 instead of 5 and see if that helps.

Yeah, that got me a bit confused though... I thought that it would generate a new cookie for each new login, right?

One thing that I didn't mention is that I was also trying on different browsers and got different results: Edge, Chrome (Mobile) wouldn't log in at all and Firefox, Chrome, DuckDuckGo (Mobile) always worked for a bit and then failed, although I tested those before the ones that didn't fail.

 

Anyways, I will try it and report back what I got, will try to space out logins as much as I can because it seemed to break over time.

Thanks


Tried this

17 hours ago, BlueScope819 said:

So as you know, authentication takes place with a cookie. I think that perhaps your line

ExpireTimeSpan = TimeSpan.FromMinutes(5)

is causing the problem, as the cookie that it places in your browser expires after that time which means that you no longer will have the auth token in your browser. Try changing that to 30 instead of 5 and see if that helps.

Didn't fix it...
I can log in once or twice, after that it's always just null


  • 4 weeks later...

Just wanna close this thread, here is what I did in the end.
Couldn't figure out how to fix it so I just switched to .Net Core and used a NuGet package that I found, it worked so... I guess that is kind of a solution
