tags:

views:

538

answers:

1
+3  Q: 

DotNetOpenAuth - OpenId login redirect hangs when relying party is trusted site

I am using the DotNetOpenAuth MVC relying party sample code (with some cosmetic changes) to integrate OpenId into an ASP.NET MVC application.

The code works great except for the following situation: when the relying party (my app) is a trusted site under IE, and I'm hitting that site from any location other then the host machine, the redirect to the OpenId provider hangs.

Specifically, the code reaches the point where the controller method is returning an ActionResult that redirects to the provider and then IE just sits there and cycles.

I know it is possible to support OpenId authentication in MVC even if the relying party is a trusted site because I tested out stackoverflow itself and it worked fine.

I used Fiddler to look at the traffic, and no request is ever made out to the provider when my application is a trusted site.

Any ideas?

The line in the sample DotNetOpenAuth code in question is:

return openid.CreateRequest(Request.Form["openid_identifier"]).RedirectingResponse.AsActionResult();

Update #1 In Fiddler, I can see that the controller action I am calling returns a 302 response with a location header for the redirect, but nothing at all happens after that. I retested with stackoverflow.com and with nerdbank.org and saw the exact same failing behavior on those two sites. I added both as trusted sites, completely closed out of IE, then when I went back to those sites I could NOT log in successfully.

I am running IE 8 on Windows 7. I can provide the full Fiddler logs if that is helpful.

Also, I've seen mention in various places that when a site is "trusted", IE blocks redirects to non-trusted domains.

Update #2

I added the open id provider to my trusted sites and now the redirect happens, so the login process works. So this really does seem to be a user agent (IE) issue.

Update #3

I found this link: link text

It seems to describe a similar problem. I followed the suggested resolutions and set both my trusted sites and regular internet zone to be in "Protected Mode" in IE. That seems to have resolved my issue.

+2  A: 

Trusted Sites is strictly an IE feature and has no effect on the execution at the RP. So I suspect the RP is sending the instruction to redirect to the user agent. Fiddler can confirm or refute this. If IE has a 'feature' that breaks redirecting from a trusted site to an untrusted site, then I'm not sure there's anything the RP can do about that.

Incidentally, StackOverflow uses DotNetOpenId (predecessor to DotNetOpenAuth), so the fact that you say it's working for you suggests there's something different about your configuration that perhaps you can control to fix.

Update: Win7 RC had a bug in IE8 and Win7 RTM has the fix. If you're running RC, sit tight for RTM to be available. You may also retry this scenario on any other RTM Windows operation system and IE browser.

Andrew Arnott  2009-08-25 03:18:43
You're using IE and the nerdbank.org/rp login works for you when nerdbank.org is a trusted site? I thought stackoverflow was working, but I figured out I had to completely log out, add it to my trusted site and then restart IE to have a clean test.
Peter M  2009-08-25 04:20:34
I logged out of nerdbank.org/rp, closed the browser (after making it a trusted site), and reran the test. It still works for me. Happy to investigate it though, if you can suggest anything else to help me repro it.
Andrew Arnott  2009-08-25 04:57:22
Ah, just noticed your updates to the question. I would agree with you that this is entirely an IE issue and the RP can do nothing about it. Can you provide a reference to what you found about IE redirects?
Andrew Arnott  2009-08-25 04:58:48
I updated my original question with a link. Once both trusted sites and internet sites were set to the same level of Protected Mode (on/off), the redirect worked.
Peter M  2009-08-25 13:50:01
I updated my answer to include what I just learned from MSFT: Win7 RC had a bug that sounds like what you're describing. Win7 RTM has the fix.
Andrew Arnott  2009-08-25 17:34:12
Thank you Andrew. I'm marking your answer as accepted. Thanks for the tip on Win 7 RC. I will confirm that behavior tomorrow with the RTM build.
Peter M  2009-08-26 04:05:59

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data