I created a custom SecurityTokenServiceHttpHandler to handle requests for authentication through Azure Active Directory. It works fine for most cases, but definitely gets wonky in some spots.
The main issue I'm having has been narrowed down to the presence of .ASPXAUTH. When SetAuthCookie is called, it's creating the FedAuth tokens and unfortunately the ASPXAUTH token as well, which I believe is used for "persist my login" via the normal case.
The cookie itself is not cleared through SecurityManager's logout features (Logoff, DeleteAuthCookies).
The major side effect of not being able to kill this cookie is that a redirect loop is eventually caused by the presence of an ASPXAUTH cookie, telling the authentication end point you're OK, but having invalid FedAuth tokens. The claims service will keep routing to the ProcessRequest, which will fall through to "normal behavior" and try to route to the return uri, where the user is unauthorized to go (Permissions set to only authenticated users), then back to claims service and so forth.
1. Is there a way to set the auth cookie without the login persistence cookie?
2. Is this expected behavior?
My logout is now:
LogoutLink.Click += (sender, args) =>
{
    // Redirect to the current URL and let Sitefinity throw it to the unauthorized page.
    Context.Response.Redirect(Context.Request.Url.AbsoluteUri, true);
};
Note, I now catch the case in ProcessRequest to prevent the described scenario, but again it feels heavy handed.
// If they're hitting the login service after the system considers them auth'd, log them out. There's a
// real solid chance that the claims aren't properly aligned and the user is going to be redirected infinitely.
// Do secure AAD token grabbin'.
// Redirect back to the claims service, which will mark the user as authenticated and route to the return URI.
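An added illustration, not code from the post above or from Sitefinity, of the two mitigations the post describes: expiring the Forms cookie and the WIF session cookies explicitly on logout, and guarding ProcessRequest so that an orphaned .ASPXAUTH cookie (present while no FedAuth session exists) is cleared once instead of bouncing the user between the claims service and the return URI. The handler base type and the cookie names FedAuth/FedAuth1 are assumptions (they are the default names written by SessionAuthenticationModule); the Forms cookie name is read from FormsAuthentication.FormsCookieName, which is .ASPXAUTH unless web.config overrides it.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.IdentityModel.Services; // WIF 4.5, System.IdentityModel.Services.dll

// Added example; not the original handler. Shows how to remove every authentication
// cookie on logout and how to detect the inconsistent cookie state that causes the loop.
public static class AuthCookieCleanup
{
    // Assumed names: the defaults written by the WIF SessionAuthenticationModule.
    private static readonly string[] FederatedCookieNames = { "FedAuth", "FedAuth1" };

    // Expire a cookie in the response. A browser only drops the stored cookie when the
    // name, Path and Domain match, so these must mirror how the cookie was issued.
    private static void Expire(HttpResponse response, string name)
    {
        var dead = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = "/",          // assumed issue path
            HttpOnly = true,
            Secure = true        // assumes the site is served over HTTPS
        };
        response.Cookies.Set(dead);
    }

    public static void ClearAll(HttpContext context)
    {
        // Forms auth: writes an expired cookie named FormsAuthentication.FormsCookieName.
        FormsAuthentication.SignOut();

        // WIF session: ask the module to sign out if it is loaded, then expire the
        // cookies explicitly in case the module is absent from this pipeline.
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            sam.SignOut();
        }
        foreach (var name in FederatedCookieNames)
        {
            Expire(context.Response, name);
        }
    }

    // True when the Forms cookie is present but no federated session cookie is:
    // the request looks authenticated to Forms auth yet carries no valid FedAuth token.
    public static bool HasOrphanedFormsCookie(HttpRequest request)
    {
        bool hasForms = request.Cookies[FormsAuthentication.FormsCookieName] != null;
        bool hasFed = false;
        foreach (var name in FederatedCookieNames)
        {
            if (request.Cookies[name] != null)
            {
                hasFed = true;
            }
        }
        return hasForms && !hasFed;
    }
}

// Shape of the guard at the top of the STS handler's ProcessRequest (handler type assumed).
public class GuardedStsHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.Request.IsAuthenticated &&
            AuthCookieCleanup.HasOrphanedFormsCookie(context.Request))
        {
            // Clear the stale state and send the user back through login exactly once,
            // instead of falling through to the return URI where .ASPXAUTH alone is not enough.
            AuthCookieCleanup.ClearAll(context);
            context.Response.Redirect(context.Request.Url.AbsoluteUri, true);
            return;
        }

        // ... token acquisition and redirect to the claims service continue here ...
    }
}
```

The check a practitioner should make before relying on this: confirm in the browser's cookie store, after logout, that neither .ASPXAUTH nor FedAuth/FedAuth1 survive; if one does, its Path or Domain differs from the one used in Expire, and the expiring cookie must be issued with the same attributes.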