OnAuthenticated get's called twice for windows authentification


My OnAuthenticated() handler (on custom DefaultAuthEvents class implementing IAuthEvents) always get’s triggers twice when logging in with windows authentication.

Is this a possible bug in SS?


How many requests are you seeing sent in the raw HTTP Headers?

I can see only one request being sent to the server.

Some debugging info if it helps:

First time my OnAuthenticated() is called from here:

AuthenticateService.cs line: 188 
new AuthenticateAttribute().ExecuteAsync(base.Request, base.Response, request).Wait();

Second time my OnAuthenticated() is called from here:

AuthenticateService.cs line: 198
var response = Authenticate(request, provider, session, authProvider);

Are you calling the /auth service manually? Can you provide the raw HTTP Request/Response headers of the request where OnAuthenticated() is called twice?

Fiddler auth session

The Fiddler session is showing multiple POST auth requests to /auth/windowsauth.

But why are explicitly authenticating against /auth/windowsauth? The WindowsAuth AuthProvider authenticates per request when calling [Authenticate] requests so it’s not clear why you’re authenticating against /auth/windowsauth?

Windows authentication is explicit to a single route on our server (web.config):

<location path="api/auth/windowsauth">
          <anonymousAuthentication enabled="false"/>
          <windowsAuthentication enabled="true"/>

Otherwise we also support other types of authentication (un/pw, certificate).
[Authenticate] attribute is not used in our services. Authentication is handled by cross cutting concerns in our internal code (variant of CQS).

Ok I’m still not clear why you’re authenticating against /auth/windowsauth? The IAuthWithRequest services are not supposed to explicitly call the /auth Service to authenticate themselves, they’re supposed to call a normal [Authenticate] Service where they will authenticate on each request. So I’m not sure of the purpose, but you likely want to call a [Authenticate] Service and have that implementation do what you need. Are you saving the UserSession? Because IAuthWithRequest Auth Providers typically don’t save User Sessions beyond the lifetime of the request.

We save user’s session on authentication and later on verify each request if it has a valid session.