Sometimes, when using Microsoft Azure AD (AAD) for authentication, the website goes into a redirect permaloop.
So far, this has been caused by two different things for me, so I will collate the causes and solutions below:
- HTTP vs HTTPS - The Microsoft login server runs on HTTPS, so you must also run your website on HTTPS: the login cookie is issued with the Secure flag, which prevents it from being read over HTTP. There are various ways to force SSL on your website, from global filters to URL rewriting, but in general make sure to set up your site URLs using HTTPS in the Azure portal and to browse to the site over HTTPS.
- OWIN Middleware Cookie issue - There is a known issue with the OWIN middleware which means that its cookies are sometimes lost when issued in conjunction with some other cookie, e.g. the session cookie. The easiest solution I have found is to install a NuGet package called "Kentor.OwinCookieSaver" and then add the following line to startup.auth.cs:
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseKentorOwinCookieSaver(); // <-- ADD THIS LINE, before the existing cookie/auth middleware registrations
    }
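To tell the two causes apart from a browser network capture, here is an added example (not part of the original post) that classifies a redirect trace as one cause or the other. The cookie name `.AspNet.Cookies`, the host `app.example`, the `TENANT_ID` placeholder and the tuple layout of the trace are assumptions made for the illustration.

```python
from urllib.parse import urlsplit
AUTH_COOKIE = ".AspNet.Cookies"  # assumption: default OWIN cookie-auth cookie name
IDP_HOST = "login.microsoftonline.com"

def cookie_info(header):
    """Split one Set-Cookie header into (name, lower-cased attribute names)."""
    first, *rest = [p.strip() for p in header.split(";")]
    return first.split("=", 1)[0], {p.split("=", 1)[0].lower() for p in rest if p}

def diagnose(trace, auth_cookie=AUTH_COOKIE):
    """trace: (request URL, cookie names sent, redirect Location, Set-Cookie headers)."""
    bounces, issued, secure = 0, False, False
    for url, sent, location, set_cookies in trace:
        req = urlsplit(url)
        if req.hostname == IDP_HOST:
            continue  # only the site's own exchanges matter here
        # Cause 1: a Secure auth cookie was issued, but this request is plain HTTP.
        if issued and secure and req.scheme == "http" and auth_cookie not in sent:
            return "secure-cookie-over-http"
        for name, attrs in map(cookie_info, set_cookies):
            if name == auth_cookie:
                issued, secure = True, "secure" in attrs
        if location and urlsplit(location).hostname == IDP_HOST:
            bounces += 1  # the site sent the browser to sign in (again)
    if bounces < 2:
        return "ok"
    # Cause 2: repeated sign-in redirects and the auth cookie was never in a response.
    return "auth-cookie-lost" if not issued else "other-loop"

# Constructed traces for a hypothetical site, app.example.
IDP = "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
AUTH = AUTH_COOKIE + "=abc; path=/; secure; HttpOnly"
SESSION = "ASP.NET_SessionId=xyz; path=/; HttpOnly"
HTTP_LOOP = [
    ("http://app.example/", set(), IDP, []),
    ("https://app.example/", set(), "http://app.example/", [AUTH]),
    ("http://app.example/", set(), IDP, []),
]
LOST_COOKIE_LOOP = [
    ("https://app.example/", set(), IDP, []),
    ("https://app.example/", set(), "https://app.example/", [SESSION]),
    ("https://app.example/", {"ASP.NET_SessionId"}, IDP, []),
]
HEALTHY = [
    ("https://app.example/", set(), IDP, []),
    ("https://app.example/", set(), "https://app.example/", [AUTH]),
    ("https://app.example/", {AUTH_COOKIE}, None, []),
]
print({n: diagnose(t) for n, t in [("http", HTTP_LOOP), ("lost", LOST_COOKIE_LOOP), ("ok", HEALTHY)]})
```

A verdict of `secure-cookie-over-http` points at the first fix (HTTPS everywhere), while `auth-cookie-lost` points at the OWIN cookie issue and the cookie saver.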