HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

Configure OWIN authentication

Describes OWIN authentication, which is a standardized interface between web servers and web applications to loosen the tight coupling between ASP.NET and IIS.

A startup function sets up the hosting environment by registering a set of middleware with the application. For each request, the application calls each of the the middleware components with the head pointer of a linked list to an existing set of handlers. Each middleware can add one or more handlers to the request handling pipeline by returning a reference to the handler that is the new head of the list. Each handler is responsible for remembering and invoking the next handler in the list.


  • OWIN – An abstraction between Web servers and framework components.
  • Middleware – A function called in the OWIN pipeline.

To configure OWIN authentication, set the authentication type in the system.web section of web.config.

<authentication mode="None"></authentication>

To configure OWIN authentication, create a Startup file in your project that handles the configuration of the different authentication middleware.

using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.Google;
    using Owin;
    using WebApplication1.Models;
    namespace WebApplication1
        public partial class Startup
            // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
            public void ConfigureAuth(IAppBuilder app)
                // Configure the db context, user manager and signin manager to use a single instance per request
                // Enable the application to use a cookie to store information for the signed in user
                // and to use a cookie to temporarily store information about a user logging in with a third party login provider
                // Configure the sign in cookie
                app.UseCookieAuthentication(new CookieAuthenticationOptions
                    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                    LoginPath = new PathString("/Account/Login"),
                    Provider = new CookieAuthenticationProvider
                        // Enables the application to validate the security stamp when the user logs in.
                        // This is a security feature which is used when you change a password or add an external login to your account.  
                        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                          validateInterval: TimeSpan.FromMinutes(30),
                          regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
                app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
                // Enables the application to remember the second login verification factor such as phone or email.
                // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
                // This is similar to the RememberMe option when you log in.
                // Uncomment the following lines to enable logging in with third party login providers
                //    clientId: "",
                //    clientSecret: "");
                //   consumerKey: "",
                //   consumerSecret: "");
                //   appId: "",
                //   appSecret: "");
                //app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
                //    ClientId = "",
                //    ClientSecret = ""