
ASP.NET Core Identity is used as the authentication and authorization provider for an ASP.NET Core application. Furthermore, I want to provide SSO for a third-party PHP app. The ASP.NET Core app uses cookie authentication. Both apps are on the same domain, so my idea is to validate the session cookie from ASP.NET using PHP, which would sign in the user automatically in the PHP app when he is logged in to the .NET Core app.

To be more clear, this is how cookie authentication is configured:

services.Configure<IdentityOptions>(options =>
{
    // Name of the Identity application cookie and the login redirect target
    options.Cookies.ApplicationCookie.CookieName = "SessionAuth";
    options.Cookies.ApplicationCookie.LoginPath = new PathString("/Account/Login");
});

So after a login using the ASP.NET Core app, I could simply use $_COOKIE['SessionAuth'] in PHP to get the cookie.

The big question is: how can I validate this cookie and find out which user it belongs to?

From other applications like vBulletin I know that the value of the session cookie is stored in some database table with the corresponding UserId, so it's easy to validate that information. In ASP.NET Core Identity, I couldn't find any table with the value of my SessionAuth cookie.

So I think it's some kind of calculated or encrypted string, maybe similar to a JWT. Since my ASP.NET Core app does a targeted query to the AspNetUsers table with my UserId, it must be possible to decrypt that string, which results in at least the Id of the logged-in user.

I also started looking at the source code provided by the .NET Foundation, which seems to confirm my theory. But I'm not really aware yet of how ASP.NET Core Identity authentication cookies work in detail, so that I'm able to decrypt the cookie. It seems like Identity uses machine keys to decrypt those cookies, which are stored in the file system of the server.


1 Answer


I answered a similar question here: How to manually decrypt an ASP.NET Core Authentication cookie? It should provide a lot of useful information for you.

Also, what's stored in the ASP.NET authentication cookie are the authentication claims. In the link I show how to decrypt the cookie to a raw string as well as how to decrypt the cookie to an AuthenticationTicket.

You may also find this Stack Overflow Q&A helpful: How to gain access to Asp.Net Core encryption keys?
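The following program, added here as an illustration and not code from the question, the answer, or the linked posts, shows what both the question and the answer are getting at: the SessionAuth cookie is not a database lookup key but an AuthenticationTicket that the cookie handler has serialized, encrypted and MAC'd with the app's Data Protection key ring. It unprotects such a cookie the same way CookieAuthenticationHandler does (same purpose strings, same scheme name "Identity.Application", same "v2" version tag) and then applies the two checks a relying application needs before trusting it: the cryptographic check and the ticket's own expiry. It targets ASP.NET Core 2.x namespaces (packages Microsoft.AspNetCore.Authentication and Microsoft.AspNetCore.DataProtection.Extensions); the key directory, the application name and the cookie value are placeholders. It also assumes the web app was configured with PersistKeysToFileSystem on that directory and the same SetApplicationName, because otherwise the derived keys differ and nothing will validate.

```csharp
using System;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

// Added example, not code from the question or the linked answers. Unprotects an
// ASP.NET Core Identity application cookie with the app's own Data Protection key
// ring, exactly as CookieAuthenticationHandler does, and reports who it belongs to.
public static class SessionAuthInspector
{
    // Purpose strings the cookie handler passes to CreateProtector:
    // typeof(CookieAuthenticationMiddleware).FullName, the scheme name, "v2".
    private const string CookieHandlerPurpose =
        "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware";

    // Identity's application cookie scheme (IdentityConstants.ApplicationScheme).
    private const string IdentityApplicationScheme = "Identity.Application";

    // Returns the ticket carried by the cookie, or null if the MAC check fails,
    // the key is not in the ring, or the purposes/application name do not match.
    public static AuthenticationTicket Unprotect(
        string keyRingDirectory, string applicationName, string cookieValue)
    {
        // Assumed configuration: the web app persists its keys to this directory
        // and calls SetApplicationName with the same name.
        IDataProtectionProvider provider = DataProtectionProvider.Create(
            new DirectoryInfo(keyRingDirectory),
            builder => builder.SetApplicationName(applicationName));

        IDataProtector protector = provider.CreateProtector(
            CookieHandlerPurpose, IdentityApplicationScheme, "v2");

        // TicketDataFormat does base64url decode -> Unprotect -> TicketSerializer.
        var format = new TicketDataFormat(protector);
        return format.Unprotect(cookieValue);
    }

    // Mirrors the checks a relying application should make before trusting the
    // ticket: cryptographic validity (above) plus the ticket's own expiry.
    public static string ValidatedUserId(AuthenticationTicket ticket, DateTimeOffset now)
    {
        if (ticket == null) return null;   // tampered, foreign, or wrongly-keyed cookie

        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value <= now) return null;   // expired ticket

        // Identity stores the user's primary key in NameIdentifier by default.
        return ticket.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    }

    public static void Main(string[] args)
    {
        // Placeholders: your key ring directory, application name and a cookie
        // value taken from a logged-in session of your own app.
        string keyRingDirectory = args.Length > 0 ? args[0] : "<path-to-DataProtection-Keys>";
        string applicationName  = args.Length > 1 ? args[1] : "<your-application-name>";
        string cookieValue      = args.Length > 2 ? args[2] : "<SessionAuth cookie value>";

        AuthenticationTicket ticket = Unprotect(keyRingDirectory, applicationName, cookieValue);
        string userId = ValidatedUserId(ticket, DateTimeOffset.UtcNow);

        if (userId == null)
        {
            Console.WriteLine("Cookie rejected: not valid under this key ring, or expired.");
            return;
        }

        Console.WriteLine($"Scheme : {ticket.AuthenticationScheme}");
        Console.WriteLine($"User id: {userId}");
        Console.WriteLine($"Expires: {ticket.Properties.ExpiresUtc}");
        foreach (Claim claim in ticket.Principal.Claims)
            Console.WriteLine($"  {claim.Type} = {claim.Value}");
    }
}
```

Two things this makes visible for the PHP side. First, "validating" the cookie means holding the same key ring and reproducing the Data Protection algorithm, so whichever process does it (this tool, or a PHP reimplementation) can also mint cookies for any user; the key ring deserves the same file permissions as a signing key. Second, cryptographic validity is not the whole story: the ASP.NET app additionally revalidates the security stamp against the database on a timer, and a long cookie is split by the chunking cookie manager into SessionAuthC1, SessionAuthC2, ... with a chunk-count marker in the base cookie, so the PHP reader has to reassemble the chunks before passing the value to an unprotect routine.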
