Authenticating custom Umbraco controller with OWIN/OIDC against Azure AD B2C
I am stuck.
I have a custom Umbraco controller which inherits from RenderMvcController and when the Index() action method is hit a file is returned. This works, but what I want to do is to protect it by decorating the action with an AuthorizeAttribute and then requiring the user to authenticate.
namespace MyNamespace.Controllers
{
    public class MyModelController : RenderMvcController
    {
        [Authorize]
        public ActionResult Index(RenderModel model)
        {
            // ...
        }
    }
}
The authentication is to be made using OWIN and OpenID Connect against an Azure AD B2C app. This also works and is tested, but in a non-Umbraco context.
I have read numerous threads and code relating to the subject, but I am struggling to integrate it within Umbraco. I have a custom startup class which inherits from UmbracoDefaultOwinStartup. I register a custom route to my AuthController and configure OIDC via IAppBuilder.UseOpenIdConnectAuthentication().
But I need the Umbraco glue and have problems understanding how I should configure the cookies. I have checked that the startup Configuration() method is invoked.
namespace MyNamespace
{
    public class CustomOwinStartup : UmbracoDefaultOwinStartup
    {
        public override void Configuration(IAppBuilder app)
        {
            base.Configuration(app);
            ConfigureAuth(app);
            RouteTable.Routes.MapRoute(
                "CustomAuth",
                "CustomAuth/{action}",
                new { controller = "Auth" }
            );
        }

        private void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/CustomAuth/SignUpSignIn") // TODO: What should I put here?
            });
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
            app.UseOpenIdConnectAuthentication(
                // Passing options that are tested and working
            );
        }
    }
}
And then I have my auth controller which is very simple for the time being. I have no requirement to sync the auth info with Umbraco users.
namespace MyNamespace.Controllers
{
    public partial class CustomAuthController : Controller
    {
        public CustomAuthController() : base()
        {
        }

        public void SignUpSignIn()
        {
            if (!Request.IsAuthenticated)
            {
                HttpContext.GetOwinContext().Authentication.Challenge();
                return;
            }
            Response.Redirect("/"); // TODO: Maybe this should redirect me back to original route MyModel/Index in some way
        }
    }
}
If I run this and try to access my attribute-decorated custom Umbraco controller, I get this error:
Page not found
No umbraco document matches the url '/login.aspx?ReturnUrl=MYORIGINALROUTEHTTPENCODED'.
This page can be replaced with a custom 404. Check the documentation for "custom 404".
My guess is that this is because of the <authentication mode="Forms"> setting in Web.config, but if I remove this or set the attribute mode to "None", will this not impact the back-office login?
Very thankful if anyone can help point me in the right direction!
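
Added example (not part of the original post, and not Umbraco's own code): one way to handle the "redirect me back to original route" TODO in SignUpSignIn without turning the sign-in endpoint into an open redirect. It assumes a hypothetical returnUrl query parameter and that the OpenID Connect middleware is registered under its default authentication type.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

namespace MyNamespace.Controllers
{
    public class CustomAuthController : Controller
    {
        // "returnUrl" is a hypothetical parameter name chosen for this example.
        public ActionResult SignUpSignIn(string returnUrl)
        {
            // Accept only same-site relative paths. Absolute or protocol-relative
            // URLs fall back to "/", so an attacker-supplied link cannot send the
            // user to another site after a successful sign-in.
            var target = !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)
                ? returnUrl
                : "/";

            if (Request.IsAuthenticated)
            {
                return Redirect(target);
            }

            // Ask the forms authentication module not to turn this 401 into a
            // redirect to its own login page.
            Response.SuppressFormsAuthenticationRedirect = true;

            // Name the OIDC middleware explicitly and carry the validated path
            // through the sign-in round trip.
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = target },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);

            return new HttpUnauthorizedResult();
        }
    }
}
```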