Owin and Commerce Manager


Has anybody got OWIN working with Commerce Manager? I am having trouble after logging in and it keeps going in a redirect loop.

I have installed OWIN on our dev site and all works without problem.

I tried installing EPiServer.Commerce.Security on Commerce Manager and added the SynchronizingProvider as described here.

Any pointers, or does anyone know of any documentation? (I can't seem to find any.)

I have the latest packages installed: EPiServer.CommerceManager 8.16.1

Sep 15, 2015 12:41


I suspect this, "I am having trouble after logging in and it keeps going in a redirect loop.", to be a problem with IAppBuilder.Map (you redirect to the page OWIN is supposed to map).

Is there any custom code with your Owin implementation?



Sep 15, 2015 16:26

Hi Quan - Yes, I think this is where the confusion lies... EPiServer.Commerce.Security inserts this default into Commerce Manager:

    using Microsoft.Owin;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    [assembly: OwinStartup(typeof(EPiServer.Commerce.Security.Startup))]

    namespace EPiServer.Commerce.Security
    {
        /// <summary>
        /// Sample Startup file to be used with EPiServer.Commerce.Security
        /// </summary>
        public class Startup
        {
            /// <summary>
            /// Configuration method used by Microsoft.Owin to initialize owin process.
            /// </summary>
            /// <param name="app">The application.</param>
            public void Configuration(IAppBuilder app)
            {
                //Enable cookie authentication, used to store the claims between requests
                app.UseCookieAuthentication(new CookieAuthenticationOptions
                {
                    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                    AuthenticationMode = AuthenticationMode.Active,
                    LoginPath = new PathString("/Login"),
                    LogoutPath = new PathString("/Logout")
                });
            }
        }
    }

The user has all roles required, but the problem is accessing /Apps/Shell/Pages/default.aspx

The redirect loop is which keeps appending returnUrl to it.

And the Website has this which I have put together from a few samples...

        public void Configuration(IAppBuilder app)
        {
            const string LogoutUrl = "/util/logout.aspx";

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Login"),
                LogoutPath = new PathString("/Logout"),
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
                    OnApplyRedirect = ApplyRedirect
                }
            });

            // Maps the EPiServer Admin logout
            app.Map(LogoutUrl,
                map => map.Run(
                    ctx =>
                    {
                        return Task.FromResult(0);
                    }));

            // Tell antiforgery to use the name claim
            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
        }

        /// <summary>
        /// Applies the redirect.
        /// </summary>
        /// <param name="context">The context.</param>
        private static void ApplyRedirect(CookieApplyRedirectContext context)
        {
            var backendPath = Paths.ProtectedRootPath.TrimEnd('/');

            // We use the method for transferring the user to the backend login pages if she tries to go
            // to the Edit views without being navigated.
            if (context.Request.Uri.AbsolutePath.StartsWith(backendPath) && !context.Request.User.Identity.IsAuthenticated)
            {
                context.RedirectUri = VirtualPathUtility.ToAbsolute("~/BackendLogin") +
                        new QueryString(


Appreciate if you could point me in the right direction

Sep 15, 2015 17:03
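
A guard for the symptom described in the post above (a login redirect that keeps nesting returnUrl), as an added example that is not part of the thread or of Episerver's code. `LoginRedirectGuard` is a hypothetical helper for `CookieAuthenticationProvider.OnApplyRedirect`; it assumes the loop comes from a 401 raised for an already signed-in user or for the login path itself, which the thread does not confirm.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;

// Hypothetical helper (not from the thread). Wire it up with:
//   Provider = new CookieAuthenticationProvider { OnApplyRedirect = LoginRedirectGuard.Apply }
public static class LoginRedirectGuard
{
    public static void Apply(CookieApplyRedirectContext context)
    {
        // The middleware also uses this callback for the post-login and
        // post-logout ReturnUrl redirects; only 401 challenges are guarded.
        if (context.Response.StatusCode != 401)
        {
            context.Response.Redirect(context.RedirectUri);
            return;
        }

        var user = context.Request.User;
        bool authenticated = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        if (authenticated)
        {
            // Signed in but refused by an authorization rule. The login page
            // cannot fix that, and sending the user there starts the
            // login -> protected page -> login cycle. Answer 403 instead.
            context.Response.StatusCode = 403;
            return;
        }

        if (context.Request.Path.StartsWithSegments(context.Options.LoginPath))
        {
            // The login path itself produced the 401 (for example because a
            // deny rule covers it). Redirecting again would wrap ReturnUrl
            // inside ReturnUrl, so leave the 401 visible for diagnosis.
            return;
        }

        // Normal case: anonymous request to a protected resource.
        context.Response.Redirect(context.RedirectUri);
    }
}
```

With the guard in place, a 403 on /Apps/Shell/Pages/default.aspx points at role or authorization configuration, while a bare 401 on the login path points at the login page not being reachable anonymously.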

I'm trying to implement identity with both Commerce Manager and the CMS, but I am running into an issue. It seems using ApplicationUserManager relies on the IUIUser interface, which exists in the Episerver.Shell library. My issue is that it seems including that library in the code is causing a runtime error when loading Commerce Manager. I've spoken with support from Episerver and they have said to remove the Episerver.Shell library, which allows the site to load again, but that ends up breaking my security for OWIN and identity because of the reference to IUIUser.

Jan 31, 2017 16:16

I followed the reference provided in Quicksilver and got it working.

Think you are referencing the wrong interface, as OWIN references IdentityUser - see

Feb 01, 2017 20:30

I am able to get it working somewhat now, but the problem is that I can't administer users anymore since that isn't tied into the default Epi screens. When you use the Cms.Ui.AspNetIdentity package, you can integrate into there very nicely. However, doing so causes the error I was referring to within Commerce.

Feb 01, 2017 21:17

I think this is a new feature, as I followed this example and this and built my own Epi User Management screens.

Also, here it states there are 2 ways to use the custom user model. Maybe worth trying just inheriting from ApplicationUser.

Hope this helps

Feb 02, 2017 10:43