I'm using OWIN's external authentication providers in my ASP.Net MVC 5 / WebApi 2 project and I've hit a strange problem.

The login workflow is exactly like here on SO. User hits the login page, picks a provider and gets logged in. My problem is that the first click on a provider redirects back to the same login page:

http://localhost:57291/Account/Login?ReturnUrl=%2fAccount%2fExternalLogin

This would make sense if the ExternalLogin action would be lacking the AllowAnonymous attribute.

When the user clicks a second time everything works.

I've also tried that with different browsers and the problem is consistent across Chrome, IE11 and Firefox.

Login.cshtml:

@using (Html.BeginForm("ExternalLogin", "Account", new { ReturnUrl = ViewBag.ReturnUrl }))
{
    <fieldset>
        <legend>@Strings.ExternalAuthenticationProvidersDescription</legend>
        <p>
            @foreach (var p in Model.ExternalAuthenticationProviders)
            {
                <button type="submit" name="provider" value="@p.AuthenticationType" title="Log in using your @p.Caption account">@p.Caption</button>
            }
        </p>
    </fieldset>
}

AccountController.cs

public class AccountController : Controller
{
  ...

    [AllowAnonymous]
    [HttpPost]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        return new ChallengeResult(provider, Url.Action("ExternalLoginCallback", "Account", new
        {
            loginProvider = provider, 
            ReturnUrl = returnUrl
        }));
    }
  ...
}

ChallengeResult.cs:

public class ChallengeResult : HttpUnauthorizedResult
{
    public ChallengeResult(string provider, string redirectUrl)
    {
        LoginProvider = provider;
        RedirectUrl = redirectUrl;
    }

    public string LoginProvider { get; set; }
    public string RedirectUrl { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        context.HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties
        {
            RedirectUri = RedirectUrl
        }, LoginProvider);
    }
}

FilterConfig.cs

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // make all api controllers secure by default
        filters.Add(new AuthorizeAttribute());
    }
}

Turns out the issue was that my project initially started out as an MVC 4 application which had this in web.config causing the issue:

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

I think both OWIN and Forms authentication was active at the same time.

I have the same issue that occurs when i update the ASPNet.Web.Pages.Web.Data 3.1.1 nuget to any later versions. With 3.1.1 it is works! I found the solution here.

As Forms Authentication was added i was being redirected to Login Page. So, removing this code helped

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

but i had to add this line as well

<system.webServer>
   <validation validateIntegratedModeConfiguration="false" />
   <modules>
      <remove name="FormsAuthentication" />  <-- added this line to remove it completely --> 
   </modules>
</system.webServer>

hope this helps someone.