OWIN OpenIdConnect Middleware IDX10311 nonce could not be verified

I have an application using OWIN middleware for OpenIdConnect. The startup.cs file uses the standard implementation of app.UseOpenIdConnectAuthentication. The cookie is set in the browser, but with this error:

IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.

I found that this happens when Fiddler is running, as it is in most of my debugging sessions. The error is returned, but if I go back to the site, everything works and my user is authenticated. Has anyone seen this behavior when running Fiddler?

With Fiddler:

  • The SecurityTokenValidated notification in OpenIdConnect runs twice.
  • After the second pass, error IDX10311 is raised.
  • The browser contains a valid cookie; returning to the page, I can view valid User.Identity data.

Without Fiddler:

  • SecurityTokenValidated runs once in OpenIdConnect.
  • No error; the controller action continues on to the post-authentication redirect Uri.
  • The cookie is also valid, and the User.Identity data is correct.

Ideas? I can get around this by not running Fiddler, but when debugging it would be nice to have Fiddler running to inspect the traffic.

+15
8 answers

I know it has been a while on this. My specific problem was error IDX10311 during authentication with IdentityServer while running Fiddler (a traffic-inspecting proxy). I added custom OWIN middleware to catch and swallow IDX10311 when the hostname contained "localhost". Ignoring this exception allowed us to use the site with Fiddler as a workaround. I think it causes interruptions in the authentication process, in that we need to press Enter in the browser's address bar on the callbacks for the flow to resume, but this only affects development.

Here we used the Invoke method of the middleware to absorb the error. I should note that we sometimes saw this error in production. There is no explanation for the cause, but I have a feeling it is due to users on IE browsers.

    using System;
    using System.Threading.Tasks;
    using Microsoft.Owin;

    public class OwinErrorAbsorbingMiddleware : OwinMiddleware
    {
        // Name of the middleware that follows this one in the pipeline, reported on the error page.
        private readonly string lastMiddlewareTypeName;

        public OwinErrorAbsorbingMiddleware(OwinMiddleware next) : base(next)
        {
            lastMiddlewareTypeName = next.GetType().Name;
        }

        public override async Task Invoke(IOwinContext context)
        {
            try
            {
                await Next.Invoke(context);
            }
            catch (Exception ex)
            {
                if (ex.Message.Contains("IDX10803"))
                {
                    // Do something here to alert your IT staff to a possible IdSvr outage.
                    context.Response.Redirect("/Error/IdSvrDown?message=" + Uri.EscapeDataString(ex.Message));
                }
                else if (ex.Message.Contains("IDX10311") && context.Request.Host.Value.Contains("localhost"))
                {
                    // Absorb the exception (local development behind Fiddler only) and let the pipeline continue.
                }
                else
                {
                    // Exception text goes into the query string, so it must be URL-encoded.
                    context.Response.Redirect("/Error/OwinMiddlewareError?exMsg=" + Uri.EscapeDataString(ex.Message)
                        + "&owinContextName=" + Uri.EscapeDataString(lastMiddlewareTypeName));
                }
            }
        }
    }
0

Maybe this is the reason?

Hello, I think I found the root cause of this problem.

I summarize my findings:

  1. The problem is the OpenIdConnect.nonce.OpenIdConnect cookie.

  2. This cookie is set by the application (let us call it the "ID Client") as soon as the OpenID middleware starts an authentication session.

  3. The cookie must be sent back from the browser to the "ID Client" as soon as authentication completes. I assume this cookie is needed for a double check from the ID Client's point of view (i.e., did I really start this OpenID Connect authorization flow?).

  4. A lot of my confusion was caused by the term "nonce" being used both for this cookie and for the nonce in the OpenID Connect flow from the ID server.

  5. The exception, in my case, was caused by the missing cookie (not by the nonce issued by the ID server), simply because the browser did not send it back to the "ID Client".

So the root cause, in my case, was this: the OpenIdConnect.nonce.OpenIdConnect cookie was not sent back to the ID Client by the browser. In some browsers (e.g. Chrome, Firefox and Edge) the cookie was sent correctly, while in others (IE11, Safari) it was not.

After much research, I found that the problem was the cookie restriction policy of the browser. In my case, the "ID Client" is embedded in an <iframe>. This causes the "ID Client" to be treated as a "third party", since the user did not navigate to its URL directly in the main window. Because these are third-party cookies, some browsers block them. Indeed, the same effect can be reproduced in Chrome by enabling "Block third-party cookies".

So I have to conclude that:

a) If the iframe is mandatory (as in my case, because the "ID Clients" are applications that must run inside the graphical content of our main platform application), I think the only solution is to catch the error and handle it with a page asking the user to enable third-party cookies.

b) If the iframe is optional, just open the "ID Client" in a new window.

Hope this helps someone, because this was driving me crazy!

Marco

+6

I had the same problem, but after reverting Microsoft.Owin.Security.OpenIdConnect to version 3.0.1 the problem was resolved.

+5

I know this is an old post, but I had this problem and nothing worked for me; after going to great lengths to find a solution to make my corporate application work, I eventually fixed it by setting the multi-tenant option to Yes in Azure (in Azure, select App registrations > Settings > Properties, set Multi-tenanted to Yes and click Save).

I hope this helps someone, did not see anyone mention it.

+2

For me, changing the Reply URL in Azure Active Directory worked.

This happens when you enable SSL, because that only changes the sign-on URL to the HTTPS URL, while the Reply URL remains the HTTP URL.

When you access your application via the https URL, it sets a nonce cookie in your browser and contacts Azure AD for authentication. After authentication, the browser must present this cookie. But because the URL and the Reply URL differ, the browser does not recognize your application and does not send the cookie, so the application throws this error.

+1
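To make the mechanism behind Marco's answer and the Reply-URL answer above concrete, here is a small simulation of the nonce round trip a relying party (the "ID Client") performs. This is an added example, not the OWIN middleware's code: the cookie name derivation, the HMAC used to protect the cookie value, the toy cookie jar, and the hosts app.example and idsvr.example are all assumptions chosen to mirror what the answers describe. It shows the three ways the callback can end up without a nonce cookie: a Secure cookie set over https that a browser will not send to an http reply URL, a browser blocking third-party cookies when the client runs in an iframe, and an id_token whose nonce was never issued to this browser.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the data-protection key the middleware would use for the cookie value.
RP_SECRET = b"constructed-rp-protection-key"
NONCE_COOKIE_PREFIX = "OpenIdConnect.nonce."            # prefix named in the answers above
AUTHORIZE_ENDPOINT = "https://idsvr.example/connect/authorize"   # assumed IdP endpoint


class NonceError(Exception):
    """Raised when the nonce in the id_token cannot be tied back to a cookie."""


class Browser:
    """Toy cookie jar. Cookies are scoped to the host; a cookie set over https is marked
    Secure and only goes back over https; when the RP page is loaded in an <iframe>
    (third-party context) a browser that blocks third-party cookies sends nothing."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self._jar: Dict[str, Dict[str, Tuple[str, bool]]] = {}  # host -> name -> (value, secure)

    def set_cookie(self, url: str, name: str, value: str) -> None:
        parts = urlsplit(url)
        self._jar.setdefault(parts.hostname, {})[name] = (value, parts.scheme == "https")

    def cookies_for(self, url: str, third_party: bool = False) -> Dict[str, str]:
        if third_party and self.block_third_party:
            return {}
        parts = urlsplit(url)
        return {name: value
                for name, (value, secure) in self._jar.get(parts.hostname, {}).items()
                if parts.scheme == "https" or not secure}


def _cookie_name(nonce: str) -> str:
    # The cookie name is derived from the nonce so the callback can locate the matching cookie.
    return NONCE_COOKIE_PREFIX + hashlib.sha256(nonce.encode()).hexdigest()[:16]


def _protect(nonce: str) -> str:
    # An HMAC stands in for the middleware's encrypted cookie payload (assumption).
    return hmac.new(RP_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def start_authentication(browser: Browser, rp_url: str) -> Tuple[str, str]:
    """RP step 1: mint a nonce, keep a protected copy in a cookie on the RP host, and send
    the clear nonce to the IdP in the authorization request."""
    nonce = secrets.token_urlsafe(32)
    browser.set_cookie(rp_url, _cookie_name(nonce), _protect(nonce))
    query = urlencode({"response_type": "id_token", "scope": "openid",
                       "redirect_uri": rp_url, "nonce": nonce})
    return nonce, f"{AUTHORIZE_ENDPOINT}?{query}"


def complete_authentication(browser: Browser, reply_url: str, id_token_nonce: str,
                            third_party: bool = False) -> bool:
    """RP step 2: the IdP has posted an id_token (reduced here to its nonce claim) to
    reply_url; the RP must find the matching cookie to prove it started this flow."""
    cookies = browser.cookies_for(reply_url, third_party)
    protected = cookies.get(_cookie_name(id_token_nonce))
    if protected is None:
        # The situation behind IDX10311: the token carries a nonce, the RP has no cookie for it.
        raise NonceError("IDX10311: RequireNonce is 'true' (default) but "
                         "validationContext.Nonce is null")
    if not hmac.compare_digest(protected, _protect(id_token_nonce)):
        raise NonceError("nonce in id_token does not match the protected cookie value")
    return True


def run_scenario(rp_url: str, reply_url: str, *, block_third_party: bool = False,
                 in_iframe: bool = False, token_nonce: Optional[str] = None) -> str:
    """Drive one login round trip and return 'ok' or the RP-side error message."""
    browser = Browser(block_third_party)
    nonce, _authorize_url = start_authentication(browser, rp_url)
    # The IdP echoes the request nonce into the id_token; token_nonce overrides it to model
    # a token that was not minted for this browser's request (constructed input).
    try:
        complete_authentication(browser, reply_url, token_nonce or nonce, in_iframe)
        return "ok"
    except NonceError as exc:
        return str(exc)


if __name__ == "__main__":
    print(run_scenario("https://app.example/", "https://app.example/signin-oidc"))
    print(run_scenario("https://app.example/", "http://app.example/signin-oidc"))
    print(run_scenario("https://app.example/", "https://app.example/signin-oidc",
                       block_third_party=True, in_iframe=True))
```

The practical check this suggests: when IDX10311 appears, look in the browser's developer tools at the callback request (the POST to the reply URL) and confirm whether an OpenIdConnect.nonce.* cookie was sent at all. If it is absent, the cause is cookie scoping (scheme, host, SameSite, or third-party blocking), not the nonce claim itself, and swallowing the exception only hides that.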

I noticed this error when IIS Express was still running in the background after I switched to hosting in full IIS. When I shut down IIS Express, the error went away.

0

A cookie rewrite rule in the web.config file, meant to enforce same-site cookies, gives this cryptic exception. Disabling this rule solved it.

0

The workaround that worked for me, for an application protected through Azure Active Directory, was to sign out (by going to the site's /Account/SignOut page); after that I was able to go back to the home page and sign in normally. Hope this helps someone.

0
