
I'm developing a web endpoint protected by a legacy OpenID Connect server. The configuration on the client website (startup.cs) is the following:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "Cookies",
    ClientId = "client1",
    GetClaimsFromUserInfoEndpoint = false,
    ProtocolValidator = new OpenIdConnectProtocolValidator()
    {
        RequireStateValidation = false,
        RequireState = false
    },
    ResponseType = "token id_token",
    ResponseMode = OpenIdConnectResponseMode.Fragment,
    Configuration = new OpenIdConnectConfiguration()
    {
        AuthorizationEndpoint = "https://server/oauth/v2/authorize"
    },
    RequireHttpsMetadata = false,
    SaveTokens = false
});

I'm obliged to set response_type as token id_token only.

After requesting an endpoint protected with the [Authorize] attribute, I correctly get redirected to the authorization server which provides a form for the user to login. Once the user logs in, the authorization server returns a 302 to the client website appending a fragment with the access token and the id token.

Example:

https://localhost:44341/signin-oidc#access_token=384b1c07-4a59-41e3-894f-266e46680f0c
&expires_in=3600
&token_type=Bearer
&id_token=<random_jwt>
&id_token_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&state=CfDJ8JU8TffTfA9Jnq6JVvmsltccnGVaA_IX4LQhGjz_n3f0NMqSBfcdctjtUAtDpCN7F4Wy9pqq8ikQo-KVpaQlOnOwPpqZWUDWfKeLvOeFQ9-GI6eq1RbE_13Hrtdwm1Ijy0N7nwmbuO47uK_Zg0NfzcfngHVvfUB0ccrAAE79EcKVaiuXXcwCQwtflsp1kFdCou4aJVY9zo2-w_wwTJpEuyw_c-WulPD3bY8ZQLiGpmt8Wao9VQsBmOBoMB-zCBf9o4ot2jloyqpnXamOx6mCFvWizxILvXVH1pbYEc58SFRKe4MSW3png8xSqTdN1gZ6iKBy6BPtq_v5XLsbL68cCng
&scope=openid

I get an error from the openidconnect middleware (web client) saying:

OpenIdConnectAuthenticationHandler: message.State is null or empty. AggregateException: Unhandled remote failure. ... (OpenIdConnectAuthenticationHandler: message.State is null or empty.)

The error is clear: it cannot find the state parameter because it is no longer in the query string but in the fragment. However, I explicitly set it to expect the response in the fragment. And even if this is not working, I also set an option to skip the state validation, but it doesn't work either.

Am I missing something?

M. Jahedbozorgan
Jorge Alvarado
  • I am having the same issue. Did you make any progress on this? – Bryan Lewis Jul 25 '17 at 20:38
  • I know this was a while ago now, but I am stuck on this very issue - I have a response that includes a fragment with the state info but I am getting a correlation error being reported that says State property not found from the OpenIdConnectHandler – Mark Bennetts Jan 09 '19 at 17:56
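
The redirect shown in the question carries every response parameter after the `#`. As an added illustration (not code from the question or from the ASP.NET Core middleware), this browser-side JavaScript shows that a URL fragment is not part of the request the server at /signin-oidc receives, and how page script can read the fragment and check `state`. The function names and all sample values are constructed assumptions.

```javascript
// Added example. All values below are constructed placeholders, not real tokens.
const SAMPLE_REDIRECT =
  "https://localhost:44341/signin-oidc#access_token=constructed-access-token" +
  "&expires_in=3600&token_type=Bearer&id_token=constructed.jwt.value" +
  "&id_token_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer" +
  "&state=constructed-state-123&scope=openid";

// Split a redirect URL into the part a browser puts in the HTTP request and the
// fragment, which stays in the browser and is only readable by page script.
function splitRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  return {
    sentToServer: url.pathname + url.search,          // request target on the wire
    fragment: new URLSearchParams(url.hash.slice(1)), // drop the leading '#'
  };
}

// Check the fragment parameters against the state value the client issued
// before redirecting. Verifying the id_token signature and claims is a
// separate step and is not shown here.
function validateImplicitResponse(fragment, expectedState) {
  const errors = [];
  const state = fragment.get("state");
  if (!state) errors.push("state missing");
  else if (state !== expectedState) errors.push("state mismatch");
  for (const name of ["access_token", "id_token"]) {
    if (!fragment.get(name)) errors.push(name + " missing");
  }
  if ((fragment.get("token_type") || "").toLowerCase() !== "bearer") {
    errors.push("unexpected token_type");
  }
  return { ok: errors.length === 0, errors };
}

const { sentToServer, fragment } = splitRedirect(SAMPLE_REDIRECT);
console.log("server sees:", sentToServer);
console.log("state in fragment:", fragment.get("state"));
console.log(validateImplicitResponse(fragment, "constructed-state-123"));
```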
