OWIN OpenID connect client gets caught in redirection loop

Question

I have apps "A" and a test app with minimal code "B" that use an OWIN startup file to point to our identity server (Thinktecture). This is in both startup files:

public void Configuration(IAppBuilder app)
    {
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
        var identityServerUri = System.Configuration.ConfigurationManager.AppSettings["IdentityServerUrl"].ToString();
        var redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"].ToString();
        var postLogoutRedirectUri = System.Configuration.ConfigurationManager.AppSettings["PostLogoutRedirectUri"].ToString();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            ExpireTimeSpan = TimeSpan.FromMinutes(120),
            SlidingExpiration = true
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "myclientid",
            Authority = identityServerUri,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            ResponseType = "id_token",
            Scope = "openid profile email",
            UseTokenLifetime = false,
            SignInAsAuthenticationType = "Cookies"
        });
    }

Both apps will authenticate and login fine for a long time if it's just me trying on several different machines after clearing cookies each time. When other people start to try logging in, it might continue working, but then eventually everyone will start getting stuck in a redirection loop where you get the identity server login page, hit login, then it goes back to the application as it normally would but the application doesn't run any code at all (Home/Index is the first thing that is called and it never makes it there where I have logging setup) it simply redirects back to the identity server, identity server checks and sees they are logged in and redirects them back until finally the header response gets too big and it throws a bad request error. At this point, the following will fix the redirection problem (if I stop the loop to prevent the header response from getting to large):

Browsing to minimal app "B" I created for testing purposes. Does nothing but authenticate with identity server but after that I can browse to app "A" without getting stuck in the loop.
Restarting the web site in IIS.

Clearing cookies after the redirection problem does not resolve the issue and the problem persists until I do 1 or 2 above.

Right now I'm at a loss as to where I should look next to fix the issue. I can't even find a way to consistently recreate the issue other than asking several other to login throughout the day. The issue has to be with the website right, not the identity server? Here's an example of what the request looks like in both scenarios:

login/redirect success http://i68.tinypic.com/11gmzaq.jpg

redirect loop problem (just keeps doing this over and over): http://i64.tinypic.com/mrztc5.jpg

Thanks for any guidance anyone can give!!!!

@SausageFingers this looks like it https://stackoverflow.com/a/35172649/5233410 — Nkosi, Feb 01 '18 at 01:00
@Nkosi My problem is slightly different in that I can't replicate on demand. Seems to happen after several hours when a few dozen users have logged in, or are logging in. I will try the SystemWebCookieManager trick and see how we go. — SausageFingers, Feb 01 '18 at 09:04
A Bit more info. I managed to capture a network trace in Chrome when it was stuck in a redirect loop and compared it with a similar trace when things are working. When Identity Server 4 authenticates and hands back to the client `.../signin-oidc`, the Response Header does _not_ have any `set Cookie:` headers. When I look at the same Response Headers in a working scenario, I see `set-cookie:OpenIdConnect.nonce...` and `set-cookie:.AspNet.Cookies=...` I assume that this is why the redirect is getting triggered - because the authentication cookie is not present. — SausageFingers, Feb 01 '18 at 11:19
See [here](http://tinypic.com/r/m0fif/9) for when in the redirect loop, compared with the same step [here](http://tinypic.com/r/w15u6h/9) when working — SausageFingers, Feb 01 '18 at 11:56
Maybe this [SO question and answer](https://stackoverflow.com/questions/36795259/too-many-cookies-openidconnect-nonce-cause-error-page-bad-request-request-too) would be worth checking. It is not clear if the "cookieless" response is a 400 Bad Request response but if it is, then you may have a similar problem. — Sixto Saez, Feb 07 '18 at 14:30
What version of IdentiyServer4 are you using? There are two versions one for .Net Core 1.x and the latest for .Net Core 2.x — aaronR, Feb 07 '18 at 15:08
Sorry didn't see that people were asking about this issue! There was no resolution that I could find other than creating a bare-bones site that does nothing other than authentication and then redirection to the main site. Also this was on version 3 of identity server. I think I read version 4 fixes this but not sure yet. — user4523, Feb 08 '18 at 15:31
@SixtoSaez, thanks for the link, I hadn't seen this one and in the connecting app there are some ajax callbacks - I will investigate this further by killing the auth cookie then triggering a callback to see what happens. — SausageFingers, Feb 09 '18 at 10:14
@user4523 - weirdly, since posting, the error hasn't come back, which is odd because it was happening several times a day prior to this, and I havent changed anything in IdentityServer4. Good for the end users but frustrating for me. This may be one of those bugs that comes back the day I go on leave! — SausageFingers, Feb 09 '18 at 10:16
There is a client setting that allows for user claims to be included in the ID Token, 'AlwaysIncludeUserClaimsInIdToken', what do you have this set to for your client(s)? — aaronR, Feb 09 '18 at 14:51

OWIN OpenID connect client gets caught in redirection loop

0 Answers0