
Background
We have an ASP.NET Core application which has been in production for the last year. Recently we converted our application from VS 2015 to VS 2017, so we moved from a JSON-based project to a csproj-based project. We also upgraded the .NET Core runtime framework to 1.1.2.

The application uses a centralized IdentityServer3 for authentication using OpenID Connect.

After the conversion we published the application to our development server. The application is hosted under IIS, so we installed the following on the development server:

  • Microsoft .NET Core 1.1.2 – Runtime (x64)
  • Microsoft .NET Core 1.0.5 & 1.1.2 – Windows Server Hosting

On the development server everything went fine and we tested the application without any issue.

Then we installed the same .NET Core framework 1.1.2 and Windows Server Hosting on the production server, copied the same published folder from the development server to the production server, and updated appsettings.json accordingly.

ISSUE
In production when we log in, the identity server gets into an infinite loop of authentication. Fiddler shows several round trips from IdentityServer to the web site. Each round trip keeps adding .AspNetCore.OpenIdConnect.Nonce and .AspNetCore.Correlation.oidc cookies, and ultimately I get a Bad Request error because of the max request size.

There are several posts (here, here, here, here) related to the same issue, and the solution is to downgrade Microsoft.Owin.Security.OpenIdConnect to 3.0.0.
However, my client application is not a classic ASP.NET application; it's an ASP.NET Core application which uses Microsoft.AspNetCore.Authentication.OpenIdConnect 1.1.2. Also note that it's working on the development server with the same centralized IdentityServer3 and the same version of Microsoft.AspNetCore.Authentication.OpenIdConnect 1.1.2.

So I am guessing the following could be wrong:

  1. I may have forgotten to install something on the production server (I have definitely installed the .NET Core 1.1.2 runtime and Windows Server Hosting; I am not sure whether anything else needs to be installed on production).
  2. I may not have configured IIS properly (but what?).
  3. On the production server, how do I know which version the application is running under? (In Visual Studio the .csproj has <TargetFramework>netcoreapp1.1</TargetFramework>, but how do I know what version the published code is using?)
  4. The only difference between the development server and the production server is that the development server has the classic .NET Framework 4.7 installed and production has the classic .NET Framework 4.6.2 installed. However, I think that should not cause an issue because the application is an ASP.NET Core application, not a classic .NET Framework application.

I have exhausted all ideas; any help will be really appreciated.

LP13

2 Answers


Found it. Basically we had code in the OnTokenValidated event that gets the authenticated user's information from the local DB, and that was failing:

    var connectOptions = new OpenIdConnectOptions()
    {
        AutomaticChallenge = true,
        Authority = authority,
        ClientId = clientId,
        ResponseType = IdentityConstant.ResponseType,
        AuthenticationScheme = IdentityConstant.OpenIdAuthenticationScheme,
        SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
        CallbackPath = IdentityConstant.CallbackPath,
        Events = new OpenIdConnectEvents()
        {
            OnTokenValidated = async context =>
            {
                // get email claim
                var emailClaim = context.Ticket.Principal.Claims.SingleOrDefault(x => x.Type == IdentityClaimTypes.Email);
                if (emailClaim == null)
                {
                    throw new NoEmailClaimException("Could not find email claim.");
                }

                // this line was failing
                var userInfo = await domainService.GetInfo(emailClaim.Value).ConfigureAwait(false);

                // Do some stuff here
            }
        }
    };

We fixed the DB connection issue and then all is good.

LP13
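A hardened version of the handler in the answer above, added here as an example and not the poster's or the project's code. It assumes ASP.NET Core 1.1 with Microsoft.AspNetCore.Authentication.OpenIdConnect 1.1.x, and that IdentityConstant, IdentityClaimTypes and a domain service with a GetInfo(string) method exist in the host project, as the question's snippet implies; the IDomainService and UserInfo types and the /Account/Error route are placeholders. The question shows what happens when the event throws: the sign-in never completes, the browser is sent back to the identity server, and every round trip adds another nonce and correlation cookie until the request is too large. The example catches the lookup failure, logs it, and ends the request with HandleResponse() so the failure shows up once in the logs instead of as a redirect loop.

```csharp
// Added example, not the poster's code. Assumes ASP.NET Core 1.1 with
// Microsoft.AspNetCore.Authentication.OpenIdConnect 1.1.x. IdentityConstant,
// IdentityClaimTypes and IDomainService are assumed to exist in the host project,
// as in the question's snippet; "/Account/Error" is a placeholder route.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Logging;

// Assumed shape of the service the question calls as domainService.GetInfo(email).
public interface IDomainService
{
    Task<UserInfo> GetInfo(string email);
}

public class UserInfo
{
    public string DisplayName { get; set; }
}

public static class OidcSetup
{
    public static OpenIdConnectOptions Build(string authority, string clientId,
                                             IDomainService domainService, ILogger logger)
    {
        return new OpenIdConnectOptions
        {
            AutomaticChallenge = true,
            Authority = authority,
            ClientId = clientId,
            ResponseType = IdentityConstant.ResponseType,
            AuthenticationScheme = IdentityConstant.OpenIdAuthenticationScheme,
            SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
            CallbackPath = IdentityConstant.CallbackPath,
            Events = new OpenIdConnectEvents
            {
                OnTokenValidated = async context =>
                {
                    var emailClaim = context.Ticket.Principal.FindFirst(IdentityClaimTypes.Email);
                    if (emailClaim == null)
                    {
                        // A missing claim is a configuration problem on the identity server
                        // side; report it once instead of issuing another challenge.
                        logger.LogError("ID token carries no email claim; refusing sign-in.");
                        context.HandleResponse();
                        context.Response.Redirect("/Account/Error?reason=noemail");
                        return;
                    }

                    try
                    {
                        var userInfo = await domainService.GetInfo(emailClaim.Value).ConfigureAwait(false);
                        var identity = (ClaimsIdentity)context.Ticket.Principal.Identity;
                        identity.AddClaim(new Claim("display_name", userInfo.DisplayName ?? string.Empty));
                    }
                    catch (Exception ex)
                    {
                        // Swallowing the error would sign the user in without local data;
                        // letting it propagate leaves the sign-in incomplete, which is the
                        // loop the question describes. Log it and end the request here.
                        logger.LogError(0, ex, "Local user lookup failed for {Email}", emailClaim.Value);
                        context.HandleResponse();
                        context.Response.Redirect("/Account/Error?reason=lookup");
                    }
                },

                OnAuthenticationFailed = context =>
                {
                    // Other failures in the protocol exchange (bad nonce, expired token,
                    // unreachable metadata endpoint) arrive here; handling them explicitly
                    // keeps the failure visible in the logs rather than in a growing cookie jar.
                    logger.LogError(0, context.Exception, "OpenID Connect authentication failed");
                    context.HandleResponse();
                    context.Response.Redirect("/Account/Error?reason=auth");
                    return Task.FromResult(0);
                }
            }
        };
    }
}
```

The error route must be reachable anonymously: with AutomaticChallenge enabled, an error page that itself requires authentication would trigger a fresh challenge and reproduce the same loop. The reason codes in the query string are deliberately coarse; the exception detail belongs in the server log, not in the response.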

This might not be the actual issue, but I have hit this before in the context of Azure Active Directory. In my case, I was only getting into this redirect loop when I visited the application without HTTPS. I am guessing it had something to do with the cookie and its secure flag. I could be mistaken.

I forced HTTPS on my application through an IIS URL Rewrite rule and then the problem was solved.

See this GitHub issue comment for more context.

tugberk