
I have an OIDC authentication server based on Identity Server 4 which allows federation on to an external identity provider.

    // Register the external identity provider as an OpenID Connect scheme.
    // extIDP is loaded from configuration (scheme name, display name and options).
    services.AddAuthentication()
        .AddOpenIdConnect(extIDP.AuthScheme, extIDP.AuthDisplay, options =>
        {
            options.SignInScheme = extIDP.Options.SignInScheme;
            options.SignOutScheme = extIDP.Options.SignOutScheme;
            options.Authority = extIDP.Options.Authority;
            options.ClientId = extIDP.Options.ClientId;
            options.ClientSecret = extIDP.Options.ClientSecret;
            options.ResponseType = extIDP.Options.ResponseType;
            // ResponseMode is left at its default (form_post) in this working setup.
            options.CallbackPath = extIDP.Options.CallbackPath;
            options.SignedOutCallbackPath = extIDP.Options.SignedOutCallbackPath;
            options.RemoteSignOutPath = extIDP.Options.RemoteSignOutPath;
            options.RequireHttpsMetadata = extIDP.Options.RequireHttpsMetadata;
            // Keep the tokens returned by the external IdP in the authentication properties.
            options.SaveTokens = true;
            // Replace the default scopes with the ones this gateway needs.
            options.Scope.Clear();
            options.Scope.Add(IdentityServerConstants.StandardScopes.OpenId);
            options.Scope.Add(IdentityServerConstants.StandardScopes.Profile);
            options.Scope.Add(IdentityServerConstants.StandardScopes.Email);
            options.Scope.Add(JwtClaimTypes.Role);
        });

Where extIDP comes from some configuration. So this works just fine, but we have a client with an IDP that doesn't support a response mode of form_post (which is the default used in the setup above), so if I add in an extra line to the config to set the ResponseMode to "fragment" then we should be fine, but it does not work.

I end up with a Correlation Error being reported. With verbose logging enabled in our Auth Server we get:

Warning: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler ".AspNetCore.Correlation." state property not found

Note this is occurring when running against two test auth servers locally, so it has nothing to do with load balancing problems. I also added a cookie policy to ensure it wasn't being caused by a strict cookie policy. So I am currently a bit stuck.

Mark Bennetts
  • Actually thinking about it - is "fragment" response mode ever going to work? The URL fragment containing the id token is never going to be sent by the browser in the redirect request, is it? So the reported error is right: there won't be any state info either. The only way it can work is if there is some JavaScript in the browser that extracts the fragment info and posts it to the server instead. – Mark Bennetts Jan 10 '19 at 09:32
  • Consider reading this: https://stackoverflow.com/questions/14707345/oauth2-query-string-vs-fragment for clarification and play with ResponseType. You are right, that must work with a single page app and implicit flow. – d_f Jan 10 '19 at 12:48
  • Thanks - I think I am coming to the conclusion that only form_post makes sense in this federated gateway scenario. – Mark Bennetts Jan 11 '19 at 09:37
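The diagnosis in the comments above can be checked with a small simulation. The following is an added example, not code from the question or from Identity Server: it builds the authorization-response callback for each of the three OIDC response modes, models what a server-side handler actually receives (a browser never sends the URL fragment to the server), and runs a simplified version of the state/correlation check that OpenIdConnectHandler performs. The callback URL, the id_token and state values, and the correlation-check logic are constructed for illustration; the real handler also encrypts authentication properties into state and compares a correlation id stored in a cookie.

```javascript
// Added example: why response_mode=fragment cannot satisfy a server-side
// correlation check, while query and form_post can. Simplified model, not
// the actual OpenIdConnectHandler implementation.

// Constructed sample authorization-response parameters from the external IdP.
const SAMPLE_RESPONSE = { id_token: 'eyJhbGciOi.sample.token', state: 'st4t3-c0rr3l4t10n' };

// Build what the IdP sends back for a given response_mode.
// form_post is modelled as { url, body }: the parameters travel in a POST body.
function buildCallback(redirectUri, params, responseMode) {
  const encoded = new URLSearchParams(params).toString();
  switch (responseMode) {
    case 'query':     return { url: `${redirectUri}?${encoded}`, body: null };
    case 'fragment':  return { url: `${redirectUri}#${encoded}`, body: null };
    case 'form_post': return { url: redirectUri, body: encoded };
    default:          throw new Error(`unknown response_mode ${responseMode}`);
  }
}

// What the server-side handler receives: a POST body if present, otherwise the
// query string. The fragment (#...) is dropped by the browser before the request.
function serverReceives({ url, body }) {
  const u = new URL(url);
  const received = new URLSearchParams(body !== null ? body : u.search);
  return Object.fromEntries(received.entries());
}

// Simplified correlation check: the state parameter must be present and must
// match what was recorded (in the real handler, a correlation cookie) at sign-in.
function correlationCheck(received, expectedState) {
  if (!received.state) {
    return { ok: false, reason: '".AspNetCore.Correlation." state property not found' };
  }
  if (received.state !== expectedState) {
    return { ok: false, reason: 'state does not match correlation cookie' };
  }
  return { ok: true, reason: 'correlated' };
}

// Run the full round trip for one response_mode. The callback path is constructed.
function simulate(responseMode) {
  const cb = buildCallback('https://auth.example.test/signin-extidp', SAMPLE_RESPONSE, responseMode);
  return correlationCheck(serverReceives(cb), SAMPLE_RESPONSE.state);
}

// The only way fragment can work: browser-side script reads the fragment and
// re-submits it as a form_post body. Modelled here as a pure function over the URL.
function fragmentToFormBody(callbackUrl) {
  const hash = new URL(callbackUrl).hash;             // includes the leading '#'
  return hash.length > 1 ? hash.slice(1) : null;       // body for a POST to the callback
}

for (const mode of ['query', 'form_post', 'fragment']) {
  const r = simulate(mode);
  console.log(`${mode.padEnd(9)} -> ${r.ok ? 'OK ' : 'FAIL'} (${r.reason})`);
}
```

Running it shows query and form_post passing the check and fragment failing with exactly the "state property not found" symptom from the log, because nothing after the `#` reaches the server. From a gateway's point of view, only the modes that deliver state server-side let the handler bind the response to the sign-in it started, which is what the correlation check is there to guarantee.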

0 Answers