Microsoft.Owin.Security.OpenIdConnect AuthenticationTicket is null on AuthorizationCodeReceived

I'm using OpenIdConnectAuthentication with the code flow to implement the OpenIdConnect login. But in AuthorizationCodeReceived, the property notification.AuthenticationTicket is null. Any advice? Here is my startup:

using System.Diagnostics;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void Configuration(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    string auth0RedirectUri = "http://localhost:44335/";
    app.UseCookieAuthentication(new CookieAuthenticationOptions() { });
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "OIDC",
            ClientId = "qKu-JoUguDjzrvBm*****",
            ClientSecret = "w7JPnYYIttT8aDYPrZL9lvQzNaXP0QDqyVMu4AHZYWkUrczG4WJThmo3blHEvfz*******",
            Authority = "https://******/authorize",
            RedirectUri = auth0RedirectUri,
            // Authorization code flow: only "code" comes back on the front channel.
            ResponseType = OpenIdConnectResponseType.Code,
            Scope = OpenIdConnectScope.Email + " " + OpenIdConnectScope.OpenIdProfile,

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false // This is a simplification
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = (notification) =>
                {
                    Debug.WriteLine("*** AuthorizationCodeReceived");

                    //TODO: get access token from token endpoint later

                    var authClaim = new ClaimsIdentity("OIDC", ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
                    authClaim.AddClaim(new Claim("Email", "[email protected]"));

                    // notification.AuthenticationTicket is null at this point, so
                    // reading .Properties from it throws a NullReferenceException.
                    notification.AuthenticationTicket = new AuthenticationTicket(authClaim, notification.AuthenticationTicket.Properties);

                    return Task.FromResult(0);
                },
                AuthenticationFailed = (context) =>
                {
                    Debug.WriteLine("*** AuthenticationFailed");
                    return Task.FromResult(0);
                },
            },
            UsePkce = false
        });
}


Solution 1:[1]

I was recently diving into OpenIDConnect on the old ASP.NET framework and had a lot of trouble as well.

It will be very difficult to answer your question, because I don't know what exactly you want to achieve. Basically, as far as I understand the flow, AuthorizationCodeReceived gets triggered when the user logs in on the authentication server side and gets navigated back with the Code query parameter. So at this point AuthenticationTicket should be null, because nothing has really set it yet.

Now the developer has a choice: handle code redemption themselves, or leave that to the OpenIDConnectAuthenticationHandler.

I personally did not use the first option. I used this step only to transform the code into a JWE token, because my auth server requires it. But if your choice is to handle it yourself, then you probably need to do something like in the samples available on the Katana GitHub project:

AuthorizationCodeReceived = async n =>
{
    // Discovery metadata gives us the token endpoint for this authority.
    var _configuration = await n.Options.ConfigurationManager.GetConfigurationAsync(n.OwinContext.Request.CallCancelled);

    // Exchange the authorization code for tokens using the parameters the handler
    // already prepared (grant_type, code, redirect_uri, client credentials).
    var requestMessage = new System.Net.Http.HttpRequestMessage(System.Net.Http.HttpMethod.Post, _configuration.TokenEndpoint);
    requestMessage.Content = new System.Net.Http.FormUrlEncodedContent(n.TokenEndpointRequest.Parameters);
    var responseMessage = await n.Options.Backchannel.SendAsync(requestMessage);
    responseMessage.EnsureSuccessStatusCode();
    var responseContent = await responseMessage.Content.ReadAsStringAsync();

    // Parse the JSON token response (id_token, access_token, ...) and hand it to the
    // handler, which then validates the id_token and builds the ticket.
    Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage message = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage(responseContent);

    n.HandleCodeRedemption(message);
}

https://github.com/aspnet/AspNetKatana/blob/beb224c88712b08ce45f1d14bb8cf0cd9d4a8503/samples/Katana.Sandbox.WebServer/Startup.cs#L157

If you choose not to do it yourself, then you will have to set RedeemCode = true on OpenIdConnectAuthenticationOptions. Then the handler will get the token and will set the context properly.

There is not much documentation anywhere, but for me the Katana project on GitHub was very useful. Almost the whole flow is implemented in https://github.com/aspnet/AspNetKatana/blob/main/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs You can check what the flow is and what each Notification is used for.

Unfortunately I cannot help you much more, because each flow might be different and the only way to say in detail what needs to be done is to reproduce your specific environment.
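As an added example (not code from the question or the answer), here is the second option the answer describes: the handler redeems the code itself, and the claim transformation moves to SecurityTokenValidated, which is raised after the id_token has been validated and the ticket exists. It assumes Katana 4.1 or later (RedeemCode, UsePkce and SaveTokens); the Authority, ClientId, ClientSecret and RedirectUri values are placeholders.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "OIDC",
            // Placeholder values. Authority is the issuer base URL (discovery is read from
            // /.well-known/openid-configuration under it), not the /authorize endpoint.
            Authority = "https://issuer.example.com/",
            ClientId = "CLIENT_ID_PLACEHOLDER",
            ClientSecret = "CLIENT_SECRET_PLACEHOLDER",
            RedirectUri = "https://localhost:44335/",
            ResponseType = OpenIdConnectResponseType.Code,
            Scope = OpenIdConnectScope.OpenIdProfile + " " + OpenIdConnectScope.Email,

            // The handler exchanges the code at the token endpoint (with PKCE) and validates
            // the id_token it gets back; the issuer is checked against discovery metadata
            // because ValidateIssuer is left at its default of true.
            RedeemCode = true,
            UsePkce = true,
            SaveTokens = true,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Code flow: no id_token in the front-channel response, so the ticket
                // is still null here. Observe only; do not dereference it.
                AuthorizationCodeReceived = n => Task.FromResult(0),

                // Raised after redemption, once the id_token is validated: ticket exists.
                SecurityTokenValidated = n =>
                {
                    var identity = n.AuthenticationTicket.Identity;
                    var email = identity.FindFirst(ClaimTypes.Email) ?? identity.FindFirst("email");
                    if (email != null)
                        identity.AddClaim(new Claim("Email", email.Value));
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The "Email" claim is now taken from the validated id_token rather than hardcoded, so the identity the cookie carries is bound to what the provider actually asserted.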

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 jgasiorowski