'OpenIdConnectProtocolValidator - nonce error
I'm using OpenIdConnect authentication on my azure website (azure active directory, c#, MVC) and I'm randomly getting this error
IDX10311: requireNonce is true (default) but validationContext.Nonce is null. A nonce cannot be validated. If you dont need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false
I am using the KentorOwinCookieSaver which as far as I understand, was a solution to this problem, but obviously I'm wrong because it keeps on happening. How can I stop this ?
In the ConfigureAuth method I have this line
app.UseKentorOwinCookieSaver();
Solution 1:[1]
According to your description, I followed this tutorial and used this code sample to check this issue. The initialization for authentication middle ware would look as follows:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
}
});
Using fiddler to capture the network traces when logging, you could find the OpenIdConnect.nonce cookie would be issued to the browser before the OpenID Connect middleware starting the authentication request as follows:
After user entered the credentials and consent the permissions, the authorization_code
,id_token
,state
would be posted to your specified RedirectUri, then some validation would be executed and generate the new cookie and remove the previous OpenIdConnect.nonce cookie as follows:
IDX10311: requireNonce is true (default) but validationContext.Nonce is null. A nonce cannot be validated. If you dont need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false
I used Microsoft.Owin.Security.OpenIdConnect 3.0.1 to test this issue. Per my understanding, you need to make sure your OpenIdConnect.nonce cookie has been successfully issued to your browser. For example, if your cookie issued to https://localhost:44353/
, while the RedirectUri is set to http://localhost:4279
, then I would encounter the similar issue:
Or you could try to explicitly set OpenIdConnectProtocolValidator.RequireNonce to false to disable check the nonce.
Solution 2:[2]
Solution 1:
This is the "Katana bug", install Kentor.OwinCookieSaver from nuget package manager
Add below lines inside the configuration method
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions());
My complete config FYR:
public void Configuration(IAppBuilder app)
{
try
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOktaMvc(new OktaMvcOptions()
{
OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
GetClaimsFromUserInfoEndpoint = true,
Scope = new List<string> { "openid", "profile", "email" },
});
}
catch (Exception ex)
{
//Error
}
}
Solution 2:
- Check whether you have SSL in your application if yes check whether binding happened properly.
- If application runs on http it'll cause this error.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Bruce Chen |
Solution 2 | Prasanna Khurvilla |