OpenIdConnectProtocolValidator - nonce error

I'm using OpenIdConnect authentication on my Azure website (Azure Active Directory, C#, MVC) and I'm randomly getting this error:

IDX10311: requireNonce is true (default) but validationContext.Nonce is null. A nonce cannot be validated. If you dont need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false

I am using the KentorOwinCookieSaver which, as far as I understand, was a solution to this problem, but obviously I'm wrong because it keeps on happening. How can I stop this?

In the ConfigureAuth method I have this line:

app.UseKentorOwinCookieSaver();


Solution 1:

According to your description, I followed this tutorial and used this code sample to check this issue. The initialization for the authentication middleware would look as follows:

// Namespaces used: Owin, Microsoft.Owin.Security.OpenIdConnect, System.Threading.Tasks
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        // The browser must carry the OpenIdConnect.nonce cookie back to this URI
        RedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Called when token/nonce validation throws (e.g. IDX10311)
            AuthenticationFailed = context =>
            {
                // Stop the middleware from writing its own error response
                context.HandleResponse();
                context.Response.Redirect("/Error?message=" + context.Exception.Message);
                return Task.FromResult(0);
            }
        }
    });

Using Fiddler to capture the network traces when logging in, you could find that the OpenIdConnect.nonce cookie is issued to the browser before the OpenID Connect middleware starts the authentication request, as follows:

[screenshot]

After the user has entered the credentials and consented to the permissions, the authorization_code, id_token and state are posted to your specified RedirectUri; then some validation is executed, a new cookie is generated and the previous OpenIdConnect.nonce cookie is removed, as follows:

[screenshot]

IDX10311: requireNonce is true (default) but validationContext.Nonce is null. A nonce cannot be validated. If you dont need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false

I used Microsoft.Owin.Security.OpenIdConnect 3.0.1 to test this issue. Per my understanding, you need to make sure your OpenIdConnect.nonce cookie has been successfully issued to your browser. For example, if your cookie is issued to https://localhost:44353/ while the RedirectUri is set to http://localhost:4279, then I would encounter a similar issue:

[screenshot]

Or you could try to explicitly set OpenIdConnectProtocolValidator.RequireNonce to false to disable checking the nonce.
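As an added example that is not part of Bruce Chen's answer, the following turns the cookie-scope diagnosis above into a runtime check for the Katana middleware: at the moment the nonce cookie is written (the RedirectToIdentityProvider notification) it compares the request origin with RedirectUri and logs a warning when scheme, host or port differ, and it maps IDX10311 to a fixed error code instead of echoing the exception text. The class name NonceDiagnostics and both method names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public static class NonceDiagnostics
{
    // Null when redirect URI and current request share scheme, host and port (the browser will return the nonce cookie); otherwise a description.
    public static string DescribeRedirectMismatch(Uri currentRequest, string redirectUri)
    {
        if (string.IsNullOrEmpty(redirectUri)) return null; // e.g. a sign-out request
        var redirect = new Uri(redirectUri);
        bool same = string.Equals(redirect.Scheme, currentRequest.Scheme, StringComparison.OrdinalIgnoreCase)
                 && string.Equals(redirect.Host, currentRequest.Host, StringComparison.OrdinalIgnoreCase)
                 && redirect.Port == currentRequest.Port;
        if (same) return null;
        return "OpenIdConnect.nonce cookie is scoped to " + currentRequest.GetLeftPart(UriPartial.Authority)
             + " but the authorization response goes to " + redirect.GetLeftPart(UriPartial.Authority)
             + "; the browser will not attach the cookie and IDX10311 follows";
    }
    public static void ConfigureOidc(IAppBuilder app, string clientId, string authority, string redirectUri)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs just before the browser is sent to the identity provider, i.e. while the nonce cookie is being written.
                RedirectToIdentityProvider = n =>
                {
                    var problem = DescribeRedirectMismatch(n.Request.Uri, n.ProtocolMessage.RedirectUri);
                    if (problem != null) Trace.TraceWarning(problem);
                    return Task.FromResult(0);
                },
                AuthenticationFailed = n =>
                {
                    n.HandleResponse();
                    // Fixed reason code for the user; the full exception goes to the trace log only.
                    var reason = n.Exception.Message.StartsWith("IDX10311", StringComparison.Ordinal) ? "nonce_missing" : "auth_failed";
                    Trace.TraceError(n.Exception.ToString());
                    n.Response.Redirect("/Error?reason=" + reason);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```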

Solution 2:

Solution 1:

  • This is the "Katana bug"; install Kentor.OwinCookieSaver from the NuGet package manager

  • Add the lines below inside the configuration method:

    app.UseKentorOwinCookieSaver();
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

My complete config FYR:

    // Namespaces used: Owin, Microsoft.Owin.Security.Cookies, Okta.AspNet,
    // Kentor.OwinCookieSaver, System.Configuration, System.Collections.Generic
    public void Configuration(IAppBuilder app)
    {
        try
        {
            // The OIDC middleware signs the user in with this (cookie) authentication type
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Katana cookie-loss workaround; must be registered before the cookie middleware
            app.UseKentorOwinCookieSaver();

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOktaMvc(new OktaMvcOptions()
            {
                OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
                ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
                ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
                AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
                RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
                GetClaimsFromUserInfoEndpoint = true,
                Scope = new List<string> { "openid", "profile", "email" },
            });
        }
        catch (Exception ex)
        {
            // Do not swallow this: if registration fails, the pipeline would run with no authentication at all
            System.Diagnostics.Trace.TraceError(ex.ToString());
            throw;
        }
    }

Solution 2:

  • Check whether you have SSL in your application; if so, check whether the binding happened properly.
  • If the application runs on HTTP, it will cause this error.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Bruce Chen
Solution 2: Prasanna Khurvilla