[image: message flow diagram]

I have written a web API in .NET Core 2.0 and am using OpenIddict. When testing the external login use case, the following steps are followed.

  1. User calls into account controller specifying their external login provider which starts the Challenge process.

/api/account/externallogin?provider=Facebook

  2. The result of the Challenge process calls back to the API (ExternalLoginCallback) with a successful result and redirects to the following API endpoint to return an authorization code to the client via the redirect_uri.

/connect/authorize?client_id=myClient&response_type=code&scope=offline_access&redirect_uri=http://myClient/signin-oidc

  3. The client receives the code via the redirect_uri with the code appended as shown below

http://myClient/signin-oidc?code=CfDJ8Agzs3e68m5Ev0zC5okWI7--_T13E-ULHqeUlzgmEWBcPj6PYBBzAWu0kssa0wl3OcYX-YG0jCzhLZr2Wajvjc_zJTsmK12rmRjPAzqbqu9OuMjDX-wzNQYMI0cpLW1ZuumvPZHiRP5hxWAVpgH1pu5VwdcQBTBpyOPOP0JD2Wba1VAF9iopN1YIquLkvtVXnJEEKhb1apqfJAkA_NNk2lSRxFBkq6rFn9wLEOt2y9b0fOqsJ0sqmA1jbhJVfiVPaaI8z3J8HnzFtMwNHTwgpU8gAjk9ZTeTuP86nxQZl8R-P7LgEvOs8AgTR1g_WBSZgwtPfpULV3Ib7iUn8BQ4PiDhcwVR3Wed9Utnmbx5w8iDV9-jo4QRleuH8QWmZxXqr2nyeeCKqC01VHoEGl1KJak1jcxzFg7ooZAM_yrD207n0jy-hX9dvyl6XezSND5-ltjWjM1b96iK_74X8Euf4YVlhcV2bWPzBmgBSWQydOfT_xv3HNmXQcWwXjlEcCaxzdAKTconRDUuycBsdLS1Je6cME5deT9fzp98Lt6ryuVGNtkkqGg0LcKv49JmPyiBHrQfQUOUQg8fXkCYrf7k8FG5N8e-k3X1P3NEcYFcMchxF_1s1T2lUGAfmJ3P8Yqd9j26PF-gWzQHwkcdz1ptwbIXmF-tHuQK8zmIHoa5ErB3lR5bffsZmmG77NpTT-yq82Bbl5yf32RXKunqf5rQrVF7cWX0eM1h-EDgeHiMwx2IOYkHcxK6JLcRlggDfG__wMn_vEsQwW5UJaKU1VywT3hBGvS-zmbseparILu8hGDL5DrpmLpE3a5obWsp1yCM33fb7ciYmWuwQXKldG7MWXg#=

  4. Client immediately extracts the code from the URL and posts to the following endpoint to receive access/refresh tokens, but receives an `invalid_grant` error with the error description "The specified authorization code is invalid."

/connect/token

The following values are submitted in the post to request access token:

grant_type = authorization_code

code = CfDJ8Agzs3e68m5Ev0zC5okWI7--_T13E-ULHqeUlzgmEWBcPj6PYBBzAWu0kssa0wl3OcYX-YG0jCzhLZr2Wajvjc_zJTsmK12rmRjPAzqbqu9OuMjDX-wzNQYMI0cpLW1ZuumvPZHiRP5hxWAVpgH1pu5VwdcQBTBpyOPOP0JD2Wba1VAF9iopN1YIquLkvtVXnJEEKhb1apqfJAkA_NNk2lSRxFBkq6rFn9wLEOt2y9b0fOqsJ0sqmA1jbhJVfiVPaaI8z3J8HnzFtMwNHTwgpU8gAjk9ZTeTuP86nxQZl8R-P7LgEvOs8AgTR1g_WBSZgwtPfpULV3Ib7iUn8BQ4PiDhcwVR3Wed9Utnmbx5w8iDV9-jo4QRleuH8QWmZxXqr2nyeeCKqC01VHoEGl1KJak1jcxzFg7ooZAM_yrD207n0jy-hX9dvyl6XezSND5-ltjWjM1b96iK_74X8Euf4YVlhcV2bWPzBmgBSWQydOfT_xv3HNmXQcWwXjlEcCaxzdAKTconRDUuycBsdLS1Je6cME5deT9fzp98Lt6ryuVGNtkkqGg0LcKv49JmPyiBHrQfQUOUQg8fXkCYrf7k8FG5N8e-k3X1P3NEcYFcMchxF_1s1T2lUGAfmJ3P8Yqd9j26PF-gWzQHwkcdz1ptwbIXmF-tHuQK8zmIHoa5ErB3lR5bffsZmmG77NpTT-yq82Bbl5yf32RXKunqf5rQrVF7cWX0eM1h-EDgeHiMwx2IOYkHcxK6JLcRlggDfG__wMn_vEsQwW5UJaKU1VywT3hBGvS-zmbseparILu8hGDL5DrpmLpE3a5obWsp1yCM33fb7ciYmWuwQXKldG7MWXg#=

redirect_uri = http://myClient/signin-oidc

client_id = myClient

client_secret = mySecret

scope = offline_access role email openid

Geekn
    Are you 100% sure you're sending the code without altering it? The `#=` at the end looks suspicious, since tokens created by ASP.NET Core's `TicketDataFormat` are base64url-encoded. – Kévin Chalet Mar 06 '18 at 14:28
  • That is exactly what comes back in the URL. However I agreed that it looked suspicious so I removed the characters after the # and it worked. For example, the one I just created had "#_=_" at the end. I removed it and the auth code worked. – Geekn Mar 06 '18 at 14:48
  • Why do you think it always appends those characters at the end? "#_=_" – Geekn Mar 06 '18 at 14:48
  • It's a Facebook thing: https://stackoverflow.com/questions/7131909/facebook-callback-appends-to-return-url – Kévin Chalet Mar 06 '18 at 16:53
  • Once the API receives the callback from Facebook via ExternalLoginCallback (step 2 above), I redirect to the authorize endpoint in the API where the ticket is created via OpenIdConnectRequest. Isn't this what is creating the code for the client (not Facebook)? I feel like I'm doing something incorrect. – Geekn Mar 07 '18 at 01:35
  • Pinpoint, I added an image of the message flow if you would be kind enough to take a look. Really appreciate your help. – Geekn Mar 07 '18 at 03:25
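The comment thread pins the failure on the `#_=_` fragment that Facebook appends to the callback URL: if the client cuts the code out of the raw URL string, the fragment travels with it to `/connect/token` and the server rightly rejects it. The following Python is an added example, not code from the question's author or from OpenIddict, showing the naive extraction next to a proper one that parses only the query component, plus a shape check based on Kévin Chalet's note that the codes are base64url-encoded. The sample callback URL and its code value are constructed placeholders, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample callback URL in the shape described in the question:
# the provider appended a "#_=_" fragment after the query string.
# The code value is a made-up placeholder, not a real authorization code.
SAMPLE_CALLBACK = "http://myClient/signin-oidc?code=CfDJ8Example-code_value#_=_"

# Authorization codes produced by ASP.NET Core's TicketDataFormat are base64url:
# only these characters are allowed, so '#', '=' and '&' can never be part of one.
BASE64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def naive_extract_code(url: str) -> str:
    """Buggy approach: take everything after 'code='.

    Anything that follows the parameter (other query parameters, and the
    URL fragment) is swallowed into the returned value.
    """
    return url.split("code=", 1)[1]


def extract_code(url: str) -> str:
    """Correct approach: parse the query component only.

    urlsplit separates scheme/netloc/path/query/fragment, so the fragment
    (which the browser would not even send to a server) is never consulted.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, strict_parsing=True)
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' query parameter")
    return codes[0]


def looks_base64url(value: str) -> bool:
    """Cheap sanity check before sending the code to the token endpoint."""
    return bool(BASE64URL.match(value))


def build_token_request(url: str, client_id: str, client_secret: str,
                        redirect_uri: str) -> dict:
    """Assemble the form fields for POST /connect/token.

    redirect_uri must be byte-for-byte the value used in the authorize
    request, not the URL the browser actually landed on (which may carry
    the provider's fragment).
    """
    code = extract_code(url)
    if not looks_base64url(code):
        raise ValueError(f"authorization code is not base64url: {code!r}")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    print("naive :", naive_extract_code(SAMPLE_CALLBACK))
    print("parsed:", extract_code(SAMPLE_CALLBACK))
    print(build_token_request(SAMPLE_CALLBACK, "myClient", "mySecret",
                              "http://myClient/signin-oidc"))
```

Running it shows the naive extractor returning `CfDJ8Example-code_value#_=_`, which fails the base64url check, while the parsed value is the bare code. The same separation of query and fragment is what a server-side `signin-oidc` handler gets for free when it reads the `code` parameter from the request's query collection instead of from the raw URL.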

0 Answers