4

I have an ASP.NET MVC web application MyWebApp which doesn't allow anonymous access to any page. There is an IdentityServer4 configured and once the user tries to open MyWebApp, he gets redirected to the IdentityServer login page. (Hybrid Flow) The user does not log in and stays on that IdentityServer login page for long enough that the Nonce cookie on MyWebApp expires (15 min default lifetime). If he then proceeds with the login in IdentityServer (successful) and gets redirected back to MyWebApp, he gets the following error:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

But since the user was successfully authenticated in IdentityServer, when he tries to access MyWebApp again, he gets redirected to IdentityServer and back to MyWebApp without having to enter username/password again. Yet the initial error is annoying. Anyone ever had such issue when the 'login' flow has started and the user goes 'AFK' for long enough that the 'Nonce' cookie expires and he can't finish the final validation? What would be a good way to handle that scenario?

Thanks in advance!

Borislav Borisov

4 Answers

7

The error IDX21323: RequireNonce is '[PII is hidden]' is telling you that the URL that you were on at the time you made a request from MyWebApp to IdentityServer is different from the URL that IdentityServer redirected you to after authentication.

I encountered this error by having MyWebApp listening on multiple URLs. For example, the user would connect to www.MyWebApp.com. He would click Login and would be redirected to IdentityProvider. He would log in to IdentityProvider which would then issue him a cookie proving his identity for www.MyWebApp.com. However, IdentityProvider would then redirect him to my authentication endpoint (which I specified in my app) at MyWebApp.com. The change in the URL meant that his cookie was inaccessible to MyWebApp.com and the app would throw the error.

When I then refreshed the page, I was already on MyWebApp.com. Now, when he clicked Login, he would be redirected to IdentityProvider. Because he was already logged in there, a cookie would be generated and given to MyWebApp.com (which is different from the last time when the user connected on www.MyWebApp.com). When IdentityProvider POSTed to my auth endpoint, the cookie was accessible to the application and the user was successfully logged in.

TL;DR. The URL that the user connects on must match exactly the URL that your IdentityProvider redirects to after a successful authentication. Depending on how your app is configured, different cookie rules will apply. In my case, a difference in encryption (http vs https) or in subdomain (www vs no-www) caused users to seemingly have the IDX21323 error "PII is hidden" at random.


David M
0

I simply updated my Microsoft.Owin.Security.OpenIdConnect package to match the version numbers on my other OWIN packages, and the error was gone:

Microsoft.Owin [4.1.1]
Microsoft.Owin.Security [4.1.1]
Microsoft.Owin.Security.Cookies [4.1.1]

0

In my case exception IDX21323 was related to the use of the http protocol in the development environment.

The current implementation in OpenIdConnectAuthenticationHandler (when redirecting to the authorization server) sets a nonce cookie for the user agent that has a hard-coded SameSite=None attribute. If the agent does not communicate via https protocol, the Secure attribute is not specified for the cookie:

new CookieOptions
{
  SameSite = SameSiteMode.None,  // hard-coded: the callback from the IdP is a cross-site POST
  HttpOnly = true,
  Secure = Request.IsSecure,     // only set when the app itself is served over https
  Expires = DateTime.UtcNow + Options.ProtocolValidator.NonceLifetime  // 15 minutes by default
}

The consequence of this implementation is that the user agent rejects the nonce cookie (according to the specification, if SameSite is None the Secure attribute is required).

It is therefore necessary to use https in the production environment. In the development environment, however, it is possible to use the Firefox browser as a user agent, which in the standard configuration does not require a secure context for SameSite=None.

tibx
-1

Inside OpenIdConnectAuthenticationNotifications you can capture the error and just move on to the next middleware:

AuthenticationFailed = (context) =>
{
    if (context.Exception.Message.Contains("IDX21323"))
    {
        // Swallow the nonce error and let the next middleware handle the request
        context.SkipToNextMiddleware();
        return Task.FromResult(0);
    }
    return Task.FromResult(0);
}

If I can recall, IDS3 requires a nonce but IDS4 does not.

GH DevOps
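The Startup fragment below is an added example written for this page; it is not code from the question or from any of the answers above, and not part of OWIN or IdentityServer. It ties the question's scenario (user goes AFK, nonce cookie expires, IDX21323 on return) to the last answer's approach of handling the failure in AuthenticationFailed, but instead of skipping the middleware it retries the sign-in once and then stops, so a cookie that never reaches the callback (the http/SameSite case from tibx's answer) cannot cause a redirect loop. It assumes OWIN/Katana 4.1, an IdentityServer4 at https://idsrv.example/, client id mywebapp, the host www.mywebapp.example and the cookie name MyWebApp.oidc.nonce_retry; all of those are placeholders, as is the one-hour NonceLifetime.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace MyWebApp
{
    public partial class Startup
    {
        // Loop-guard marker. The name is an assumption for this example; it is not an
        // OWIN or IdentityServer cookie.
        private const string NonceRetryCookie = "MyWebApp.oidc.nonce_retry";

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            var oidc = new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://idsrv.example/",      // assumed IdentityServer4 address
                ClientId = "mywebapp",                     // assumed client id
                ClientSecret = "<client secret>",
                ResponseType = OpenIdConnectResponseType.CodeIdToken,   // hybrid flow
                Scope = "openid profile",
                // Scheme and host must be exactly what the browser uses for the app (no
                // http/https or www/no-www mix), otherwise the nonce cookie written before
                // the redirect is never sent back with the callback.
                RedirectUri = "https://www.mywebapp.example/signin-oidc",
                PostLogoutRedirectUri = "https://www.mywebapp.example/",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed,
                    SecurityTokenValidated = context =>
                    {
                        // Successful round trip: drop the retry marker again.
                        context.Response.Cookies.Delete(NonceRetryCookie);
                        return Task.FromResult(0);
                    }
                }
            };

            // The nonce cookie expires after ProtocolValidator.NonceLifetime (15 minutes by
            // default); this is how long a user may sit on the IdentityServer login page.
            oidc.ProtocolValidator.NonceLifetime = TimeSpan.FromHours(1);

            app.UseOpenIdConnectAuthentication(oidc);
        }

        private static Task OnAuthenticationFailed(
            AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
        {
            // Only the missing/expired nonce case is retried; every other failure still throws.
            if (!(context.Exception is OpenIdConnectProtocolInvalidNonceException))
            {
                return Task.FromResult(0);
            }

            // The marker is written with the same attributes as the nonce cookie. If it does
            // not come back either, cookies are not reaching the callback at all and another
            // round trip would just loop. Over plain http the Secure flag cannot be set, so
            // do not retry there at all.
            if (!context.Request.IsSecure || context.Request.Cookies[NonceRetryCookie] != null)
            {
                context.HandleResponse();
                context.Response.StatusCode = 400;
                context.Response.ContentType = "text/plain";
                return context.Response.WriteAsync(
                    "Sign-in could not be completed because the browser did not return the " +
                    "sign-in cookie. Open the site again over https to retry.");
            }

            context.Response.Cookies.Append(NonceRetryCookie, "1", new CookieOptions
            {
                SameSite = SameSiteMode.None,   // the callback is a cross-site POST
                Secure = true,
                HttpOnly = true,
                Expires = DateTime.UtcNow.AddMinutes(2)
            });

            // Mark the response as handled (so the middleware does not throw) and send the
            // user back into the app. Nothing is anonymous, so the next request issues a new
            // challenge with a fresh nonce cookie; IdentityServer still has the user's
            // session, so the second round trip completes without a password prompt.
            context.HandleResponse();
            context.Response.Redirect("/");
            return Task.FromResult(0);
        }
    }
}
```

HandleResponse() is what makes the difference from the SkipToNextMiddleware() variant: the middleware short-circuits the pipeline with the 302 set here instead of handing the callback request to MVC. The original deep link the user asked for is lost on the retry (it only lives in the protected state parameter), which is why the redirect goes to "/". If the app sits behind a TLS-terminating proxy, Request.IsSecure reflects the scheme the proxy forwards to the app, so the X-Forwarded-Proto handling has to be in place before the IsSecure check above is trustworthy.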