
When I try to authenticate I get the following error

2021-10-01T11:19:46.162027114Z: [INFO]  : Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
2021-10-01T11:19:46.162072114Z: [INFO]        An unhandled exception has occurred while executing the request.
2021-10-01T11:19:46.162078813Z: [INFO]        System.Exception: An error was encountered while handling the remote login.
2021-10-01T11:19:46.163227804Z: [INFO]         ---> System.Exception: Unable to unprotect the message.State.
2021-10-01T11:19:46.163254904Z: [INFO]           --- End of inner exception stack trace ---
2021-10-01T11:19:46.163261804Z: [INFO]           at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
2021-10-01T11:19:46.163830499Z: [INFO]           at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
2021-10-01T11:19:46.163847599Z: [INFO]           at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
2021-10-01T11:19:46.163869499Z: [INFO]           at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)

I have created a Core MVC site and it is working fine in stage and dev, but prod is failing. We are using Linux Docker to host on Azure App Services. We investigated and found that this issue happens when Azure runs multiple instances in prod. We found the link below, which talks about data protection, but I need to understand in detail what I need to do. Azure AD Authentication in Kubernetes Unable to unprotect the message.State

In Startup.cs the authentication is configured in the following way:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureAD", options);
        options.AccessDeniedPath = new PathString("/Download");
        options.Events ??= new OpenIdConnectEvents();
        options.Events.OnTokenValidated = async (context) =>
        {
            // code to get some data from local database
        };
    });
agarwal

1 Answer


Thank you travis.js, posting your suggestion as an answer to help other community members.

"I believe you are getting the Unable to unprotect the message.State error because one of your OIDC providers is trying to decrypt/unprotect the message state of the other one. (The message state is just a random string to help with security.)

I suggest that you name the AuthenticationSchemes for each OIDC provider like oidc-demo and oidc-master. Then the external providers should send you back to the corresponding signin-oidc-demo and signin-oidc-master endpoints.

--

Turns out this answer was basically correct. When using multiple OIDC providers you need different AuthenticationSchemes AND CallbackPath values:

.AddOpenIdConnect("oidc-google", options =>
  {
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.CallbackPath = "/signin-oidc-google";
    ...
  })
.AddOpenIdConnect("oidc-microsoft", options =>
  {
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.CallbackPath = "/signin-oidc-microsoft";
    ...
  })

Note that the authentication middleware will magically handle any CallbackPath that's configured, so it doesn't need to be handled explicitly.

If you don't differentiate OIDC providers and use separate callback paths, they may try to sign in with the same scheme and the cryptography won't match and only the first OIDC provider registered in your code will work."

For more information, please refer to this Microsoft documentation: Azure AD Authentication and authorization error codes

AjayKumarGhose
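The question and the answer describe two different ways to end up with "Unable to unprotect the message.State". The asker's case is scale-out: the OIDC handler protects the state parameter with ASP.NET Core Data Protection before redirecting to the identity provider, and in a Linux container on App Service the default key ring lives on the container's own filesystem, so the instance that receives the callback may not hold the key that another instance used. The answer's case is two OIDC handlers that share a scheme name or callback path, so the wrong handler tries to unprotect the state. The following Program.cs is an added example, not code from either poster and not Microsoft's own sample; it covers both cases by sharing one key ring across instances and by giving each provider its own scheme and CallbackPath. The storage-account and Key Vault URIs, the application name and the "Google" configuration section are placeholders; the Azure.Extensions.AspNetCore.DataProtection.Blobs, Azure.Extensions.AspNetCore.DataProtection.Keys and Azure.Identity packages are assumed to be referenced.

```csharp
// Added example: .NET 6 minimal hosting Program.cs (not the asker's or answerer's code).
// Assumed packages: Microsoft.AspNetCore.Authentication.OpenIdConnect,
// Azure.Extensions.AspNetCore.DataProtection.Blobs,
// Azure.Extensions.AspNetCore.DataProtection.Keys, Azure.Identity.
using Azure.Identity;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

// 1. Shared key ring for every instance (the scale-out case from the question).
//    Keys are persisted to one blob that all instances can read and write, and
//    wrapped with a Key Vault key so the blob never holds plaintext key material.
//    SetApplicationName must be identical on every instance: it is mixed into the
//    key derivation, so a differing value produces the same unprotect failure.
builder.Services.AddDataProtection()
    .SetApplicationName("my-mvc-site") // placeholder; same value on all instances
    .PersistKeysToAzureBlobStorage(
        new Uri("https://<storage-account>.blob.core.windows.net/dataprotection/keys.xml"), // placeholder
        new DefaultAzureCredential())
    .ProtectKeysWithAzureKeyVault(
        new Uri("https://<vault-name>.vault.azure.net/keys/dataprotection"), // placeholder
        new DefaultAzureCredential());

// 2. One cookie scheme for the signed-in session plus one OIDC scheme per provider
//    (the multi-provider case from the answer). Each provider gets a distinct
//    scheme name AND a distinct CallbackPath / SignedOutCallbackPath, so a
//    callback is always routed to the handler that protected the state.
builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc-microsoft";
    })
    .AddCookie()
    .AddOpenIdConnect("oidc-microsoft", options =>
    {
        // The "AzureAD" section is expected to supply OpenIdConnectOptions
        // properties such as Authority and ClientId.
        config.Bind("AzureAD", options);
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.CallbackPath = "/signin-oidc-microsoft";
        options.SignedOutCallbackPath = "/signout-callback-oidc-microsoft";
        options.AccessDeniedPath = "/Download";
        options.Events = new OpenIdConnectEvents
        {
            // A failed unprotect surfaces here as a remote failure; handling it
            // returns a redirect instead of an unhandled 500 with the exception.
            OnRemoteFailure = ctx =>
            {
                ctx.HandleResponse();
                ctx.Response.Redirect("/Download?error=remote");
                return Task.CompletedTask;
            }
        };
    })
    .AddOpenIdConnect("oidc-google", options =>
    {
        config.Bind("Google", options); // placeholder configuration section
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.CallbackPath = "/signin-oidc-google";
        options.SignedOutCallbackPath = "/signout-callback-oidc-google";
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "signed in").RequireAuthorization();
app.Run();
```

A quick way to confirm the key-ring half is working is to scale the App Service to two or more instances and watch the data protection blob: after the first start it should contain exactly one key ring that every instance reads, and the "Unable to unprotect" exception should stop appearing in the container logs regardless of which instance handles the callback. The identity used by DefaultAzureCredential needs read/write access to the blob and wrap/unwrap permission on the Key Vault key, and nothing more.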