I am running version 6.28.1 of Microsoft.IdentityModel.Protocols.OpenIdConnect in a 4.8 .NET Framework project.

Trying to get the configuration to validate a token and get an exception that I can't dig into:

var discoveryDocument = await configurationManager.GetConfigurationAsync(ct);

I have a POC sample of this code in a .NET 6 project that works great, but when migrating this to my own application I can't get past this exception.

I tried downgrading to version 5.5, as well as upgrading to 6.29; however, I get the same errors no matter what I change.

Sydney_dev

1 Answer

Incidentally, since 18 Apr 2023 a similar issue has been occurring for me; however, it might be unrelated to your issue. I wasted days on investigating why GetConfigurationAsync within OWIN never yielded, with no logged error/warning (see https://github.com/aspnet/AspNetKatana/blob/dbe159e43e2eee44f315f26268943e8ab5a4f60d/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L148).

I finally found out that, regardless of server best-practice TLS configuration (which is TLS 1.2+), OWIN still contacts Microsoft's servers for the pre-authentication configuration fetch (GetConfigurationAsync) via an old TLS version (1.0 / 1.1).

Enforcement through machine registry entries will not work (it is ignored for unknown reasons). The only working method I found is to add to your application startup (Application_Start in Global.asax) a list of permitted TLS versions, like so:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13 | SecurityProtocolType.Ssl3;

This is not recommended, since you lock in the security protocols, but given the malfunction in the OWIN library it is a working trade-off.

Similar scenario: Anyway to restrict Owin HTTPS to TLS 1.2?

r3mark
  • This isn't specific to the OWIN libraries, this is about TLS defaults for all of .NET. See https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls – Tratcher Apr 26 '23 at 15:39
  • 1
    1. The TLS failure as part of GetConfigurationAsync was not reported by OWIN and I had to debug OWIN to find out 2. Server-wide prevention as per https://thesecmaster.com/how-to-disable-tls-1-0-and-tls-1-1-on-windows-server/#Method_3_Disable_TLS_10_and_TLS_11_on_Windows_Server_using_CMD (i.e. reg keys) of old TLS was ignored – r3mark Apr 27 '23 at 01:40
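As an added example (not code from the question, the answer, or the OWIN/IdentityModel projects), the following shows the two points discussed above in one place: pinning the process to TLS 1.2/1.3 only (without SSL 3.0) at startup, and fetching the discovery document while walking the full inner-exception chain so that a TLS handshake failure is visible instead of being swallowed. It assumes a .NET Framework 4.8 host with the Microsoft.IdentityModel.Protocols.OpenIdConnect package; the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Added example; names below are hypothetical, not from the question or answer.
public static class OidcDiscoveryCheck
{
    // Call once at startup (e.g. Application_Start in Global.asax).
    // Only TLS 1.2 and 1.3 are permitted; SSL 3.0 and TLS 1.0/1.1 are
    // deliberately left out so the process cannot fall back to them.
    public static void EnforceModernTls()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;
    }

    // Fetches the OpenID Connect discovery document. On failure it prints each
    // exception in the chain before rethrowing, because the useful detail (for
    // example a WebException about the SSL/TLS secure channel) is normally
    // several InnerException levels below the top-level message.
    public static async Task<OpenIdConnectConfiguration> FetchAsync(
        string metadataAddress, CancellationToken ct)
    {
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress,
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true }); // refuse plain-HTTP metadata

        try
        {
            return await configurationManager.GetConfigurationAsync(ct);
        }
        catch (Exception ex)
        {
            for (var e = ex; e != null; e = e.InnerException)
            {
                Console.WriteLine($"{e.GetType().Name}: {e.Message}");
            }
            throw;
        }
    }
}
```

Call `EnforceModernTls()` before the first outbound HTTPS request, and pass the issuer's `/.well-known/openid-configuration` URL as `metadataAddress`.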