ASP.Net Core exception when authenticating through 3rd party identity providers

paul.varcholik · April 25, 2020, 8:00pm

I’m trying to allow authentication through 3rd-party identity providers like Facebook, Google and Microsoft. I have followed the documentation on this topic and I can successfully direct users for authentication from each of these providers using direct links (still working on customizing the Okta-hosted sign-in page).

Authenticating through Okta works fine. However, for the three external identify providers, after I’ve entered valid credentials and I get redirected back to my /authorization-code/callback endpoint I get the following error:

OpenIdConnectAuthenticationHandler: message.State is null or empty.

I’m using ASP.NET Core 3.1 and Startup.ConfigureServices setup like the following:

var authenticationBuilder = services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultSignOutScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
               .AddCookie(JwtBearerDefaults.AuthenticationScheme)
               .AddOktaMvc(new OktaMvcOptions
               {
                   OktaDomain = Configuration.GetValue<string>("OktaDomain"),
                   ClientId = Configuration.GetValue<string>("OktaClientId"),
                   ClientSecret = Configuration.GetValue<string>("OktaClientSecret"),
                   Scope = AuthorizationScopes.All
               });

Digging around StackOverflow suggests this is a problem with my callback configuration. I’m using the
https://{My Okta Org}/oauth2/v1/authorize/callback Url and I have confirmed that this is listed as a valid redirect Url for each three identity providers.Again, the beginning of the authentication process succeeds:

Navigating to https://{My Okta Org}/oauth2/v1/authorize?idp={My Okta-provided IDP Id}… successfully directs me to the proper identity provider
After entering valid credentials I get redirected to the Url specified in the original call (through the redirect_uri query parameter). That redirect_uri is listed in my Okta application as on of the ‘Login redirect URIs’.

Then my application throws the exception.

Any ideas?

Is it possible to attach a custom handler onto whatever event the OpenIdConnectAuthenticationHandler is attached to, to see what’s coming back from the identity provider? I’m expecting a payload with an id_token but I’m not sure what I’m receiving. Furthermore, I don’t recall seeing anywhere I can customize the nonce or state. I mention this because the exception calls out message.State as null or empty. I believe the nonce can be omitted from the query but that state is required. As I understand it, this field can be anything but I certainly have not configured the web application to expect anything related to state.

Thank you in advance for any guidance.

Paul

phi1ipp · April 28, 2020, 1:07am

State should be returned back from authorization server the same way it was sent by your application in the original request. So you can check that, to make sure it’s not lost on the callback, which normally should not happen to the big names like you mentioned

paul.varcholik · April 28, 2020, 4:54pm

Thanks for the response Philipp.I do indeed get a state parameter back from the identity provider and it is definitely the same value that I supply.

For example, if I send the user to an authorization url like:

https://{My Okta Org}/oauth2/v1/authorize?idp={My Okta-provided IDP Id}&client_id={My Okta application Client ID}&response_type=code&response_mode=fragment&scope=openid&redirect_uri=https%3A%2F%2Flocalhost%3A44345%2Fauthorization-code%2Fcallback&state=ASDFASDF&nonce=nonce

And the user successfully authenticates with the identity provider, the redirect url would be:

https://localhost:44345/authorization-code/callback#code=oFIV2gwa-j_Ae3i3fqSG&state=ASDFASDF

But then I get the Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.

Diego · July 17, 2020, 4:22pm

Could you solve?
The same thing happens to me, and only on mobile phones. From the web it works correctly.

Thanks.

Diego · July 17, 2020, 4:23pm

Could you solve?
The same thing happens to me, and only on mobile phones. From the web it works correctly.

Thanks.

paul.varcholik · July 17, 2020, 5:35pm

Hello Diego,

I did resolve the issue but I did so be rewriting my authentication using the sample project at https://github.com/okta/samples-aspnetcore/tree/master/samples-aspnetcore-3x/social-login/okta-aspnetcore-mvc-example

Paul

system · January 24, 2024, 11:37pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.