I’m trying to allow authentication through 3rd-party identity providers like Facebook, Google and Microsoft. I have followed the documentation on this topic and I can successfully direct users for authentication from each of these providers using direct links (still working on customizing the Okta-hosted sign-in page).
Authenticating through Okta works fine. However, for the three external identity providers, after I’ve entered valid credentials and I get redirected back to my /authorization-code/callback endpoint I get the following error:
OpenIdConnectAuthenticationHandler: message.State is null or empty.
I’m using ASP.NET Core 3.1 and a Startup.ConfigureServices setup like the following:
```csharp
var authenticationBuilder = services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultSignOutScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    // Cookie handler registered under the JWT bearer scheme name
    .AddCookie(JwtBearerDefaults.AuthenticationScheme)
    // Okta's OpenID Connect handler, configured from appsettings
    .AddOktaMvc(new OktaMvcOptions
    {
        OktaDomain = Configuration.GetValue<string>("OktaDomain"),
        ClientId = Configuration.GetValue<string>("OktaClientId"),
        ClientSecret = Configuration.GetValue<string>("OktaClientSecret"),
        Scope = AuthorizationScopes.All
    });
```
Digging around StackOverflow suggests this is a problem with my callback configuration. I’m using the
https://{My Okta Org}/oauth2/v1/authorize/callback Url and I have confirmed that this is listed as a valid redirect Url for each of the three identity providers. Again, the beginning of the authentication process succeeds:
- Navigating to https://{My Okta Org}/oauth2/v1/authorize?idp={My Okta-provided IDP Id}… successfully directs me to the proper identity provider
- After entering valid credentials I get redirected to the Url specified in the original call (through the redirect_uri query parameter). That redirect_uri is listed in my Okta application as one of the ‘Login redirect URIs’.
Then my application throws the exception.
Any ideas?
Is it possible to attach a custom handler onto whatever event the OpenIdConnectAuthenticationHandler is attached to, to see what’s coming back from the identity provider? I’m expecting a payload with an id_token but I’m not sure what I’m receiving. Furthermore, I don’t recall seeing anywhere I can customize the nonce or state. I mention this because the exception calls out message.State as null or empty. I believe the nonce can be omitted from the query but that state is required. As I understand it, this field can be anything but I certainly have not configured the web application to expect anything related to state.
Thank you in advance for any guidance.
Paul
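To answer the question of how to see what comes back from the identity provider: the ASP.NET Core OpenID Connect handler exposes events, and OnMessageReceived fires as soon as the callback is parsed, before the handler checks state. The following is an added example, not the poster's code or Okta's; it assumes the Okta handler is registered under OpenIdConnectDefaults.AuthenticationScheme (as the DefaultChallengeScheme above implies) and that a /signin-failed page exists.

```csharp
// Added example: diagnostic hooks on the OpenID Connect handler.
// Assumption: AddOktaMvc registers its handler under
// OpenIdConnectDefaults.AuthenticationScheme, so PostConfigure by that name reaches it.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class OidcDiagnostics
{
    public static IServiceCollection AddOidcCallbackDiagnostics(this IServiceCollection services)
    {
        services.PostConfigure<OpenIdConnectOptions>(
            OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Runs when the handler parses the response at the callback path,
            // before it validates state, the correlation cookie or the nonce.
            options.Events.OnMessageReceived = ctx =>
            {
                var log = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>().CreateLogger("OidcDiagnostics");
                var msg = ctx.ProtocolMessage;
                log.LogInformation(
                    "OIDC callback: code={HasCode} id_token={HasIdToken} state={HasState} error={Error}",
                    !string.IsNullOrEmpty(msg.Code), !string.IsNullOrEmpty(msg.IdToken),
                    !string.IsNullOrEmpty(msg.State), msg.Error ?? "(none)");

                // state is the handler's CSRF protection: it is generated when Challenge()
                // issues the redirect and bound to a correlation cookie. A callback without it
                // means the sign-in did not start from the middleware's challenge.
                if (string.IsNullOrEmpty(msg.State))
                    log.LogWarning("Callback arrived without state; no challenge to correlate with.");
                return Task.CompletedTask;
            };

            // Turns the handler's own failure (e.g. "message.State is null or empty")
            // into a log entry and a redirect instead of an unhandled exception.
            options.Events.OnRemoteFailure = ctx =>
            {
                ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                    .CreateLogger("OidcDiagnostics").LogError(ctx.Failure, "OIDC remote failure");
                ctx.Response.Redirect("/signin-failed"); // assumed error page
                ctx.HandleResponse();
                return Task.CompletedTask;
            };
        });
        return services;
    }
}
```

Call `services.AddOidcCallbackDiagnostics()` after `AddOktaMvc` in ConfigureServices; the log line then shows whether the callback carried an id_token, a code, an error, and whether state was present.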