Could not create SSL/TLS secure channel (IDX10803)

dotnet

#1

Hi Folks,
I am trying to integrate my application with OKTA. My Startup.cs code executes without any exception, but when I try to access the pages decorated with the [Authorize] attribute I get the error below:

The request was aborted: Could not create SSL/TLS secure channel.

When I refresh the error page I get the following message on the page:

IDX10803: Unable to create to obtain configuration from: ‘https://dev-783652.oktapreview.com/oauth2/default/.well-known/openid-configuration’.

Web.config keys:

<!-- 1. Replace these values with your Okta configuration -->
<add key="okta:ClientId" value="0oaeayyauxUOe7YxR0h7" />
<add key="okta:ClientSecret" value="<removed>" />
<add key="okta:Issuer" value="https://dev-783652.oktapreview.com/oauth2/default" />

<!-- 2. Update the Okta application with these values -->
<add key="okta:RedirectUri" value="http://localhost:60201/authorization-code/callback" />
<add key="okta:PostLogoutRedirectUri" value="http://localhost:60201/Home/Contact" />

Startup.cs:

using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(WebApplication_Frmwrk45.Startup))]
namespace WebApplication_Frmwrk45
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }

        private void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            });

            var clientId = ConfigurationManager.AppSettings["okta:ClientId"].ToString();
            var clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"].ToString();
            var issuer = ConfigurationManager.AppSettings["okta:Issuer"].ToString();
            var redirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"].ToString();

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                ClientSecret = clientSecret,
                Authority = issuer,
                RedirectUri = redirectUri,
                ResponseType = "code id_token",
                UseTokenLifetime = false,
                Scope = "openid profile",
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"].ToString(),
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name"
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                    {
                        if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                        {
                            var idToken = context.OwinContext.Authentication.User.Claims
                                .FirstOrDefault(c => c.Type == "id_token")?.Value;
                            context.ProtocolMessage.IdTokenHint = idToken;
                        }

                        return Task.FromResult(true);
                    },
                    AuthorizationCodeReceived = async context =>
                    {
                        // Exchange code for access and ID tokens
                        var tokenClient = new TokenClient(
                            issuer + "/v1/token", clientId, clientSecret, AuthenticationStyle.BasicAuthentication);
                        var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
                            context.ProtocolMessage.Code, redirectUri);

                        if (tokenResponse.IsError)
                        {
                            throw new Exception(tokenResponse.Error);
                        }

                        var userInfoClient = new UserInfoClient(issuer + "/v1/userinfo");
                        var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

                        var identity = new ClaimsIdentity();
                        identity.AddClaims(userInfoResponse.Claims);

                        identity.AddClaim(new Claim("id_token", tokenResponse.IdentityToken));
                        identity.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                        if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
                        {
                            identity.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
                        }

                        var nameClaim = new Claim(
                            ClaimTypes.Name,
                            userInfoResponse.Claims.FirstOrDefault(c => c.Type == "name")?.Value);
                        identity.AddClaim(nameClaim);


                        context.AuthenticationTicket = new AuthenticationTicket(
                            new ClaimsIdentity(identity.Claims, context.AuthenticationTicket.Identity.AuthenticationType),
                            context.AuthenticationTicket.Properties);
                    }
                }
            });
        }

    }
}

Requesting your help on this…


#2

Your configuration looks good to me so far. An IDX10803 error means that your code isn’t able to connect to Okta for some reason.

Can you open this link in a browser on your machine? https://dev-783652.oktapreview.com/oauth2/default/.well-known/openid-configuration

It loads fine for me (as expected). There may be a firewall or network issue on your side that’s blocking it. Let me know if you’re able to load that link in a normal browser.


#3

Hi Nate,
Thank you so much for your suggestions. I have updated the Client Secret key in the portal.
I tried opening https://dev-783652.oktapreview.com/oauth2/default/.well-known/openid-configuration and I am getting JSON output, but not the OKTA login page:

{
  "issuer":"https://dev-783652.oktapreview.com/oauth2/default",
  "authorization_endpoint":"https://dev-783652.oktapreview.com/oauth2/default/v1/authorize",
  "token_endpoint":"https://dev-783652.oktapreview.com/oauth2/default/v1/token",
  "userinfo_endpoint":"https://dev-783652.oktapreview.com/oauth2/default/v1/userinfo",
  "registration_endpoint":"https://dev-783652.oktapreview.com/oauth2/v1/clients",
  "jwks_uri":"https://dev-783652.oktapreview.com/oauth2/default/v1/keys",
  "response_types_supported":[
      "code",
      "id_token",
      "code id_token",
      "code token",
      "id_token token",
      "code id_token token"
  ],
  "response_modes_supported":[
      "query",
      "fragment",
      "form_post",
      "okta_post_message"
  ],
  "grant_types_supported":[
      "authorization_code",
      "implicit",
      "refresh_token",
      "password"
  ],
  "subject_types_supported":[
      "public"
  ],
  "id_token_signing_alg_values_supported":[
      "RS256"
  ],
  "scopes_supported":[
      "openid",
      "profile",
      "email",
      "address",
      "phone",
      "offline_access"
  ],
  "token_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt",
      "none"
  ],
  "claims_supported":[
      "iss",
      "ver",
      "sub",
      "aud",
      "iat",
      "exp",
      "jti",
      "auth_time",
      "amr",
      "idp",
      "nonce",
      "name",
      "nickname",
      "preferred_username",
      "given_name",
      "middle_name",
      "family_name",
      "email",
      "email_verified",
      "profile",
      "zoneinfo",
      "locale",
      "address",
      "phone_number",
      "picture",
      "website",
      "gender",
      "birthdate",
      "updated_at",
      "at_hash",
      "c_hash"
  ],
  "code_challenge_methods_supported":[
      "S256"
  ],
  "introspection_endpoint":"https://dev-783652.oktapreview.com/oauth2/default/v1/introspect",
  "introspection_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt",
      "none"
  ],
  "revocation_endpoint":"https://dev-783652.oktapreview.com/oauth2/default/v1/revoke",
  "revocation_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt",
      "none"
  ],
  "end_session_endpoint":"https://dev-783652.oktapreview.com/oauth2/default/v1/logout",
  "request_parameter_supported":true,
  "request_object_signing_alg_values_supported":[
      "HS256",
      "HS384",
      "HS512"
  ]
}

#4

A JSON page is expected. That link points to the OpenID Connect discovery (metadata) document, which is JSON. :slight_smile:

It’s odd that your browser can open the page, but .NET is having a problem. What version of .NET Framework is your project targeting? Also, what operating system are you using?


#5

I am having the same problem. I am using VS2017 on Windows 10 with the 4.6.1 framework.

Any suggestions?

Thanks in advance.


#6

My issue is not yet fixed… not sure what is wrong, because I am able to launch the OKTA login page on my machine with the code my teammate shared with me. The only difference in the code is that the application setup keys are configured in my teammate’s sandbox account.


#7

@manjeet.soor and @shweta, can you try explicitly enabling TLS 1.2 in your code? See this Stack Overflow question: Force the use of TLS 1.2 in my ASP .NET 4.6 application?

Specifically, try putting

// Enable TLS 1.2
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

in Application_Start or Startup.cs. Let me know if that makes any difference.


#8

Thanks Nate.

That problem got solved, but now I am getting another error. Here is the link to the forum question:

https://devforum.okta.com/t/unsupported-reposnse-type/1477

The error says “unsupported response type”.

Can you please let me know what I could be doing wrong?

Thanks

Manjeet


#9

Literally spent 8 hours after creating a fresh Web.API project trying to figure this out. I didn’t make any changes to my web.config and followed the Okta Widget + Web API (.net45) instructions to a tee (cors included).

This security protocol one-liner did the job, thanks so much!


#10

Glad you got it working! Sorry about the hassle. :confused: I’ll make sure this gets added to the official docs so there’s less guesswork next time!

Quick question @zlife - what version of .NET Framework is your Web API project targeting?


#11

Thank you so much Nate… it worked for me after adding the code suggested by you…

But the strange part is that I have created 2 sandbox accounts; for the first account it worked without giving me the SSL/TLS error, but for the other account I got this issue. Both sandbox accounts have the same configuration. I am not sure what the issue was.


#12

We are in the process of moving all Okta organizations over to TLS 1.2. All new orgs already use TLS 1.2, but older ones haven’t been switched over yet. One of your orgs might have been created prior to that new policy.

Eventually, all orgs will be TLS 1.2-only. Projects built on newer versions of the .NET Framework will work without changes, but you’ll need to add the ServicePointManager code to older projects. You should be able to add it to all of your projects now, regardless of whether the org is already using TLS 1.2.

Let me know if you have any questions!
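The fix from #7 and the TLS 1.2 policy from #12, put together as a startup pre-flight check. This is an added example, not code from the thread or from Okta's SDK: it enables TLS 1.2 without disabling anything the runtime already allows, then fetches the same discovery document the middleware fails on with IDX10803 and verifies that its "issuer" matches the configured okta:Issuer. The class and method names are mine, and it assumes Newtonsoft.Json is referenced (the OWIN OpenID Connect middleware already depends on it).

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq; // assumption: Newtonsoft.Json is available in the project

// Hypothetical helper; call OktaTlsPreflight.Run(issuer) once from Application_Start
// or from Startup.Configuration before app.UseOpenIdConnectAuthentication(...).
public static class OktaTlsPreflight
{
    public static void EnableTls12()
    {
        // OR-ing adds TLS 1.2 to whatever is already enabled. Assigning with "=" would
        // silently turn off newer protocols on runtimes that already default to them.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
    }

    // Fetches <authority>/.well-known/openid-configuration (the URL in the IDX10803 message)
    // and checks the "issuer" it advertises against the configured authority, since that is
    // the value the middleware later validates id_token "iss" claims against.
    public static async Task<string> CheckDiscoveryAsync(string authority)
    {
        var expectedIssuer = authority.TrimEnd('/');
        var metadataUrl = expectedIssuer + "/.well-known/openid-configuration";
        string json;
        using (var http = new HttpClient())
        {
            try
            {
                json = await http.GetStringAsync(metadataUrl);
            }
            catch (HttpRequestException ex)
            {
                // "Could not create SSL/TLS secure channel" surfaces here (as the inner
                // WebException) when none of the enabled protocols is accepted by the server.
                throw new InvalidOperationException(
                    "Discovery fetch failed for " + metadataUrl + ": " + ex.GetBaseException().Message, ex);
            }
        }

        var issuer = (string)JObject.Parse(json)["issuer"];
        if (!string.Equals(issuer, expectedIssuer, StringComparison.Ordinal))
        {
            throw new InvalidOperationException(
                "Issuer mismatch: configured '" + expectedIssuer + "', discovery returned '" + issuer + "'.");
        }
        return issuer;
    }

    public static string Run(string authority)
    {
        EnableTls12();
        return CheckDiscoveryAsync(authority).GetAwaiter().GetResult();
    }
}
```

Running the check before the middleware is registered turns the vague "Could not create SSL/TLS secure channel" into a startup failure that names the exact URL and protocol problem, instead of surfacing on the first [Authorize] request.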