#id_token stripped off of MVC 5 requests

I have an ASP.Net MVC 5 application where I have successfully gotten Okta to work with OpenIdConnect in an Active AuthenticationMode, but now I am trying to use Passive AuthenticationMode with a widget. At first it seems like it is working, where I get all the way through MFA and am being redirected back to my application, but this redirect, which contains #id_token, is not completing the authentication process. I can see that something in the MVC pipeline is stripping off #id_token. I have used MapSpaFallbackRoute to prevent this in MVC Core applications, but this is not a Core application. What can I do in my original .Net MVC 5 application to prevent the #id_token from being stripped off of the redirect request? Thank you.

How are you making this logout redirect? Also, what exact versions of .NET and MVC are you using?

It turns out I was going down the wrong path. I was not adding the sessionToken to the AuthenticationProperties from the OktaSignIn call on the client. Now, everything is working with Passive authentication.

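    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.OpenIdConnect;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(FormCollection form)
    {
        if (!HttpContext.User.Identity.IsAuthenticated)
        {
            // Carry the sessionToken posted from the OktaSignIn call on the client
            // along with the challenge.
            var properties = new AuthenticationProperties();
            properties.Dictionary.Add("sessionToken", form.Get("sessionToken"));
            properties.RedirectUri = "/Home/About";

            // Passive mode: name the OpenID Connect middleware explicitly.
            HttpContext.GetOwinContext().Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);

            return new HttpUnauthorizedResult();
        }

        return RedirectToAction("Index", "Home");
    }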
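
Added example, not part of the thread and not Okta's own code: the `Login` action above only places `sessionToken` in the `AuthenticationProperties`, so the OpenID Connect middleware still has to copy it onto the authorize request. One way to do that in the OWIN `Startup` class, assuming a Katana OpenID Connect setup in which the domain, client id and redirect URI shown are placeholders:

```csharp
// Added example: OWIN startup for the passive flow. Domain, client id and
// redirect URI are placeholders, not values from the thread.
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Passive: the middleware only acts when Challenge() names it explicitly.
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = "https://{yourOktaDomain}/oauth2/default", // placeholder
            ClientId = "{clientId}",                               // placeholder
            RedirectUri = "https://localhost:44300/",              // placeholder
            ResponseType = "id_token",
            Scope = "openid profile",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    // Properties passed to Challenge() by the Login action.
                    var challenge = context.OwinContext.Authentication.AuthenticationResponseChallenge;
                    string sessionToken;
                    if (challenge != null &&
                        challenge.Properties.Dictionary.TryGetValue("sessionToken", out sessionToken) &&
                        !string.IsNullOrEmpty(sessionToken))
                    {
                        // One-time credential: forward it to /authorize, never log or persist it.
                        context.ProtocolMessage.SetParameter("sessionToken", sessionToken);
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The null check on the challenge matters because `RedirectToIdentityProvider` also fires for sign-out requests, where no challenge properties exist.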
