Message contains error: 'login_required', error_description: 'The client specified not to prompt, but the user is not logged in.', error_uri: 'error_uri is null'

I have a .NET application which is trying to do silent login, without re-routing to Okta’s login page. This was working till I upgraded my .NET framework to .NET Core 9.0. Post that I am getting the below error.

“Message contains error: ‘login_required’, error_description: ‘The client specified not to prompt, but the user is not logged in.’, error_uri: ‘error_uri is null’.”

That indicates to me that your application is sending prompt=none in its /authorize request. Are you currently using the /authn endpoint to receive a sessionToken and then sending that to /authorize?

Check out my response over here for the reason you are likely seeing this behavior: Generating OIDC Token using PKCE with MFA - #2 by andrea

Yes, but the /authorize API we are not calling manually, it is being handled by Middleware.

Okay, but does it use a sessionToken in the authorize call and do you require additional MFA or re-authentication for this specific application in its assigned Authentication Policy, beyond what is required in the Org-level Global Session Policy?

If so, that error is 100% expected and you’ll want to check out the post I mentioned above about how to resolve it.

No we don’t have any additional MFA configured. But since it is a .NET Core 9.0 application, it is not directly calling the authorize call with session token. Instead it is using PAR call, to get the request_uri, which is then sent to authorize call with client id.

oo, so does it work if you disable PAR? I know you can at least disable it in IdentityModel (which will otherwise use it by default): foss/identity-model-oidc-client/src/IdentityModel.OidcClient/OidcClientOptions.cs at main · DuendeSoftware/foss · GitHub

Thanks Andrea, this seems to be working. But will you be able to tell why the PAR is not working?


I don’t have any particular ideas about why PAR is not working, especially not without reviewing this more in depth.
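The PAR flow described in the thread (push the request, get a `request_uri`, send only that and the client id to `/authorize`), as an added example that is not code from any poster, Okta, or the .NET middleware. It is a constructed in-memory mock following RFC 9126 and the standard OIDC `prompt=none` rule; the endpoint, client id, and token values are placeholders.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://idp.example/authorize"  # placeholder endpoint, not a real Okta URL


class MockAuthorizationServer:
    """Constructed stand-in that follows RFC 9126 mechanics; not Okta's implementation."""

    def __init__(self, lifetime=60):
        self.lifetime = lifetime
        self.pushed = {}  # request_uri -> (client_id, params, expiry)

    def par(self, client_id, form):
        # Back channel: the whole authorization request is stored server-side.
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.pushed[request_uri] = (client_id, dict(form), time.time() + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def authorize(self, url, session_active):
        # Front channel: the browser carries only client_id and request_uri.
        query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        entry = self.pushed.pop(query.get("request_uri", ""), None)  # one-time use
        if entry is None or entry[0] != query.get("client_id") or entry[2] < time.time():
            return {"error": "invalid_request"}
        params = entry[1]
        # Standard OIDC rule: prompt=none with no session yields login_required.
        if params.get("prompt") == "none" and not session_active:
            return {"error": "login_required"}
        return {"ok": True, "effective_params": params}


def demo():
    server = MockAuthorizationServer()
    pushed = {  # constructed sample request
        "response_type": "code", "scope": "openid", "prompt": "none",
        "redirect_uri": "https://app.example/callback",
        "sessionToken": "SESSION_TOKEN_PLACEHOLDER", "state": "xyz",
    }
    reply = server.par("client-123", pushed)
    url = AUTHORIZE + "?" + urlencode({"client_id": "client-123", "request_uri": reply["request_uri"]})
    visible = sorted(parse_qs(urlsplit(url).query))
    first = server.authorize(url, session_active=False)
    replay = server.authorize(url, session_active=True)
    return visible, first, replay


if __name__ == "__main__":
    print(demo())
```

With PAR, `prompt` and `sessionToken` never appear in the browser URL, so comparing a working and a failing login means capturing the back-channel PAR POST body rather than the `/authorize` redirect.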