Message contains error: 'login_required', error_description: 'The client specified not to prompt, but the user is not logged in.', error_uri: 'error_uri is null'

I have a .NET application which is trying to do a silent login, without re-routing to Okta’s login page. This was working till I upgraded my .NET framework to .NET Core 9.0. Post that, I am getting the below error.

“Message contains error: ‘login_required’, error_description: ‘The client specified not to prompt, but the user is not logged in.’, error_uri: ‘error_uri is null’.”

That indicates to me that your application is sending prompt=none in its /authorize request. Are you currently using the /authn endpoint to receive a sessionToken and then sending that to /authorize?

Check out my response over here for the reason you are likely seeing this behavior: Generating OIDC Token using PKCE with MFA - #2 by andrea

Yes, but the /authorize API we are not calling manually, it is being handled by Middleware.

Okay, but does it use a sessionToken in the authorize call and do you require additional MFA or re-authentication for this specific application in its assigned Authentication Policy, beyond what is required in the Org-level Global Session Policy?

If so, that error is 100% expected and you’ll want to check out the post I mentioned above about how to resolve it.

No, we don’t have any additional MFA configured. But since it is a .NET Core 9.0 application, it is not directly calling the authorize call with a session token. Instead it is using a PAR call to get the request_uri, which is then sent to the authorize call with the client id.

oo, so does it work if you disable PAR? I know you can at least disable it in IdentityModel (which will otherwise use it by default): foss/identity-model-oidc-client/src/IdentityModel.OidcClient/OidcClientOptions.cs at main · DuendeSoftware/foss · GitHub

Thanks Andrea, this seems to be working. But will you be able to tell why the PAR is not working?

I don’t have any particular ideas about why PAR is not working, especially not without reviewing this more in depth.