.NET 5 Blazor Server OKTA Authentication showing HTTP Error 400

Questions
1

Hello,

Using ASP.NET Core (.NET 5) Blazor Server with OKTA. OKTA log page has been prompted. I am getting below error messge on submitting OKTA uid/pwd

HTTP Error 400. The size of the request headers is too long.

My middleware is as like below, using an OpenId Connect.

services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(30);
options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Authority = configuration[“Okta:Domain”] + “/oauth2/default”;
options.RequireHttpsMetadata = true;
options.ClientId = configuration[“Okta:ClientId”];
options.ClientSecret = configuration[“Okta:ClientSecret”];
options.ResponseMode = OpenIdConnectResponseMode.FormPost;
options.ResponseType = OpenIdConnectResponseType.Code;
options.Scope.Add(“offline_access”);
options.UseTokenLifetime = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.AccessDeniedPath = “/Public/AccessDenied”;
options.Scope.Add(“openid”);
options.Scope.Add(“profile”);
options.Scope.Add(“email”);

                              // Describe how to map the user info we receive to user claims
                              options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub", "string");
                              options.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name", "string");
                              options.ClaimActions.MapJsonKey(ClaimTypes.Name, "given_name", "string");
                              options.ClaimActions.MapJsonKey("LastName", "lastname", "string");
                              options.ClaimActions.MapJsonKey("FirstName", "firstname", "string");
                              options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email", "string");
                              options.ClaimActions.MapJsonKey("Groups", "Groups", "string");
                              options.ClaimActions.MapJsonKey("membership_roles", "membership_roles", "string");

                              options.SaveTokens = true;
                              options.NonceCookie.SameSite = SameSiteMode.Unspecified;
                              options.CorrelationCookie.SameSite = SameSiteMode.Unspecified;

                              options.TokenValidationParameters = new TokenValidationParameters
                              {
                                     NameClaimType = "name",
                                     RoleClaimType = "groups",
                                     RequireSignedTokens = true,
                                     ValidateIssuer = false
                              };
                       })
                       .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, displayName: $"EPDOne_{GlobalVariables.LocalEnv.EnvironmentName}",
                    options =>
                    {

                          options.Cookie.Name = $"EPDOne_{ GlobalVariables.LocalEnv.EnvironmentName}";
                          options.Cookie.HttpOnly = false;
                           options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
                          options.Cookie.IsEssential = true;


                          options.Events = new CookieAuthenticationEvents
                          {
                                 // this event is fired everytime the cookie has been validated by the cookie middleware,
                                 // so basically during every authenticated request
                                 // the decryption of the cookie has already happened so we have access to the user claims
                                 // and cookie properties - expiration, etc..
                                 OnValidatePrincipal = context =>
                                 {
                                        // since our cookie lifetime is based on the access token one,
                                        // check if we're more than halfway of the cookie lifetime

                                        var now = DateTimeOffset.UtcNow;
                                        TimeSpan timeElapsed = now.Subtract(DateTime.Now.AddDays(1));
                                        TimeSpan timeRemaining = now.Subtract(DateTime.Now.AddDays(2));
                                        if (context is not null)
                                        {
                                               if (context.Properties is not null && context.Properties.IssuedUtc is not null)
                                               {
                                                      timeElapsed = now.Subtract(context.Properties.IssuedUtc.Value);
                                               }
                                               else
                                               {
                                                      context.ShouldRenew = true;
                                               }
                                               if (context.Properties is not null && context.Properties.ExpiresUtc is not null)
                                               {
                                                      timeRemaining = context.Properties.ExpiresUtc.Value.Subtract(now);
                                               }
                                               else
                                               {
                                                      context.ShouldRenew = true;
                                               }
                                        }


                                        if (timeElapsed > timeRemaining || context?.ShouldRenew == true)
                                        {
                                               context.ShouldRenew = true;

                                               var identity = (ClaimsIdentity)context?.Principal?.Identity;
                                               if (identity is not null && identity.IsAuthenticated)
                                               {
                                                      string CurrentBaseAddress = CurrentURL(context.HttpContext);
                                                      string returnUrl = "";
                                                      if (string.IsNullOrEmpty(CurrentBaseAddress) == false)
                                                      {
                                                             returnUrl = "?returnUrl=" + CurrentBaseAddress;
                                                      }
                                                      context.Response.Redirect(GlobalVariables.OKTACallBackURI + $"/refresh{returnUrl}");
                                               }
                                        }

                                        return Task.CompletedTask;
                                 }
                          };
                    });


                       services.AddRazorPages(options =>
                       {
                              options.Conventions.AuthorizeFolder("/");
                              //options.Conventions.AllowAnonymousToFolder("/Public");
                       }
                       );
2

I later noticed inside my .NET Core Startup.cs file below code.

app.UseAuthorization();

app.UseAuthorization();

The correct lines should be

app.UseAuthentication();
app.UseAuthorization();

So actually Authentication middleware itself not enabled and in hurry I was using 2 lines of enabling Authorization itself. After the mentioned correction, it works. Sorry to anyone who spent time on this. I am closing this query.

3

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.