I’m implementing Okta authentication in an ASP.NET Web Forms application (not MVC)
using Microsoft.Owin.Security.OpenIdConnect.
Issue:
- SecurityTokenValidated fires successfully ✓
- User is authenticated with all claims ✓
- But then AuthenticationFailed fires with nonce validation error ✗
- Authentication cookie is never set ✗
Environment:
- ASP.NET Web Forms (.aspx pages)
- IIS Express / localhost
- Microsoft.Owin.Security.OpenIdConnect
- Microsoft.Owin.Security.Cookies
What I’ve tried:
- Setting RequireNonce = false in ProtocolValidator - doesn’t work
- Using SameSiteCookieManager - doesn’t work
- Setting SignInAsAuthenticationType - doesn’t work
- Various cookie settings - none work
Logs show:
- AuthorizationCodeReceived ✓
- SecurityTokenValidated ✓ (user authenticated, all claims present)
- AuthenticationFailed ✗ (IDX21323: Nonce validation error)
Question:
Why does the nonce cookie not persist between the redirect to Okta and the callback?
Is there a known issue with Web Forms and OWIN cookie persistence on localhost?
Will this work when deployed to a real IIS server, or is this a fundamental issue?
What is the workaround on localhost?
Thanks
kshah