OpenIdConnectProtocolException: Unsupported response type in ASP.NET

Hi, I am trying to integrate my application with Okta. My Startup.cs code gets executed, but it doesn't display the Okta login page. I am getting the unsupported_response_type error.

Server Error in ‘/’ Application.
unsupported_response_type
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolException: unsupported_response_type

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[OpenIdConnectProtocolException: unsupported_response_type]
Microsoft.Owin.Security.OpenIdConnect.d__1a.MoveNext() +5677
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +26
Microsoft.Owin.Security.OpenIdConnect.d__1a.MoveNext() +6419
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +61
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +571
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +61
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +255
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +61
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +182
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +61
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +638
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +61
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +182
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +61
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__2.MoveNext() +180
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +69
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +64
System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +483
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +132
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +163

Here are my web.config settings:

    <!-- 1. Replace these values with your Okta configuration -->
    <add key="okta:ClientId" value="0oaedp65eskxvzhhY0h7" />
    <add key="okta:ClientSecret" value="<secretKey>" />
    <add key="okta:Issuer" value="https://dev-874225.oktapreview.com/oauth2/default" />

    <!-- 2. Update the Okta application with these values -->
    <add key="okta:RedirectUri" value="http://localhost:59896/authorization-code/callback" />
    <add key="okta:PostLogoutRedirectUri" value="http://localhost:59896/Account/PostLogout" />

And here is my Startup.cs code:

    // Using directives and the enclosing class were not in the post; they are
    // added here so the snippet compiles. The OpenIdConnectRequestType and
    // TokenValidationParameters namespaces depend on the Microsoft.IdentityModel
    // package version in use (assumed: Microsoft.IdentityModel.* 5.x).
    using System;
    using System.Configuration;
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityModel.Client;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888

            ConfigureAuth(app);
        }

        private void ConfigureAuth(IAppBuilder app)
        {
            // The cookie middleware is the sign-in target for the OIDC middleware below.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            });

            // Values come from the okta:* keys in web.config.
            var clientId = ConfigurationManager.AppSettings["okta:ClientId"];
            var clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"];
            var issuer = ConfigurationManager.AppSettings["okta:Issuer"];
            var redirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"];

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                ClientSecret = clientSecret,
                Authority = issuer,
                RedirectUri = redirectUri,
                // response_type sent on the /authorize request; the Okta application
                // must have the matching grant type(s) enabled or the server answers
                // with unsupported_response_type.
                ResponseType = "id_token",
                UseTokenLifetime = false,
                Scope = "openid profile",
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name"
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                    {
                        // On logout, pass the stored id_token as id_token_hint so Okta
                        // can end the right session.
                        if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                        {
                            var idToken = context.OwinContext.Authentication.User.Claims.FirstOrDefault(c => c.Type == "id_token")?.Value;
                            context.ProtocolMessage.IdTokenHint = idToken;
                        }

                        return Task.FromResult(true);
                    },
                    AuthorizationCodeReceived = async context =>
                    {
                        // Exchange code for access and ID tokens
                        var tokenClient = new TokenClient(
                            issuer + "/v1/token", clientId, clientSecret);
                        var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(context.ProtocolMessage.Code, redirectUri);

                        if (tokenResponse.IsError)
                        {
                            throw new Exception(tokenResponse.Error);
                        }

                        var userInfoClient = new UserInfoClient(issuer + "/v1/userinfo");
                        var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

                        var identity = new ClaimsIdentity();
                        identity.AddClaims(userInfoResponse.Claims);

                        identity.AddClaim(new Claim("id_token", tokenResponse.IdentityToken));
                        identity.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                        if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
                        {
                            identity.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
                        }

                        // Claim(...) throws on a null value, so only add the name claim
                        // when the userinfo response actually carried one.
                        var name = userInfoResponse.Claims.FirstOrDefault(c => c.Type == "name")?.Value;
                        if (!string.IsNullOrEmpty(name))
                        {
                            identity.AddClaim(new Claim(ClaimTypes.Name, name));
                        }

                        context.AuthenticationTicket = new AuthenticationTicket(
                            new ClaimsIdentity(identity.Claims, context.AuthenticationTicket.Identity.AuthenticationType),
                            context.AuthenticationTicket.Properties);
                    }
                }
            });
        }
    }

You’ll get this error if you don’t have both Authorization Code and Implicit - Allow ID Token turned on in the Application configuration in Okta. Your Application should look like this:

This is due to a limitation in the OWIN middleware. I'm hoping to work around this limitation in the future. For more info, see this GitHub discussion: https://github.com/oktadeveloper/okta-aspnet-mvc-example/issues/18

1 Like
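To make the answer concrete, here is an added example (not from the original thread, and not Okta's or the OWIN middleware's code) that emulates the check an OpenID Connect authorization server performs on the `/authorize` request the middleware redirects the browser to. It maps each `response_type` component to the grant type the application must have enabled, following OpenID Connect Core section 3 and the OAuth 2.0 Multiple Response Type spec: `code` needs the authorization-code grant, `id_token` and `token` need the implicit grant, and a hybrid value such as `code id_token` needs both, which is the pair of checkboxes the answer names. The grant labels, the issuer, the client ID and the nonce/state values are constructed placeholders for this example; the `Startup.cs` in the post sets `ResponseType = "id_token"`, which on its own needs only the implicit ID-token grant.

```python
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# Each response_type component (OIDC Core 3.1-3.3, OAuth 2.0 Multiple Response
# Types) requires a grant the authorization server must allow for the client.
# The grant labels are constructed for this example and mirror the Okta
# application checkboxes named in the answer ("Authorization Code",
# "Implicit - Allow ID Token") plus the access-token variant; they are not
# Okta API identifiers.
REQUIRED_GRANTS = {
    "code": "authorization_code",
    "id_token": "implicit_id_token",
    "token": "implicit_access_token",
}


def required_grants(response_type: str) -> Set[str]:
    """Grants the client must be allowed to use for this response_type.

    A multi-valued response_type ("code id_token") is space-separated and
    order-insensitive, so the requirements of every component are combined.
    """
    parts = response_type.split()
    if not parts:
        raise ValueError("empty response_type")
    grants = set()
    for part in parts:
        if part not in REQUIRED_GRANTS:
            raise ValueError("unknown response_type component: " + part)
        grants.add(REQUIRED_GRANTS[part])
    return grants


def missing_grants(response_type: str, enabled_grants: Set[str]) -> Set[str]:
    """Grants the application configuration still needs to enable."""
    return required_grants(response_type) - set(enabled_grants)


def check_authorize_request(url: str, enabled_grants: Set[str]) -> Optional[str]:
    """Emulate the server-side grant check on an /authorize request.

    Returns None when the request would be accepted, otherwise the OAuth error
    code the server sends back; the OWIN middleware surfaces that code as the
    OpenIdConnectProtocolException seen in the post.
    """
    query = parse_qs(urlsplit(url).query)
    response_type = query.get("response_type", [""])[0]
    try:
        if missing_grants(response_type, enabled_grants):
            return "unsupported_response_type"
    except ValueError:
        # Unknown or empty response_type is rejected with the same error code.
        return "unsupported_response_type"
    return None


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        response_type: str, scope: str = "openid profile") -> str:
    """Build a request of the shape the OWIN middleware redirects to.

    Constructed sample: nonce and state are fixed placeholders here, whereas
    the real middleware generates fresh random values for every request.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "response_mode": "form_post",
        "nonce": "sample-nonce",
        "state": "sample-state",
    }
    return issuer + "/v1/authorize?" + urlencode(params)


if __name__ == "__main__":
    # Constructed values standing in for the post's web.config settings.
    issuer = "https://dev-000000.oktapreview.com/oauth2/default"
    url = build_authorize_url(issuer, "0oaEXAMPLECLIENTID",
                              "http://localhost:59896/authorization-code/callback",
                              "code id_token")
    # Application with only Authorization Code enabled: the hybrid request fails.
    print(check_authorize_request(url, {"authorization_code"}))
    print(missing_grants("code id_token", {"authorization_code"}))
    # After also enabling Implicit - Allow ID Token the request is accepted.
    print(check_authorize_request(url, {"authorization_code", "implicit_id_token"}))
```

Running `missing_grants` with the `ResponseType` string from your `Startup.cs` and the grants ticked in the Okta application tells you exactly which checkbox is missing before you hit the exception in the browser.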

Thanks, it did work for me.

2 Likes