Web site respons with IDX21323: RequireNonce is 'True' on high load

kycket · April 24, 2023, 5:45am

I’m having an issue with an old web application developed in # MVC .NET Framework 4.8
Using nugets to implement Okta sign in.
Okta.AspNet
Okta.AspNet.Abstractions
Configured according Okta sample samples-aspnet/Startup.cs at master · okta/samples-aspnet · GitHub

The issue I’m having is that it works just fine with a few user < 10 but when we are running test with multiple users > 50 the web application stats to respond with IDX21323: RequireNonce is ‘True’. OpenIdConnectProtocolValidationContext.Nonce was null and no user can sign in until Application pool is restared.

I have read and implemented Okta Help Center (Lightning) but without any luck.

Any ideas why it stops working on high load?

erik · April 24, 2023, 11:23pm

Hello,

When .NET does an /authorize it sets a nonce cookie for the client and on redirect back to .NET from the IdP (Okta), .NET will retrieve this cookie.
This is part of the .NET/Owin middleware and not controlled by the Okta SDK.

Sounds like it could potentially be a IIS setting, or perhaps a way you are load testing if this is scripted and .NET is setting the nonce cookie but that is not being returned on redirect back.

I suggest looking at the network requests from a test run and verify if the nonce cookie is being set in the browser/http client when redirected to Okta from .NET for the /authorize call.

Thank You,