Closed mwanchap closed 5 years ago
Hi @mwanchap, Microsoft.IdentityModel.Protocol.Extensions package depends on IdentityModel 4.x that is no longer supported.
I'm guessing that you are using OWIN/Katana 3.x (Microsoft.Owin.Security.OpenIdConnect). If so, the issue might be that cookies set by OWIN are overwritten.
Please refer to the following links for more information: https://github.com/aspnet/Security/issues/390 https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues#workarounds
Thanks @GeoK for clarifying. I've already been to those links during earlier research (this one was helpful too) and implemented all the suggested fixes, unfortunately we still get the same issue occurring. I had resorted to digging around in package source code hoping to find a clue but that didn't get me very far, as you can probably tell.
If it helps clarify, here are the solutions mentioned elsewhere that we've implemented:
Any alternatives, ideas, suggestions or even vague hints would be very appreciated :)
I'm sorry to see that you spent a lot of time trying to resolve this issue.
I'd try one of the workarounds that Chris Ross, who maintains OWIN/Katana, has proposed. An alternative would be to migrate to ASP.NET Core.
Okay, thanks for your help
Capturing a Fiddler trace is one of the better ways to diagnose this. Feel free to share the trace with me if you want a second opinion. Make sure to use the SSL decryption option in Fiddler.
@mwanchap closing for now. Please reopen if you need additional help.
Thanks Brent. In the end, the only solution that worked was to simply set RequireNonce=false, to prevent it from being checked at all. I hate disabling security features but unfortunately we weren't left with any other options.
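For readers comparing the two outcomes of this thread, here is an added OWIN/Katana 3.x startup fragment (example code, not from the thread or the Katana project) that shows the cookie-manager workaround from the linked wiki page beside the RequireNonce=false fallback; the client id, authority and redirect URI are placeholders.

```csharp
using Microsoft.IdentityModel.Protocols;       // OpenIdConnectProtocolValidator (IdentityModel 4.x)
using Microsoft.Owin.Host.SystemWeb;           // SystemWebCookieManager
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The OpenID Connect middleware signs in through the default cookie middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",                       // placeholder
            Authority = "https://login.example.test/",      // placeholder authority
            RedirectUri = "https://app.example.test/",      // placeholder

            // Workaround from the Katana wiki linked earlier in the thread: route
            // response cookies through System.Web so the nonce cookie written by OWIN
            // is not lost when System.Web rewrites the cookie collection later in the
            // request. Nonce validation stays enabled, so IDX10311 should not fire for
            // this reason if the cookie really was the cause.
            CookieManager = new SystemWebCookieManager(),

            // What the thread's author fell back to. With RequireNonce = false the
            // validator accepts an id_token that carries no nonce, which removes the
            // replay protection the nonce exists to provide. Leave this commented out
            // unless the cookie fix has been verified not to apply.
            // ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = false },
        });
    }
}
```

A Fiddler trace with HTTPS decryption, as suggested above, shows whether the OpenIdConnect.nonce cookie leaves the server on the redirect and comes back on the callback; if it does not, the cookie manager is the place to look before touching RequireNonce.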
We have a project that uses the Microsoft.IdentityModel.Protocol.Extensions NuGet package (it's a dependency of another package) and are running into some tricky issues with it, so I'm trying to investigate what could be causing the problem (it's the IDX10311 "validationContext.Nonce is null" exception) by tracking down the source code used to build the package.
Firstly, I'm assuming this is the correct repo for that NuGet package. If I should be looking elsewhere, please let me know and disregard the rest of this issue.
I'm looking at the disassembled source in ILSpy, for OpenIdConnectProtocolValidator.ValidateNonce, and I've opened the assembly Microsoft.IdentityModel.Protocol.Extensions.dll (version 1.0.4.403061554, the latest version of the package), and the signature for the method throwing the exception is:
protected virtual void ValidateNonce(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext)
However, the last commit in this repo containing that method signature is this one, at which point it was changed, way back in 2015. The NuGet package says it was last updated in 2017, so I'm a bit confused - there were a lot of bugfixes and alterations to the code between 2015 and 2017, but it doesn't look like they've been included in the package.
Why does the NuGet package seem to match a version of the code from way back in 2015, rather than including new code and bugfixes etc. since then?