AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

Breaking changes introduced from Microsoft.IdentityModel.JsonWebTokens 7.3.1 to 7.4.0 #2514

Closed chris-briddock closed 6 months ago

chris-briddock commented 6 months ago

I am using version 7.3.1 in production and dependabot has upgraded from 7.3.1 to 7.4.0, but there are breaking changes.

Please could you take a look at this: https://github.com/chris-briddock/ChristopherBriddock.Identity/pull/62 https://dev.azure.com/chris1997/ChristopherBriddock.Identity/_build/results?buildId=798&view=logs&j=7e6a3fb7-dbfe-5169-4db8-92b72295ba6c&t=45683e7c-5c24-5fa1-4844-9f376a3fcc8a&l=702

Expected behavior All tests pass.

Actual behavior Tests that require this library fail.

christophwille commented 6 months ago

I don't know if this is the same thing, but we also see a breaking change from 7.3.1 to 7.4.0:

System.InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
   at Microsoft.AspNetCore.Http.HttpResults.ChallengeHttpResult.ExecuteAsync(HttpContext httpContext)
   at Microsoft.AspNetCore.Http.RequestDelegateFactory.ExecuteResultWriteResponse(IResult result, HttpContext httpContext)

This code works fine with 7.3.1, fails on 7.4.0 with the above message:

            app.MapGet("/login", () =>
            {
                // Frontend URL to go to after the callback has finished
                return Results.Challenge(new AuthenticationProperties { RedirectUri = "/authdone" });
            })
            .WithName("login")
            .WithOpenApi();

yborektsioglou commented 6 months ago

We also see breaking change when updating from 7.3.1 to 7.4.0

     "exception": {
         "Type": "Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException",
         "TargetSite": "Microsoft.IdentityModel.JsonWebTokens.JsonWebToken ValidateSignature(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken, Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration)",
         "Message": "IDX10500: Signature validation failed. No security keys were provided to validate the signature.",
         "Data": {},
         "Source": "Microsoft.IdentityModel.JsonWebTokens",
         "HResult": -2146233088,
         "StackTrace": "   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)\n   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)\n   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)"
     }

rlf commented 6 months ago

It seems the OpenIdConnectConfigurationSerializer broke, possibly a "double token read" or something. The first item is read correctly, just the 2nd one that fails.

The following test works on 7.3.1, but fails on 7.4.0.

    [Test]
    public void OpenIdConnectConfiguration_FromJson_Should_Work()
    {
        var json = @"{""issuer"": ""http://localhost"",""jwks_uri"": ""http://localhost""}";
        var config = OpenIdConnectConfiguration.Create(json);
        config.JwksUri.Should().Be("http://localhost");
    }

rmmason commented 6 months ago

We have the same issue. Specifically we are seeing the "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." exception after the upgrade.

Is there a workaround?

brentschmaltz commented 6 months ago

@chris-briddock @rmmason @rlf @yborektsioglou looking into it.

@rlf thanks for the repo.

brentschmaltz commented 6 months ago

@rlf i added the test to this branch and it passed on windows VM.

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/b9fb18379a62dfcc673a52414a6d0a7ba1f6aab2/test/Microsoft.IdentityModel.Protocols.OpenIdConnect.Tests/OpenIdConnectSerializationTests.cs#L17

brentschmaltz commented 6 months ago

@yborektsioglou it looks like we are not obtaining the security keys. Can you share the discovery endpoint you are hitting?

brentschmaltz commented 6 months ago

@rmmason @christophwille this error doesn't seem related to security keys, but redirecting to the OIDC authorization endpoint. There were some changes to OpenIdConnectMessage that may be the culprit.

I will look there.

brentschmaltz commented 6 months ago

@rmmason do you have a stack trace?

brentschmaltz commented 6 months ago

@christophwille can you provide us with a little bit of additional source code so i can run the repo? Thanks.

christophwille commented 6 months ago

> @christophwille can you provide us with a little bit of additional source code so i can run the repo? Thanks.

That is about as much as I can show... underlying (hidden by another level) is actually Salesforce authN which has a specific issue in that the defaults for Scope and ResponseType need to be set as shown below:

            services.AddAuthentication(opt =>
            {
                opt.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                opt.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
            {
                options.SlidingExpiration = true;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            })
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, opt =>
            {
                opt.Authority = "our-authority";
                opt.ClientId = "our-clientid";
                opt.ResponseType = OpenIdConnectResponseType.Code; // IdToken not supported in our case

                opt.Scope.Clear(); // ctor adds 'profile' too, but that is not supported by our case
                opt.Scope.Add("openid");
                opt.CallbackPath = "/api/login/callback";
            });

rmmason commented 6 months ago

Hi @brentschmaltz,

Thanks for looking in to this for us.

Stack trace is as follows:

   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.d19.MoveNext()
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.d18.MoveNext()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.<ChallengeAsync>d__60.MoveNext() in Microsoft.AspNetCore.Authentication\AuthenticationHandler.cs:line 187
   at Microsoft.AspNetCore.Authentication.AuthenticationService.<ChallengeAsync>d__15.MoveNext()
   at Microsoft.AspNetCore.Mvc.ChallengeResult.<ExecuteResultAsync>d__14.MoveNext() in Microsoft.AspNetCore.Mvc\ChallengeResult.cs:line 86
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<<InvokeResultAsync>g__Logged|22_0>d.MoveNext() in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 567
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<<InvokeNextResultFilterAsync>g__Awaited|30_0>d2.MoveNext() in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1292
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResultExecutedContextSealed context) in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1362
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.ResultNext[TFilter,TFilterAsync](State& next, Scope& scope, Object& state, Boolean& isCompleted) in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1254
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeResultFilters() in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1104

This is actually something one of my colleagues is working on. I'm a bit tied up at the moment but I'll attempt to recreate a repro project as soon as I get a moment.

yborektsioglou commented 6 months ago

> @yborektsioglou it looks like we are not obtaining the security keys. Can you share the discovery endpoint you are hitting?

Hi @brentschmaltz,

Thanks for looking into this. We're hitting the token endpoint. I'm a bit tied up with other stuff at the moment but I'll see if I can provide more info.

AndersAbel commented 6 months ago

I've tested this with Duende IdentityServer. I can confirm that upgrading a simple MVC code flow client to use Wilson 7.4.0 breaks OpenID Connect login.

InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.
System.Net.Http.HttpClient.PrepareRequestMessage(HttpRequestMessage request)

AuthenticationFailureException: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()

InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.
System.Net.Http.HttpClient.PrepareRequestMessage(HttpRequestMessage request)
System.Net.Http.HttpClient.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

AuthenticationFailureException: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

I used a debugger to check the values and it passes null for the token endpoint address. This indicates that the discovery document was not properly read.

Repro is available at https://github.com/DuendeSoftware/IdentityServer/tree/anders/wilson-7.4.0. Run hosts\main project and then run clients\MvcCode at the same time. Try clicking "Secure" in the client app and login (alice/alice) to make it fail.

dahovey commented 6 months ago

I encountered this upgrading to ASP.NET Core 8. Disappointing bug. It appears the cause is the OpenIdConnectConfigurationSerializer here is too eagerly advancing to the next JSON token after reading a value in the document body. So for example with document:

{
  "issuer": "https://localhost",
  "authorization_endpoint": "https://localhost/connect/authorize",
  ...
}

After the issuer value is read, the current token is the "authorization_endpoint" property when it shouldn't be. The while loop advances to the next token which becomes the authorization endpoint value, not the property name.

Please add more thorough tests!...Lost a full day tracking down NuGet upgrade path and root cause.

brentschmaltz commented 6 months ago

@dahovey we need to advance to the next token, which should be a propertyname. On the testing front, we added tests for Google, AADv1 and V2 as well as numerous tests for json objects in the middle.

see: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/3f504620646bff24e22a41ee636baecb47b6937b/test/Microsoft.IdentityModel.Protocols.OpenIdConnect.Tests/OpenIdConnectSerializationTests.cs#L46

brentschmaltz commented 6 months ago

@AndersAbel long time, thanks for the repo.

brentschmaltz commented 6 months ago

@dahovey can you tell us the version of all IdentityModel assemblies you are using?

dahovey commented 6 months ago

@brentschmaltz Actually 7.3.1 was resolved within the running container. My IDE was showing 7.4.0 which caused me some confusion. I was not explicitly referencing Microsoft.IdentityModel.Protocols.OpenIdConnect but it was referenced by OpenIddict, Microsoft.Graph and Microsoft.AspNetCore.Authentication.OpenIdConnect.

I added an explicit reference to version 7.4.0 and the problem went away. If it helps anyone else, adding below may help:

<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.4.0" />

dahovey commented 6 months ago

@brentschmaltz Thanks for your assistance

mynkow commented 6 months ago

you need to unlist v7.4.0. It causes a lot of issues. Then bump the major version and publish again.

gmrozikmedius commented 6 months ago

We also see a problem with "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." after upgrading to 7.4.0 from 7.3.1

jennyf19 commented 6 months ago

> I've tested this with Duende IdentityServer. I can confirm that upgrading a simple MVC code flow client to use Wilson 7.4.0 breaks OpenID Connect login.
>
> InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.
> System.Net.Http.HttpClient.PrepareRequestMessage(HttpRequestMessage request)
>
> AuthenticationFailureException: An error was encountered while handling the remote login.
> Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
>
> InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.
> System.Net.Http.HttpClient.PrepareRequestMessage(HttpRequestMessage request)
> System.Net.Http.HttpClient.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
> Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
> Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
>
> AuthenticationFailureException: An error was encountered while handling the remote login.
> Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
> Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
> Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
>
> I used a debugger to check the values and it passes null for the token endpoint address. This indicates that the discovery document was not properly read.
>
> Repro is available at https://github.com/DuendeSoftware/IdentityServer/tree/anders/wilson-7.4.0. Run hosts\main project and then run clients\MvcCode at the same time. Try clicking "Secure" in the client app and login (alice/alice) to make it fail.

@AndersAbel

Can you share the transitive dependencies? You would need to run this command;

dotnet restore [yourproject].csproj
dotnet list [yourproject].csproj package --include-transitive

kevinchalet commented 6 months ago

It's indeed a packages mismatch issue: https://github.com/openiddict/openiddict-core/issues/2033#issuecomment-1992427787.

The issue was introduced by https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/051d164e3c025a0d7276f1d6acf38c902a4893fc: you changed the internal implementation of a static helper in Microsoft.IdentityModel.Tokens and updated OpenIdConnectConfigurationSerializer in Microsoft.IdentityModel.Protocols.OpenIdConnect to use the new logic.

The thing is, if users only update Microsoft.IdentityModel.Tokens to 7.4.0 (or any package that depends on it, like Microsoft.IdentityModel.JsonWebTokens for instance) without updating Microsoft.IdentityModel.Protocols.OpenIdConnect too, OpenIdConnectConfigurationSerializer will use the new version of the serializer and will be unable to deserialize the configuration properly.

It's not the first time we're seeing bugs caused by changes in your internal helpers and it's getting a bit ridiculous at this point. You should really consider embedding your helpers in each assembly to avoid such issues, as I had suggested last time: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2059#issuecomment-1563168001
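The failure mode dahovey describes (the serializer lands on a value token where it expects a property name, so the first property is read and the second is lost) and the cause kevinchalet identifies (a shared helper in Microsoft.IdentityModel.Tokens whose behaviour changed, consumed by an older Microsoft.IdentityModel.Protocols.OpenIdConnect that was written against the previous behaviour) are two views of one bug: a caller and a helper that disagree about where the reader is left after a value is consumed. The following is an added illustration in Python, not code from the IdentityModel repository or from anyone in this thread. The token reader, the two helper "contracts" and the two serializer loops are hypothetical stand-ins; the document is the one from rlf's test above.

```python
"""Illustration (Python; not IdentityModel library code) of how a changed
post-condition in a shared token-reading helper makes a hand-rolled JSON walk
silently drop properties when caller and helper come from different versions."""
import json

# Constructed discovery document, modelled on the one in rlf's failing test.
DISCOVERY_JSON = '{"issuer": "http://localhost", "jwks_uri": "http://localhost"}'


def tokenize(text):
    """Flatten a JSON object of string values into (kind, text) tokens, in the
    order a forward-only reader such as Utf8JsonReader would surface them."""
    obj = json.loads(text)
    tokens = [("StartObject", None)]
    for name, value in obj.items():
        if not isinstance(value, str):
            raise ValueError("illustration supports string values only")
        tokens.append(("PropertyName", name))
        tokens.append(("String", value))
    tokens.append(("EndObject", None))
    return tokens


class TokenReader:
    """Forward-only cursor over tokens; read() returns False at end of input."""

    def __init__(self, tokens):
        self._tokens = tokens
        self._pos = -1

    def read(self):
        if self._pos + 1 >= len(self._tokens):
            return False
        self._pos += 1
        return True

    @property
    def token(self):
        return self._tokens[self._pos]


# Hypothetical helper, contract A: called with the reader on a PropertyName,
# returns the string value and leaves the reader positioned ON the value token.
def read_string_contract_a(reader):
    reader.read()
    kind, value = reader.token
    if kind != "String":
        raise ValueError(f"expected String, got {kind}")
    return value


# Hypothetical helper, contract B: same input, but it also advances the reader
# PAST the value, onto the next PropertyName or the EndObject.
def read_string_contract_b(reader):
    value = read_string_contract_a(reader)
    reader.read()
    return value


# Serializer loop written against contract A: it calls read() itself on every
# iteration and expects to land on a PropertyName each time.
def deserialize_expecting_a(reader, read_string):
    config = {}
    reader.read()  # StartObject
    while reader.read():
        kind, text = reader.token
        if kind == "EndObject":
            break
        if kind == "PropertyName":
            config[text] = read_string(reader)
        # Any other token is skipped. Paired with contract B, the token skipped
        # here is the value of the property just consumed, and the loop's own
        # read() has already jumped over the following property name: that
        # property is lost without any error.
    return config


# Serializer loop written against contract B: the helper moves the cursor, so
# the loop inspects the current token and never reads on its own. It fails
# loudly if the helper did not advance as promised.
def deserialize_expecting_b(reader, read_string):
    config = {}
    reader.read()  # StartObject
    reader.read()  # first PropertyName, or EndObject for "{}"
    while reader.token[0] != "EndObject":
        kind, text = reader.token
        if kind != "PropertyName":
            raise ValueError(f"expected PropertyName, got {kind}")
        config[text] = read_string(reader)
    return config


def parse(deserialize, read_string, text=DISCOVERY_JSON):
    """Run one (loop, helper) pairing over a document and return the result."""
    return deserialize(TokenReader(tokenize(text)), read_string)
```

Matched pairs (loop A with helper A, loop B with helper B) return both properties. Loop A fed helper B returns only `issuer`, and on a three-property document returns the first and third, which is the "first item is read correctly, just the 2nd one fails" pattern reported above. A loop that asserts its position, as `deserialize_expecting_b` does, turns the same mismatch into an exception at deserialization time rather than a configuration with null endpoints that only surfaces later as "Cannot redirect to the authorization endpoint" or an "invalid request URI" when the code is redeemed.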

m-wild commented 6 months ago

Same issue here

Seems pretty clear the issue is this

   > Microsoft.IdentityModel.Protocols.OpenIdConnect        7.0.0        7.0.0
   > System.IdentityModel.Tokens.Jwt                        7.4.0        7.4.0

Updating Microsoft.IdentityModel.Protocols.OpenIdConnect to 7.4.0 fixes the issue.

Why is the document deserialized manually? surely this can't be any more secure? And bugs like this just highlight why you shouldn't do manual deserialization.

(I've removed all the non-Microsoft, non-System packages from the output...)

Project '<redacted>' has the following package references
   [net7.0]:
   Top-level Package                                        Requested    Resolved
   > Microsoft.AspNetCore.Authentication.Facebook           7.0.11       7.0.11
   > Microsoft.AspNetCore.Authentication.Google             7.0.11       7.0.11
   > Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation      7.0.11       7.0.11
   > Microsoft.Data.SqlClient                               5.1.5        5.1.5
   > Microsoft.EntityFrameworkCore                          7.0.16       7.0.16
   > Microsoft.EntityFrameworkCore.SqlServer                7.0.16       7.0.16
   > Microsoft.Extensions.Caching.SqlServer                 7.0.11       7.0.11
   > Microsoft.Extensions.Hosting.WindowsServices           7.0.1        7.0.1
   > Microsoft.Identity.Web                                 2.13.4       2.13.4
   > Microsoft.IdentityModel.Protocols.OpenIdConnect        7.0.0        7.0.0
   > System.IdentityModel.Tokens.Jwt                        7.4.0        7.4.0

   Transitive Package                                                                   Resolved
   > IdentityModel                                                                      6.1.0
   > Microsoft.AspNetCore.Authentication.JwtBearer                                      7.0.16
   > Microsoft.AspNetCore.Authentication.OpenIdConnect                                  7.0.1
   > Microsoft.AspNetCore.Cryptography.Internal                                         7.0.10
   > Microsoft.AspNetCore.DataProtection                                                7.0.10
   > Microsoft.AspNetCore.DataProtection.Abstractions                                   7.0.10
   > Microsoft.AspNetCore.JsonPatch                                                     7.0.16
   > Microsoft.AspNetCore.Mvc.NewtonsoftJson                                            7.0.16
   > Microsoft.AspNetCore.Mvc.Razor.Extensions                                          6.0.0
   > Microsoft.AspNetCore.Razor.Language                                                6.0.0
   > Microsoft.Bcl.AsyncInterfaces                                                      8.0.0
   > Microsoft.CodeAnalysis.Analyzers                                                   3.3.2
   > Microsoft.CodeAnalysis.Common                                                      4.0.0
   > Microsoft.CodeAnalysis.CSharp                                                      4.0.0
   > Microsoft.CodeAnalysis.Razor                                                       6.0.0
   > Microsoft.CSharp                                                                   4.7.0
   > Microsoft.Data.SqlClient.SNI.runtime                                               5.1.1
   > Microsoft.EntityFrameworkCore.Abstractions                                         7.0.16
   > Microsoft.EntityFrameworkCore.Analyzers                                            7.0.16
   > Microsoft.EntityFrameworkCore.Relational                                           7.0.16
   > Microsoft.Extensions.ApiDescription.Server                                         6.0.5
   > Microsoft.Extensions.Caching.Abstractions                                          8.0.0
   > Microsoft.Extensions.Caching.Memory                                                8.0.0
   > Microsoft.Extensions.Configuration                                                 8.0.0
   > Microsoft.Extensions.Configuration.Abstractions                                    8.0.0
   > Microsoft.Extensions.Configuration.Binder                                          8.0.0
   > Microsoft.Extensions.Configuration.CommandLine                                     7.0.0
   > Microsoft.Extensions.Configuration.EnvironmentVariables                            8.0.0
   > Microsoft.Extensions.Configuration.FileExtensions                                  7.0.0
   > Microsoft.Extensions.Configuration.Json                                            7.0.0
   > Microsoft.Extensions.Configuration.UserSecrets                                     7.0.0
   > Microsoft.Extensions.DependencyInjection                                           8.0.0
   > Microsoft.Extensions.DependencyInjection.Abstractions                              8.0.0
   > Microsoft.Extensions.DependencyModel                                               8.0.0
   > Microsoft.Extensions.Diagnostics.Abstractions                                      8.0.0
   > Microsoft.Extensions.Diagnostics.HealthChecks                                      8.0.0
   > Microsoft.Extensions.Diagnostics.HealthChecks.Abstractions                         8.0.0
   > Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore                  6.0.8
   > Microsoft.Extensions.FileProviders.Abstractions                                    8.0.0
   > Microsoft.Extensions.FileProviders.Physical                                        7.0.0
   > Microsoft.Extensions.FileSystemGlobbing                                            7.0.0
   > Microsoft.Extensions.Hosting                                                       7.0.1
   > Microsoft.Extensions.Hosting.Abstractions                                          8.0.0
   > Microsoft.Extensions.Http                                                          8.0.0
   > Microsoft.Extensions.Logging                                                       8.0.0
   > Microsoft.Extensions.Logging.Abstractions                                          8.0.0
   > Microsoft.Extensions.Logging.Configuration                                         8.0.0
   > Microsoft.Extensions.Logging.Console                                               7.0.0
   > Microsoft.Extensions.Logging.Debug                                                 7.0.0
   > Microsoft.Extensions.Logging.EventLog                                              7.0.0
   > Microsoft.Extensions.Logging.EventSource                                           7.0.0
   > Microsoft.Extensions.Options                                                       8.0.2
   > Microsoft.Extensions.Options.ConfigurationExtensions                               8.0.0
   > Microsoft.Extensions.Primitives                                                    8.0.0
   > Microsoft.Identity.Abstractions                                                    4.1.0
   > Microsoft.Identity.Client                                                          4.56.0
   > Microsoft.Identity.Client.Extensions.Msal                                          4.56.0
   > Microsoft.Identity.Web.Certificate                                                 2.13.4
   > Microsoft.Identity.Web.Certificateless                                             2.13.4
   > Microsoft.Identity.Web.Diagnostics                                                 2.13.4
   > Microsoft.Identity.Web.TokenAcquisition                                            2.13.4
   > Microsoft.Identity.Web.TokenCache                                                  2.13.4
   > Microsoft.IdentityModel.Abstractions                                               7.4.0
   > Microsoft.IdentityModel.JsonWebTokens                                              7.4.0
   > Microsoft.IdentityModel.Logging                                                    7.4.0
   > Microsoft.IdentityModel.LoggingExtensions                                          6.32.3
   > Microsoft.IdentityModel.Protocols                                                  7.0.0
   > Microsoft.IdentityModel.Tokens                                                     7.4.0
   > Microsoft.IdentityModel.Validators                                                 6.32.3
   > Microsoft.NETCore.Platforms                                                        1.1.0
   > Microsoft.NETCore.Targets                                                          1.1.0
   > Microsoft.OpenApi                                                                  1.2.3
   > Microsoft.SqlServer.Server                                                         1.0.0
   > Microsoft.Win32.Primitives                                                         4.3.0
   > Microsoft.Win32.SystemEvents                                                       6.0.0
   > NETStandard.Library                                                                1.6.1
   > runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl           4.3.0
   > runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl          4.3.0
   > runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl          4.3.0
   > runtime.native.System                                                              4.3.0
   > runtime.native.System.IO.Compression                                               4.3.0
   > runtime.native.System.Net.Http                                                     4.3.0
   > runtime.native.System.Security.Cryptography.Apple                                  4.3.0
   > runtime.native.System.Security.Cryptography.OpenSsl                                4.3.0
   > runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl      4.3.0
   > runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl      4.3.0
   > runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple            4.3.0
   > runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl          4.3.0
   > runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl             4.3.0
   > runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl       4.3.0
   > runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl       4.3.0
   > runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl       4.3.0
   > System.AppContext                                                                  4.3.0
   > System.Buffers                                                                     4.3.0
   > System.Collections                                                                 4.3.0
   > System.Collections.Concurrent                                                      4.3.0
   > System.Collections.Immutable                                                       5.0.0
   > System.Configuration.ConfigurationManager                                          6.0.1
   > System.Console                                                                     4.3.0
   > System.Data.Common                                                                 4.3.0
   > System.Data.HashFunction.Core                                                      2.0.0
   > System.Data.HashFunction.Interfaces                                                2.0.0
   > System.Data.HashFunction.xxHash                                                    2.0.0
   > System.Diagnostics.Debug                                                           4.3.0
   > System.Diagnostics.DiagnosticSource                                                8.0.0
   > System.Diagnostics.EventLog                                                        7.0.0
   > System.Diagnostics.Tools                                                           4.3.0
   > System.Diagnostics.Tracing                                                         4.3.0
   > System.Drawing.Common                                                              6.0.0
   > System.Formats.Asn1                                                                7.0.0
   > System.Globalization                                                               4.3.0
   > System.Globalization.Calendars                                                     4.3.0
   > System.Globalization.Extensions                                                    4.3.0
   > System.IO                                                                          4.3.0
   > System.IO.Compression                                                              4.3.0
   > System.IO.Compression.ZipFile                                                      4.3.0
   > System.IO.FileSystem                                                               4.3.0
   > System.IO.FileSystem.AccessControl                                                 5.0.0
   > System.IO.FileSystem.Primitives                                                    4.3.0
   > System.Linq                                                                        4.3.0
   > System.Linq.Expressions                                                            4.3.0
   > System.Memory                                                                      4.5.4
   > System.Memory.Data                                                                 1.0.2
   > System.Net.Http                                                                    4.3.0
   > System.Net.Primitives                                                              4.3.0
   > System.Net.Sockets                                                                 4.3.0
   > System.Numerics.Vectors                                                            4.5.0
   > System.ObjectModel                                                                 4.3.0
   > System.Reflection                                                                  4.3.0
   > System.Reflection.Emit                                                             4.3.0
   > System.Reflection.Emit.ILGeneration                                                4.3.0
   > System.Reflection.Emit.Lightweight                                                 4.3.0
   > System.Reflection.Extensions                                                       4.3.0
   > System.Reflection.Metadata                                                         5.0.0
   > System.Reflection.Primitives                                                       4.3.0
   > System.Resources.ResourceManager                                                   4.3.0
   > System.Runtime                                                                     4.3.0
   > System.Runtime.Caching                                                             6.0.0
   > System.Runtime.CompilerServices.Unsafe                                             6.0.0
   > System.Runtime.Extensions                                                          4.3.0
   > System.Runtime.Handles                                                             4.3.0
   > System.Runtime.InteropServices                                                     4.3.0
   > System.Runtime.InteropServices.RuntimeInformation                                  4.3.0
   > System.Runtime.Numerics                                                            4.3.0
   > System.Security.AccessControl                                                      6.0.0
   > System.Security.Cryptography.Algorithms                                            4.3.0
   > System.Security.Cryptography.Cng                                                   5.0.0
   > System.Security.Cryptography.Csp                                                   4.3.0
   > System.Security.Cryptography.Encoding                                              4.3.0
   > System.Security.Cryptography.OpenSsl                                               4.3.0
   > System.Security.Cryptography.Pkcs                                                  7.0.2
   > System.Security.Cryptography.Primitives                                            4.3.0
   > System.Security.Cryptography.ProtectedData                                         6.0.0
   > System.Security.Cryptography.X509Certificates                                      4.3.0
   > System.Security.Cryptography.Xml                                                   7.0.1
   > System.Security.Permissions                                                        6.0.0
   > System.Security.Principal.Windows                                                  5.0.0
   > System.ServiceProcess.ServiceController                                            7.0.1
   > System.Text.Encoding                                                               4.3.0
   > System.Text.Encoding.CodePages                                                     6.0.0
   > System.Text.Encoding.Extensions                                                    4.3.0
   > System.Text.Encodings.Web                                                          8.0.0
   > System.Text.Json                                                                   8.0.0
   > System.Text.RegularExpressions                                                     4.3.0
   > System.Threading                                                                   4.3.0
   > System.Threading.Channels                                                          4.7.1
   > System.Threading.Tasks                                                             4.3.0
   > System.Threading.Tasks.Extensions                                                  4.5.4
   > System.Threading.Timer                                                             4.3.0
   > System.Windows.Extensions                                                          6.0.0
   > System.Xml.ReaderWriter                                                            4.3.0
   > System.Xml.XDocument                                                               4.3.0
brentschmaltz commented 6 months ago

@AndersAbel thanks for the great repo.

When I ran your app, I saw the error as you said. I then noticed that Microsoft.IdentityModel.Protocols.OpenIdConnect was version 7.0.0 and Microsoft.IdentityModel.Tokens was 7.4.0. I then added the following to MvCode.csproj and everything worked.

Below would pull in 7.4.0 (latest) and also pull Microsoft.IdentityModel.Token 7.4.0, which will cause parsing of OpenIdConfiguration to fail as Microsoft.IdentityModel.Protocols.OpenIdConnect will be at version 7.0.0.

On the host app, I clicked on 'discovery document'; now we have a recent copy of IdentityServer metadata. We will add another unit test alongside Google and AzureAD to ensure against regressions of IdentityServer.

brentschmaltz commented 6 months ago

@m-wild you can see that you have different versions of Microsoft.IdentityModel.Tokens (7.4.0), Microsoft.IdentityModel.Protocols (7.0.0) and Microsoft.IdentityModel.Protocols.OpenidConnect (7.0.0).

The low-level serialization primitives are in M.IM.Tokens. The libraries must be the same version.
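
A check for the version mismatch brentschmaltz describes, as an added example that is not code from this thread or the IdentityModel project; it assumes the `dotnet list package --include-transitive` output format quoted above and feeds it constructed sample output:

```shell
#!/bin/sh
# Added example, not code from this thread or the IdentityModel project: fail
# when the Microsoft.IdentityModel.* packages of a project do not all resolve
# to one version, the mismatch (Tokens 7.4.0 beside Protocols.OpenIdConnect
# 7.0.0) behind the "Cannot redirect to the authorization endpoint" error.

# Reads `dotnet list package --include-transitive` output on stdin.
check_identitymodel_versions() {
  # Package lines look like "   > Name   [Requested]   Resolved"; the resolved
  # version is the last field for top-level and transitive packages alike.
  awk '
    /^ *> Microsoft\.IdentityModel\./ { pkgs[$NF] = pkgs[$NF] " " $2; seen[$NF]++ }
    END {
      n = 0
      for (v in seen) { n++; printf "%s:%s\n", v, pkgs[v] }
      if (n == 0) { print "no Microsoft.IdentityModel.* packages found"; exit 2 }
      if (n > 1)  { print "MISMATCH: " n " distinct Microsoft.IdentityModel.* versions"; exit 1 }
      print "OK: all Microsoft.IdentityModel.* packages at " v
    }'
}

# Constructed sample (not real tool output) mirroring the broken state from this
# thread: the OIDC handler brings Protocols 7.0.0, JsonWebTokens brings Tokens 7.4.0.
sample_mismatched() {
  cat <<'EOF'
Project 'MvCode' has the following package references
   [net8.0]:
   Top-level Package                                   Requested   Resolved
   > Microsoft.AspNetCore.Authentication.OpenIdConnect 8.0.2       8.0.2
   > Microsoft.IdentityModel.JsonWebTokens             7.4.0       7.4.0

   Transitive Package                                  Resolved
   > Microsoft.IdentityModel.Abstractions              7.4.0
   > Microsoft.IdentityModel.Protocols                 7.0.0
   > Microsoft.IdentityModel.Protocols.OpenIdConnect   7.0.0
   > Microsoft.IdentityModel.Tokens                    7.4.0
EOF
}

# Same project after the Protocols packages are pinned to 7.4.0 as well.
sample_consistent() {
  sample_mismatched | sed 's/7\.0\.0/7.4.0/g'
}

# Pass --demo to see the failing case; otherwise source this file and pipe
# `dotnet list package --include-transitive` into check_identitymodel_versions.
if [ "${1:-}" = "--demo" ]; then
  sample_mismatched | check_identitymodel_versions
fi
```

Once the lagging package is identified, pin it explicitly in the project (for example `dotnet add package Microsoft.IdentityModel.Protocols.OpenIdConnect --version 7.4.0`), which is the fix the comments in this thread converge on.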

brentschmaltz commented 6 months ago

@kevinchalet I agree with your comment on https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2059#issuecomment-1563168001

However, last year I was not able to work (health issues) and may have missed your comment. Exactly as expressed, we started work on such a solution, but it was not finished. I have pushed my thoughts on the importance of this issue up that stack, so we will see.

The good news is we are going to add a regression test with IdentityServer's metadata.

m-wild commented 6 months ago

@brentschmaltz yep, understand that is the fix.

It's disappointing that this version coupling isn't expressed by the NuGet package dependencies. This should be a compile failure as the versions are incompatible (as indicated by a major version bump).

jennyf19 commented 6 months ago

Thanks everyone for all your input and help with root causing this. We will look into analyzers to help detect this issue as early as possible.

brentschmaltz commented 6 months ago

@m-wild we are going to fix the references. However, when Microsoft.IdentityModel.JsonWebToken is updated, only M.IM.Tokens will be pulled in. The issue with M.IM.Protocols.OpenIdConnect would still be an issue.

As Jennyf19 mentioned, we are going to get on this.

AndersAbel commented 6 months ago

> It's disappointing that this version coupling isn't expressed by the NuGet package dependencies. This should be a compile failure as the versions are incompatible (as indicated by a major version bump).

I agree with @m-wild. Setting the Nuget package dependency to be an exact match between the IdentityModel packages would be the preferred solution.

kevinchalet commented 6 months ago

> However, last year I was not able to work (health issues) and may have missed your comment. Exactly as expressed, we started work on such a solution, but it was not finished. I have pushed my thoughts on the importance of this issue up that stack, so we will see.

No worries. I hope you're doing well now 😃

> The good news is we are going to add a regression test with IdentityServer's metadata.

More coverage is always good, but in this case, I'm not sure a classical unit test would have caught that since it requires a package versions mismatch that you wouldn't have in a typical tests project.

I really like the Roslyn analyzers approach. Let's hope it will materialize before the next breaking changes made to your internal helpers 😄

YaMoef commented 4 months ago

I ran into this issue when I was upgrading from 7.0.3 to 7.5.1 (yes I know, quite an upgrade in one step) along with other NuGets; after this I started to have "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." issues. After digging, I noticed it breaks when I upgrade from 7.3.1 to 7.4.0, so I came across this issue. But is this an issue on my end due to some configuration that needs to be updated, or is there no fix yet implemented? I used Auth0 as my IDP, which I didn't see in this issue, so maybe this can be the issue? Thanks in advance.

mr-davidc commented 4 months ago

I just ran into this issue as well and wasted time debugging. How frustrating. I'm using Duende Identity Server (like others in here). The fix for me was to install this package: Microsoft.IdentityModel.Protocols.OpenIdConnect (v7.5.1 at the time of writing), and the problem was resolved.

YaMoef commented 4 months ago

For me it did not solve the issue.

YaMoef commented 4 months ago

@mr-davidc I misread your comment, I thought you were referring to Microsoft.IdentityModel.JsonWebTokens, but explicitly installing Microsoft.IdentityModel.JsonWebTokens:7.5.1 and Microsoft.IdentityModel.Protocols.OpenIdConnect:7.5.1 did the trick. Thanks

kieranbenton commented 3 months ago

I've just hit this problem for the second time in a couple of months.

I'm confused (and frustrated):

1) Why this is closed - surely if this is still an active issue in the ecosystem it should be left open, and a clear statement made about how to figure out which of your dependencies is the problem. Then to either upgrade that if possible OR put the workaround in place

2) Some kind of tracking made of which upstream packages are causing the issue? We have upgraded all of our dependencies to the latest non-pre-release versions and we're still hitting the problem. We need to be tracking which of the dependencies are still using the old transitives and put pressure on them to do releases, surely? The workaround shouldn't 'live forever'.

Dr-Madd commented 2 weeks ago

> I've just hit this problem for the second time in a couple of months.
>
> I'm confused (and frustrated):
>
> 1. Why this is closed - surely if this is still an active issue in the ecosystem it should be left open, and a clear statement made about how to figure out which of your dependencies is the problem. Then to either upgrade that if possible OR put the workaround in place
> 2. Some kind of tracking made of which upstream packages are causing the issue? We have upgraded all of our dependencies to the latest non-pre-release versions and we're still hitting the problem. We need to be tracking which of the dependencies are still using the old transitives and put pressure on them to do releases, surely? The workaround shouldn't 'live forever'.

I believe I hit a similar issue, but in version 6. We are running Microsoft.aspnetcore.authentication.JwtBearer 6.0.12, which has a dependency on Microsoft.identitymodel.protocols.openidconnect 6.10.0, and it used to install system.identitymodel.tokens.jwt and Microsoft.identitymodel.jsonwebtokens 6.19, but suddenly, just last week (August 27th), it now installs 6.15, which causes 401 Unauthorized errors. We manually copied and pasted the correct versions from a working site and it worked again.

For us, we are probably going to update Microsoft.aspnetcore.authentication.JwtBearer to 6.0.33 (the most recent for version 6), which installs version 6.35.0 of Microsoft.identitymodel.protocols.openidconnect, system.identitymodel.tokens.jwt and Microsoft.identitymodel.jsonwebtokens, and seems to work on our dev site.

It sounds like a similar versioning issue anyway.