Closed chris-briddock closed 6 months ago
I don't know if this is the same thing, but we also see a breaking change from 7.3.1 to 7.4.0:
System.InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Http.HttpResults.ChallengeHttpResult.ExecuteAsync(HttpContext httpContext)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.ExecuteResultWriteResponse(IResult result, HttpContext httpContext)
This code works fine with 7.3.1, fails on 7.4.0 with the above message:
app.MapGet("/login", () =>
{
// Frontend URL to go to after the callback has finished
return Results.Challenge(new AuthenticationProperties { RedirectUri = "/authdone" });
})
.WithName("login")
.WithOpenApi();
We also see breaking change when updating from 7.3.1 to 7.4.0
"exception": {
"Type": "Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException",
"TargetSite": "Microsoft.IdentityModel.JsonWebTokens.JsonWebToken ValidateSignature(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken, Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration)",
"Message": "IDX10500: Signature validation failed. No security keys were provided to validate the signature.",
"Data": {},
"Source": "Microsoft.IdentityModel.JsonWebTokens",
"HResult": -2146233088,
"StackTrace": " at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)\n at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)\n at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)"
}
It seems the OpenIdConnectConfigurationSerializer broke, possibly a "double token read" or something.
The first item is read correctly, just the 2nd one that fails.
The following test works on 7.3.1, but fails on 7.4.0.
[Test]
public void OpenIdConnectConfiguration_FromJson_Should_Work()
{
var json = @"{""issuer"": ""http://localhost"",""jwks_uri"": ""http://localhost""}";
var config = OpenIdConnectConfiguration.Create(json);
config.JwksUri.Should().Be("http://localhost");
}
We have the same issue. Specifically we are seeing the "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." exception after the upgrade.
Is there a workaround?
@chris-briddock @rmmason @rlf @yborektsioglou looking into it.
@rlf thanks for the repo.
@rlf i added the test to this branch and it passed on windows VM.
@yborektsioglou it looks like we are not obtaining the security keys. Can you share the discovery endpoint you are hitting?
@rmmason @christophwille this error doesn't seem related to security keys, but redirecting to the OIDC authorization endpoint. There were some changes to OpenIdConnectMessage that may be the culprit.
I will look there.
@rmmason do you have a stack trace?
@christophwille can you provide us with a little bit of additional source code so i can run the repo? Thanks.
That is about as much as I can show... underlying (hidden by another level) is actually Salesforce authN which has a specific issue in that the defaults for Scope and ResponseType need to be set as shown below:
services.AddAuthentication(opt =>
{
opt.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.SlidingExpiration = true;
options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, opt =>
{
opt.Authority = "our-authority";
opt.ClientId = "our-clientid";
opt.ResponseType = OpenIdConnectResponseType.Code; // IdToken not supported in our case
opt.Scope.Clear(); // ctor adds 'profile' too, but that is not supported by our case
opt.Scope.Add("openid");
opt.CallbackPath = "/api/login/callback";
});
Hi @brentschmaltz,
Thanks for looking in to this for us.
Stack trace is as follows:
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.1.<ChallengeAsync>d__60.MoveNext() in Microsoft.AspNetCore.Authentication\AuthenticationHandler.cs:line 187
at Microsoft.AspNetCore.Authentication.AuthenticationService.<ChallengeAsync>d__15.MoveNext()
at Microsoft.AspNetCore.Mvc.ChallengeResult.<ExecuteResultAsync>d__14.MoveNext() in Microsoft.AspNetCore.Mvc\ChallengeResult.cs:line 86
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<<InvokeResultAsync>g__Logged|22_0>d.MoveNext() in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 567
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<<InvokeNextResultFilterAsync>g__Awaited|30_0>d`2.MoveNext() in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1292
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResultExecutedContextSealed context) in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1362
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.ResultNext[TFilter,TFilterAsync](State& next, Scope& scope, Object& state, Boolean& isCompleted) in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1254
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeResultFilters() in Microsoft.AspNetCore.Mvc.Infrastructure\ResourceInvoker.cs:line 1104
This is actually something one of my colleagues is working on. I'm a bit tied up at the moment but I'll attempt to recreate a repro project as soon as I get a moment.
> @yborektsioglou it looks like we are not obtaining the security keys. Can you share the discovery endpoint you are hitting?
Hi @brentschmaltz,
Thanks for looking into this. We're hitting the token endpoint. I'm a bit tied up with other stuff at the moment but I see if I can provide more info
I've tested this with Duende IdentityServer. I can confirm that upgrading a simple MVC code flow client to use Wilson 7.4.0 breaks OpenID Connect login.
InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.
System.Net.Http.HttpClient.PrepareRequestMessage(HttpRequestMessage request)
AuthenticationFailureException: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.
System.Net.Http.HttpClient.PrepareRequestMessage(HttpRequestMessage request)
System.Net.Http.HttpClient.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
AuthenticationFailureException: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
I used a debugger to check the values and it passes null for the token endpoint address. This indicates that the discovery document was not properly read.
Repro is available at https://github.com/DuendeSoftware/IdentityServer/tree/anders/wilson-7.4.0. Run hosts\main project and then run clients\MvcCode on the same time. Try clicking "Secure" in the client app and login (alice/alice) to make it fail.
I encountered this upgrading to ASP.NET Core 8. Disappointing bug. It appears the cause is the OpenIdConnectConfigurationSerializer here is too eagerly advancing to the next JSON token after reading a value in the document body. So for example with document:
{
"issuer": "https://localhost",
"authorization_endpoint": "https://localhost/connect/authorize",
...
}
After the issuer value is read, the current token is the "authorization_endpoint" property when it shouldn't be. The while loop advances to the next token which becomes the authorization endpoint value, not the property name.
Please add more thorough tests!...Lost a full day tracking down NuGet upgrade path and root cause.
@dahovey we need to advance to the next token, which should be a propertyname. On the testing front, we added tests for Google, AADv1 and V2 as well as numerous tests for json objects in the middle.
@AndersAbel long time, thanks for the repo.
@dahovey can you tell us the version of all IdentityModel assemblies you are using?
@brentschmaltz Actually 7.3.1 was resolved within the running container. My IDE was showing 7.4.0, which caused me some confusion. I was not explicitly referencing Microsoft.IdentityModel.Protocols.OpenIdConnect, but it was referenced by OpenIdDict, Microsoft.Graph and Microsoft.AspNetCore.Authentication.OpenIdConnect. I added an explicit reference to version 7.4.0 and the problem went away. If it helps anyone else, adding below may help:
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.4.0" />
@brentschmaltz Thanks for your assistance
you need to unlist v7.4.0. It causes a lot of issues. Then bump the major version and publish again.
We also see a problem with "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." after upgrading to 7.4.0 from 7.3.1
@AndersAbel
Can you share the transitive dependencies? You would need to run this command;
dotnet restore [yourproject].csproj
dotnet list [yourproject].csproj package --include-transitive
It's indeed a packages mismatch issue: https://github.com/openiddict/openiddict-core/issues/2033#issuecomment-1992427787.
The issue was introduced by https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/051d164e3c025a0d7276f1d6acf38c902a4893fc: you changed the internal implementation of a static helper in Microsoft.IdentityModel.Tokens and updated OpenIdConnectConfigurationSerializer in Microsoft.IdentityModel.Protocols.OpenIdConnect to use the new logic.
The thing is, if users only update Microsoft.IdentityModel.Tokens to 7.4.0 (or any package that depends on it, like Microsoft.IdentityModel.JsonWebTokens for instance) without updating Microsoft.IdentityModel.Protocols.OpenIdConnect too, OpenIdConnectConfigurationSerializer will use the new version of the serializer and will be unable to deserialize the configuration properly.
It's not the first time we're seeing bugs caused by changes in your internal helpers and it's getting a bit ridiculous at this point. You should really consider embedding your helpers in each assembly to avoid such issues, as I had suggested last time: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2059#issuecomment-1563168001
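To make the mechanism described in this thread concrete, the following is an added, constructed model; it is not IdentityModel source and the helper and loop names are hypothetical. It stands in for the situation dahovey observed (after the issuer value is read, the reader already sits on the next property name, and the loop's own advance then lands on a value) and for the version split kevinchalet describes: a reader helper whose contract changed from "leave the reader on the value" to "read the value and advance", paired with a serializer loop still written for the old contract. The two-field document mirrors rlf's test; the four-field document is a constructed discovery-document shape. Which helper changed and the exact loop shape in the library are assumptions.

```python
"""Constructed model of a forward-only JSON token reader whose helper contract
changed between two package versions. Not IdentityModel code; names are
hypothetical stand-ins for the helper in Microsoft.IdentityModel.Tokens and
the serializer loop in Microsoft.IdentityModel.Protocols.OpenIdConnect."""
import json


class TokenReader:
    """Forward-only token stream over a flat JSON object with string values."""

    def __init__(self, text):
        obj = json.loads(text)
        self.tokens = [("StartObject", None)]
        for name, value in obj.items():
            self.tokens.append(("PropertyName", name))
            self.tokens.append(("String", str(value)))
        self.tokens.append(("EndObject", None))
        self.pos = -1  # before the first token, like a reader before Read()

    def read(self):
        """Advance one token; returns False (and stays put) at end of input."""
        if self.pos + 1 >= len(self.tokens):
            return False
        self.pos += 1
        return True

    @property
    def kind(self):
        return self.tokens[self.pos][0]

    @property
    def value(self):
        return self.tokens[self.pos][1]


def read_string_stays(reader):
    """Old helper contract (assumed): return the string, leave the reader ON the value."""
    assert reader.kind == "String"
    return reader.value


def read_string_advances(reader):
    """New helper contract (assumed): return the string AND step to the next token."""
    assert reader.kind == "String"
    value = reader.value
    reader.read()
    return value


ENDPOINTS = ("issuer", "jwks_uri", "authorization_endpoint", "token_endpoint")


def deserialize_config(text, read_string, caller_advances):
    """Serializer loop. caller_advances=True is a loop written for the old
    helper: it steps to the next property name itself after every value."""
    reader = TokenReader(text)
    reader.read()  # StartObject
    reader.read()  # first PropertyName
    config = dict.fromkeys(ENDPOINTS)
    while reader.kind == "PropertyName":
        name = reader.value
        reader.read()  # onto the value token
        value = read_string(reader)
        if name in config:
            config[name] = value
        if caller_advances:
            reader.read()  # with the advancing helper this skips a token
    return config


def missing_endpoints(config):
    """Keys still None after parsing. A None authorization_endpoint is what
    surfaces as 'Cannot redirect to the authorization endpoint'."""
    return [k for k in ENDPOINTS if config[k] is None]


# Constructed sample shaped like a discovery document; not a real issuer.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://localhost",
    "authorization_endpoint": "https://localhost/connect/authorize",
    "token_endpoint": "https://localhost/connect/token",
    "jwks_uri": "https://localhost/.well-known/jwks",
})

if __name__ == "__main__":
    for label, helper, advances in [
        ("matched: old helper + old loop", read_string_stays, True),
        ("mismatched: new helper + old loop", read_string_advances, True),
        ("matched: new helper + new loop", read_string_advances, False),
    ]:
        cfg = deserialize_config(DISCOVERY_DOC, helper, advances)
        print(f"{label}: missing={missing_endpoints(cfg)}")
```

Only the first property survives in the mismatched pairing: the helper leaves the reader on the next property name, the loop's own read moves onto that property's value, and the `while` condition fails, so every later endpoint stays null. Either matched pairing parses the whole document, which is why pinning all packages to one version fixes it.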
Same issue here
Seems pretty clear the issue is this
> Microsoft.IdentityModel.Protocols.OpenIdConnect 7.0.0 7.0.0
> System.IdentityModel.Tokens.Jwt 7.4.0 7.4.0
Updating Microsoft.IdentityModel.Protocols.OpenIdConnect to 7.4.0 fixes the issue.
Why is the document deserialized manually? surely this can't be any more secure? And bugs like this just highlight why you shouldn't do manual deserialization.
(I've removed all the non-Microsoft, non-System packages from the output...)
Project '<redacted>' has the following package references
[net7.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.Authentication.Facebook 7.0.11 7.0.11
> Microsoft.AspNetCore.Authentication.Google 7.0.11 7.0.11
> Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation 7.0.11 7.0.11
> Microsoft.Data.SqlClient 5.1.5 5.1.5
> Microsoft.EntityFrameworkCore 7.0.16 7.0.16
> Microsoft.EntityFrameworkCore.SqlServer 7.0.16 7.0.16
> Microsoft.Extensions.Caching.SqlServer 7.0.11 7.0.11
> Microsoft.Extensions.Hosting.WindowsServices 7.0.1 7.0.1
> Microsoft.Identity.Web 2.13.4 2.13.4
> Microsoft.IdentityModel.Protocols.OpenIdConnect 7.0.0 7.0.0
> System.IdentityModel.Tokens.Jwt 7.4.0 7.4.0
Transitive Package Resolved
> IdentityModel 6.1.0
> Microsoft.AspNetCore.Authentication.JwtBearer 7.0.16
> Microsoft.AspNetCore.Authentication.OpenIdConnect 7.0.1
> Microsoft.AspNetCore.Cryptography.Internal 7.0.10
> Microsoft.AspNetCore.DataProtection 7.0.10
> Microsoft.AspNetCore.DataProtection.Abstractions 7.0.10
> Microsoft.AspNetCore.JsonPatch 7.0.16
> Microsoft.AspNetCore.Mvc.NewtonsoftJson 7.0.16
> Microsoft.AspNetCore.Mvc.Razor.Extensions 6.0.0
> Microsoft.AspNetCore.Razor.Language 6.0.0
> Microsoft.Bcl.AsyncInterfaces 8.0.0
> Microsoft.CodeAnalysis.Analyzers 3.3.2
> Microsoft.CodeAnalysis.Common 4.0.0
> Microsoft.CodeAnalysis.CSharp 4.0.0
> Microsoft.CodeAnalysis.Razor 6.0.0
> Microsoft.CSharp 4.7.0
> Microsoft.Data.SqlClient.SNI.runtime 5.1.1
> Microsoft.EntityFrameworkCore.Abstractions 7.0.16
> Microsoft.EntityFrameworkCore.Analyzers 7.0.16
> Microsoft.EntityFrameworkCore.Relational 7.0.16
> Microsoft.Extensions.ApiDescription.Server 6.0.5
> Microsoft.Extensions.Caching.Abstractions 8.0.0
> Microsoft.Extensions.Caching.Memory 8.0.0
> Microsoft.Extensions.Configuration 8.0.0
> Microsoft.Extensions.Configuration.Abstractions 8.0.0
> Microsoft.Extensions.Configuration.Binder 8.0.0
> Microsoft.Extensions.Configuration.CommandLine 7.0.0
> Microsoft.Extensions.Configuration.EnvironmentVariables 8.0.0
> Microsoft.Extensions.Configuration.FileExtensions 7.0.0
> Microsoft.Extensions.Configuration.Json 7.0.0
> Microsoft.Extensions.Configuration.UserSecrets 7.0.0
> Microsoft.Extensions.DependencyInjection 8.0.0
> Microsoft.Extensions.DependencyInjection.Abstractions 8.0.0
> Microsoft.Extensions.DependencyModel 8.0.0
> Microsoft.Extensions.Diagnostics.Abstractions 8.0.0
> Microsoft.Extensions.Diagnostics.HealthChecks 8.0.0
> Microsoft.Extensions.Diagnostics.HealthChecks.Abstractions 8.0.0
> Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore 6.0.8
> Microsoft.Extensions.FileProviders.Abstractions 8.0.0
> Microsoft.Extensions.FileProviders.Physical 7.0.0
> Microsoft.Extensions.FileSystemGlobbing 7.0.0
> Microsoft.Extensions.Hosting 7.0.1
> Microsoft.Extensions.Hosting.Abstractions 8.0.0
> Microsoft.Extensions.Http 8.0.0
> Microsoft.Extensions.Logging 8.0.0
> Microsoft.Extensions.Logging.Abstractions 8.0.0
> Microsoft.Extensions.Logging.Configuration 8.0.0
> Microsoft.Extensions.Logging.Console 7.0.0
> Microsoft.Extensions.Logging.Debug 7.0.0
> Microsoft.Extensions.Logging.EventLog 7.0.0
> Microsoft.Extensions.Logging.EventSource 7.0.0
> Microsoft.Extensions.Options 8.0.2
> Microsoft.Extensions.Options.ConfigurationExtensions 8.0.0
> Microsoft.Extensions.Primitives 8.0.0
> Microsoft.Identity.Abstractions 4.1.0
> Microsoft.Identity.Client 4.56.0
> Microsoft.Identity.Client.Extensions.Msal 4.56.0
> Microsoft.Identity.Web.Certificate 2.13.4
> Microsoft.Identity.Web.Certificateless 2.13.4
> Microsoft.Identity.Web.Diagnostics 2.13.4
> Microsoft.Identity.Web.TokenAcquisition 2.13.4
> Microsoft.Identity.Web.TokenCache 2.13.4
> Microsoft.IdentityModel.Abstractions 7.4.0
> Microsoft.IdentityModel.JsonWebTokens 7.4.0
> Microsoft.IdentityModel.Logging 7.4.0
> Microsoft.IdentityModel.LoggingExtensions 6.32.3
> Microsoft.IdentityModel.Protocols 7.0.0
> Microsoft.IdentityModel.Tokens 7.4.0
> Microsoft.IdentityModel.Validators 6.32.3
> Microsoft.NETCore.Platforms 1.1.0
> Microsoft.NETCore.Targets 1.1.0
> Microsoft.OpenApi 1.2.3
> Microsoft.SqlServer.Server 1.0.0
> Microsoft.Win32.Primitives 4.3.0
> Microsoft.Win32.SystemEvents 6.0.0
> NETStandard.Library 1.6.1
> runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.native.System 4.3.0
> runtime.native.System.IO.Compression 4.3.0
> runtime.native.System.Net.Http 4.3.0
> runtime.native.System.Security.Cryptography.Apple 4.3.0
> runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple 4.3.0
> runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0
> System.AppContext 4.3.0
> System.Buffers 4.3.0
> System.Collections 4.3.0
> System.Collections.Concurrent 4.3.0
> System.Collections.Immutable 5.0.0
> System.Configuration.ConfigurationManager 6.0.1
> System.Console 4.3.0
> System.Data.Common 4.3.0
> System.Data.HashFunction.Core 2.0.0
> System.Data.HashFunction.Interfaces 2.0.0
> System.Data.HashFunction.xxHash 2.0.0
> System.Diagnostics.Debug 4.3.0
> System.Diagnostics.DiagnosticSource 8.0.0
> System.Diagnostics.EventLog 7.0.0
> System.Diagnostics.Tools 4.3.0
> System.Diagnostics.Tracing 4.3.0
> System.Drawing.Common 6.0.0
> System.Formats.Asn1 7.0.0
> System.Globalization 4.3.0
> System.Globalization.Calendars 4.3.0
> System.Globalization.Extensions 4.3.0
> System.IO 4.3.0
> System.IO.Compression 4.3.0
> System.IO.Compression.ZipFile 4.3.0
> System.IO.FileSystem 4.3.0
> System.IO.FileSystem.AccessControl 5.0.0
> System.IO.FileSystem.Primitives 4.3.0
> System.Linq 4.3.0
> System.Linq.Expressions 4.3.0
> System.Memory 4.5.4
> System.Memory.Data 1.0.2
> System.Net.Http 4.3.0
> System.Net.Primitives 4.3.0
> System.Net.Sockets 4.3.0
> System.Numerics.Vectors 4.5.0
> System.ObjectModel 4.3.0
> System.Reflection 4.3.0
> System.Reflection.Emit 4.3.0
> System.Reflection.Emit.ILGeneration 4.3.0
> System.Reflection.Emit.Lightweight 4.3.0
> System.Reflection.Extensions 4.3.0
> System.Reflection.Metadata 5.0.0
> System.Reflection.Primitives 4.3.0
> System.Resources.ResourceManager 4.3.0
> System.Runtime 4.3.0
> System.Runtime.Caching 6.0.0
> System.Runtime.CompilerServices.Unsafe 6.0.0
> System.Runtime.Extensions 4.3.0
> System.Runtime.Handles 4.3.0
> System.Runtime.InteropServices 4.3.0
> System.Runtime.InteropServices.RuntimeInformation 4.3.0
> System.Runtime.Numerics 4.3.0
> System.Security.AccessControl 6.0.0
> System.Security.Cryptography.Algorithms 4.3.0
> System.Security.Cryptography.Cng 5.0.0
> System.Security.Cryptography.Csp 4.3.0
> System.Security.Cryptography.Encoding 4.3.0
> System.Security.Cryptography.OpenSsl 4.3.0
> System.Security.Cryptography.Pkcs 7.0.2
> System.Security.Cryptography.Primitives 4.3.0
> System.Security.Cryptography.ProtectedData 6.0.0
> System.Security.Cryptography.X509Certificates 4.3.0
> System.Security.Cryptography.Xml 7.0.1
> System.Security.Permissions 6.0.0
> System.Security.Principal.Windows 5.0.0
> System.ServiceProcess.ServiceController 7.0.1
> System.Text.Encoding 4.3.0
> System.Text.Encoding.CodePages 6.0.0
> System.Text.Encoding.Extensions 4.3.0
> System.Text.Encodings.Web 8.0.0
> System.Text.Json 8.0.0
> System.Text.RegularExpressions 4.3.0
> System.Threading 4.3.0
> System.Threading.Channels 4.7.1
> System.Threading.Tasks 4.3.0
> System.Threading.Tasks.Extensions 4.5.4
> System.Threading.Timer 4.3.0
> System.Windows.Extensions 6.0.0
> System.Xml.ReaderWriter 4.3.0
> System.Xml.XDocument 4.3.0
@AndersAbel thanks for the great repo.
When i ran your app, i saw the error as you said. I then noticed that Microsoft.IdentityModel.Protocols.OpenIdConnect was version 7.0.0 and Microsoft.IdentityModel.Tokens was 7.4.0. I then added the following to MvCode.csproj and everything worked.
Below would pull in 7.4.0 (latest) and also pull Microsoft.IdentityModel.Tokens 7.4.0, which will cause parsing of OpenIdConfiguration to fail as Microsoft.IdentityModel.Protocols.OpenIdConnect will be at version 7.0.0.
On the host app, I clicked on 'discovery document'; now we have a recent copy of IdentityServer metadata, we will add another unit test alongside Google and AzureAD to ensure against regressions of IdentityServer.
@m-wild you can see that you have different versions of Microsoft.IdentityModel.Tokens (7.4.0), Microsoft.IdentityModel.Protocols (7.0.0) and Microsoft.IdentityModel.Protocols.OpenIdConnect (7.0.0).
The low-level serialization primitives are in M.IM.Tokens. The libraries must be the same version.
@kevinchalet i agree with your comment on https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2059#issuecomment-1563168001
However, last year i was not able to work (health issues) and may have missed your comment. Exactly as expressed, we started work on such a solution, but it was not finished. I have pushed my thoughts of the importance of this issue, up that stack, so we will see.
The good news is we are going to add a regression test with IdentityServers metadata.
@brentschmaltz yep, understand that is the fix.
It's disappointing that this version coupling isn't expressed by the Nuget package dependencies. This should be a compile failure as the versions are incompatible (as indicated by a major version bump).
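As an added check (not from this thread, the library or any of its maintainers) that automates what brentschmaltz read off m-wild's listing: it parses the text of the `dotnet list [yourproject].csproj package --include-transitive` command quoted above, collects every package whose resolved version appears under the Microsoft.IdentityModel.* prefix or System.IdentityModel.Tokens.Jwt, and reports those that lag behind the newest version in that set, together with the explicit PackageReference lines that pin them. The sample listing is a constructed excerpt of the output posted above. It assumes that everything under that prefix must ship as one versioned set, which is what the maintainer states; the two 6.32.3 packages pulled in by Microsoft.Identity.Web are therefore flagged as well.

```python
"""Flag version skew among IdentityModel packages in `dotnet list ... package
--include-transitive` output. Added tooling, not part of any library."""
import re

# Assumption: all packages under this prefix (plus the JWT handler) must match.
FAMILY = re.compile(r"^(Microsoft\.IdentityModel\.[A-Za-z0-9.]+|System\.IdentityModel\.Tokens\.Jwt)$")
# Package rows start with '>'; top-level rows have Requested and Resolved columns,
# transitive rows only Resolved, so the last column is always the resolved version.
ROW = re.compile(r"^\s*>\s+(?P<name>\S+)\s+(?P<cols>.+)$")


def parse_version(text):
    """'7.4.0' -> (7, 4, 0); a prerelease suffix such as '-preview1' is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_packages(listing):
    """Return {package name: resolved version} from the command's text output."""
    packages = {}
    for line in listing.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # headers, blank lines, the 'Project ... has the following' line
        packages[match.group("name")] = match.group("cols").split()[-1]
    return packages


def find_version_skew(packages):
    """Return (newest version in the family, {name: version} of packages below it)."""
    family = {name: ver for name, ver in packages.items() if FAMILY.match(name)}
    if not family:
        return None, {}
    newest = max(family.values(), key=parse_version)
    lagging = {name: ver for name, ver in family.items()
               if parse_version(ver) != parse_version(newest)}
    return newest, lagging


def pin_references(lagging, version):
    """Explicit references that lift the lagging packages to the target version."""
    return [f'<PackageReference Include="{name}" Version="{version}" />'
            for name in sorted(lagging)]


# Constructed excerpt of the listing posted in the thread (non-IdentityModel rows trimmed).
SAMPLE_LISTING = """\
Project 'redacted' has the following package references
[net7.0]:
Top-level Package                                   Requested   Resolved
> Microsoft.IdentityModel.Protocols.OpenIdConnect   7.0.0       7.0.0
> System.IdentityModel.Tokens.Jwt                   7.4.0       7.4.0

Transitive Package                                  Resolved
> Microsoft.AspNetCore.Authentication.OpenIdConnect 7.0.1
> Microsoft.IdentityModel.Abstractions              7.4.0
> Microsoft.IdentityModel.JsonWebTokens             7.4.0
> Microsoft.IdentityModel.Logging                   7.4.0
> Microsoft.IdentityModel.LoggingExtensions         6.32.3
> Microsoft.IdentityModel.Protocols                 7.0.0
> Microsoft.IdentityModel.Tokens                    7.4.0
> Microsoft.IdentityModel.Validators                6.32.3
"""

if __name__ == "__main__":
    newest, lagging = find_version_skew(parse_packages(SAMPLE_LISTING))
    print(f"newest IdentityModel version resolved: {newest}")
    for name, ver in sorted(lagging.items()):
        print(f"  lagging: {name} {ver}")
    print("\n".join(pin_references(lagging, newest)))
```

Run it against the real listing by piping the command output into the script; a non-empty lagging set is the condition under which the "Cannot redirect to the authorization endpoint" and "An invalid request URI was provided" failures above appear, and the printed references are the same remedy the thread converged on.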
Thanks everyone for all your input and help with root causing this. We will look into analyzers to help detect this issue as early as possible.
@m-wild we are going to fix the references. However, when Microsoft.IdentityModel.JsonWebToken is updated, only M.IM.Tokens will be pulled in. The issue with M.IM.Protocols.OpenIdConnect would still be an issue.
As Jennyf19 mentioned, we are going to get on this.
> It's disappointing that this version coupling isn't expressed by the Nuget package dependencies. This should be a compile failure as the versions are incompatible (as indicated by a major version bump).
I agree with @m-wild. Setting the Nuget package dependency to be an exact match between the IdentityModel packages would be the preferred solution.
> However, last year i was not able to work (health issues) and may have missed your comment. Exactly as expressed, we started work on such a solution, but it was not finished. I have pushed my thoughts of the importance of this issue, up that stack, so we will see.
No worries. I hope you're doing well now 😃
> The good news is we are going to add a regression test with IdentityServers metadata.
More coverage is always good, but in this case, I'm not sure a classical unit test would have caught that since it requires a package versions mismatch that you wouldn't have in a typical tests project.
I really like the Roslyn analyzers approach. Let's hope it will materialize before the next breaking changes made to your internal helpers 😄
I'm running against this issue when I was upgrading from 7.0.3 to 7.5.1 (yes I know, quite an upgrade in one step) along with other NuGets; after this I started to have "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." issues. After digging, I noticed it breaks when I upgrade from 7.3.1 to 7.4.0, so I came across this issue. But is this an issue on my end due to some configuration that needs to be updated, or no fix yet implemented?
I use Auth0 as my IDP, which I didn't see in this issue, so maybe this can be the issue?
Thanks in advance
I just ran into this issue as well and wasted time debugging. How frustrating.
I'm using Duende Identity Server (like others in here). The fix for me was to install this package: Microsoft.IdentityModel.Protocols.OpenIdConnect (v7.5.1 at the time of writing) and the problem was resolved.
For me it did not solve the issue
@mr-davidc I misread your comment, I thought you were referring to Microsoft.IdentityModel.JsonWebTokens, but explicitly installing Microsoft.IdentityModel.JsonWebTokens:7.5.1 and Microsoft.IdentityModel.Protocols.OpenIdConnect:7.5.1 did the trick. Thanks
I've just hit this problem for the second time in a couple of months.
I'm confused (and frustrated):
1) Why this is closed - surely if this is still an active issue in the ecosystem it should be left open, and a clear statement made about how to figure out which of your dependencies is the problem. Then to either upgrade that if possible OR put the workaround in place
2) Some kind of tracking made of which upstream packages are causing the issue? We have upgraded all of our dependencies to the latest non pre-release versions and we're still hitting the problem. We need to be tracking which of the dependencies are still using the old transitives and put pressure on them to do releases surely? The workaround shouldn't 'live forever'.
I believe I hit a similar issue but in version 6. We are running Microsoft.aspnetcore.authentication.JwtBearer 6.0.12 which has a dependency on Microsoft.identitymodel.protocols.openidconnect 6.10.0 and it used to install system.identitymodel.tokens.jwt and Microsoft.identitymodel.jsonwebtokens 6.19 but suddenly just last week (August 27th) it now installs 6.15 which causes 401 unauthorized errors. We manually copied and pasted the correct versions from a working site and it worked again.
For us we are probably going to update Microsoft.aspnetcore.authentication.JwtBearer to 6.0.33 (the most recent for version 6) which installs version 6.35.0 of Microsoft.identitymodel.protocols.openidconnect, system.identitymodel.tokens.jwt and Microsoft.identitymodel.jsonwebtokens and seems to work on our dev site.
It sounds like a similar versioning issue anyway.
I am using version 7.3.1 in production and dependabot has upgraded from 7.3.1 to 7.4.0 but there are breaking changes.
Please could you take a look at this: https://github.com/chris-briddock/ChristopherBriddock.Identity/pull/62 https://dev.azure.com/chris1997/ChristopherBriddock.Identity/_build/results?buildId=798&view=logs&j=7e6a3fb7-dbfe-5169-4db8-92b72295ba6c&t=45683e7c-5c24-5fa1-4844-9f376a3fcc8a&l=702
Expected behavior All tests pass.
Actual behavior Tests that require this library fail.