Open sgtfrankieboy opened 4 years ago
When you get the chance, send me a PM with your app key, and I'll see what I can dig up in the logs.
Just to note for folks, we have a limitation in the maximum length of the querystring on our site, and when logging in through Steam if your redirect URL is sufficiently long you may run into the same issue.
Right now they're working around it by finding (unfortunately painful for their implementation) ways of shortening their URL. I'm floating the idea of upping our querystring length limit, but unless that gets approved you may have to do the same if you run into this issue.
My url is fairly short "https://clanevents.net/signin-bungie". Is that considered too long? I did notice significant differences between the links to all other platforms and the one to Steam.
Example of Psn OAuth link (from the login page that pops up during the OAuth process) https://www.bungie.net/en/User/SignIn/Psnid?bru=/en/oauth/authorize?client_id=23694&scope=&response_type=code&redirect_uri=https://clanevents.net/signin-bungie&state={some state}&flowStart=1
Steam OAuth link (from the login page that pops up during the OAuth process) https://steamcommunity.com/openid/login?openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=https://www.bungie.net/en/User/SignIn/SteamId?bru=/en/oauth/authorize?client_id=23694&scope=&response_type=code&redirect_uri=https://clanevents.net/signin-bungie&state={some state}&flowStart=1&dnoa.userSuppliedIdentifier=dnoahttps://steamcommunity.com:443/openid&dnoa.request_nonce=0_pAaHhS1wgf3HnQ9HzC84mLcnCInd3P&dnoa.return_to_sig_handle=-33P&dnoa.return_to_sig=pTt11QUQLQl0zoTux ob3GkWxkXN74Tj8gfJ pT7AbU=&openid.realm=https://www.bungie.net/&openid.mode=checkid_setup&openid.ns=http://specs.openid.net/auth/2.0&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0&openid.pape.max_auth_age=1209600&openid.pape.preferred_auth_policies=&openid.ns.alias3=http://specs.openid.net/extensions/ui/1.0&openid.alias3.lang=en,en&openid.alias3.mode=popup&openid.alias3.icon=true
The redirect_uri parameter is optional. Bungie.net always uses the redirect URI that you specified in the portal. If the redirect_uri parameter is present, it verifies that they match, but does not need it. Try your flow without the redirect_uri parameter and see how it goes.
It doesn't seem to fix the issue.
Here is the URL from the Steam login page. As you can see I got rid of my redirect_uri.
The only other thing I can think of to shorten the query string is to create a state manually rather than use the default generated by ASP.Net Core middleware, or not add a state at all.
Hmm, not fun. I'm going to update the bug with this info - I haven't worked on the Steam auth side of our system, but it could be that there's something we can do on our side/that some of this is extraneous.
This one might be, since it’s a blank value:
&openid.pape.preferred_auth_policies=&
On Oct 16, 2019, at 17:38, Vendal Thornheart notifications@github.com wrote:
Hmm, not fun. I'm going to update the bug with this info - I haven't worked on the Steam auth side of our system, but it could be that there's something we can do on our side/that some of this is extraneous.
Hello,
The problem seems to be caused by the length of the state parameter. When connecting using the AspNetCore framework, the state contains some data, encrypted then base64, explaining its length.
As a workaround, we can configure a caching mechanism, allowing a smaller state to be passed.
Any solution that allows a state would be helpful, and greatly appreciated. Frankly though I believe the issue is with how many other parameters are in the Steam URL. If you could look into trimming some of those out, perhaps discussing it with Steam, you could achieve a more uniform process across the different platforms.
The solution is strongly inspired by https://github.com/mclark1129/IdentityServer4.Samples.
I modified its CachedPropertiesDataFormat to get the smallest state possible, but it's not mandatory, you can use it as is: https://github.com/mclark1129/IdentityServer4.Samples/blob/master/AzureAd_CustomStateDataFormat/src/QuickstartIdentityServer/Authentication/CachedPropertiesDataFormat.cs
If you are using a separate handler, you have to override the InitializeHandlerAsync method to inject your own implementation.
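```csharp
using System;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

namespace WebApp.Bungie.Authentication
{
    public class BungieAuthenticationHandler : OAuthHandler<BungieAuthenticationOptions>
    {
        private readonly IServiceProvider _serviceProvider;

        public BungieAuthenticationHandler(
            IServiceProvider serviceProvider,
            IOptionsMonitor<BungieAuthenticationOptions> options,
            ILoggerFactory logger,
            UrlEncoder encoder,
            ISystemClock clock)
            : base(options, logger, encoder, clock)
        {
            _serviceProvider = serviceProvider;
        }

        // Replace the default state format (encrypted, base64-encoded properties)
        // with the ISecureDataFormat implementation registered in the container.
        protected override Task InitializeHandlerAsync()
        {
            Options.StateDataFormat = _serviceProvider.GetRequiredService<ISecureDataFormat<AuthenticationProperties>>();
            return base.InitializeHandlerAsync();
        }

        // ...
    }
}
```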
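As an added example (not code from this thread or from the linked sample), here is one way the `ISecureDataFormat<AuthenticationProperties>` resolved by the handler above could be implemented so that only a short random handle travels in the `state` parameter. The class name `CachedStateDataFormat`, the cache key prefix and the 15-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.Caching.Distributed;

// Hypothetical class: keeps AuthenticationProperties server-side and
// returns a short random handle to use as the OAuth "state" value.
// Register with an IDistributedCache, e.g. services.AddDistributedMemoryCache();
// services.AddSingleton<ISecureDataFormat<AuthenticationProperties>, CachedStateDataFormat>();
public class CachedStateDataFormat : ISecureDataFormat<AuthenticationProperties>
{
    private const string Prefix = "oauth-state:";                          // assumed key prefix
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15);  // assumed sign-in window
    private readonly IDistributedCache _cache;

    public CachedStateDataFormat(IDistributedCache cache) => _cache = cache;

    public string Protect(AuthenticationProperties data) => Protect(data, null);

    public string Protect(AuthenticationProperties data, string purpose)
    {
        // The handle replaces the encrypted blob, so it must be unguessable:
        // 128 bits from the CSPRNG, not a counter or timestamp.
        var raw = new byte[16];
        RandomNumberGenerator.Fill(raw);
        var handle = WebEncoders.Base64UrlEncode(raw); // 22 URL-safe characters

        _cache.Set(Prefix + purpose + handle,
            PropertiesSerializer.Default.Serialize(data),
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = Lifetime });
        return handle;
    }

    public AuthenticationProperties Unprotect(string protectedText) => Unprotect(protectedText, null);

    public AuthenticationProperties Unprotect(string protectedText, string purpose)
    {
        // Bound attacker-controlled input before using it as a cache key.
        if (string.IsNullOrEmpty(protectedText) || protectedText.Length > 64) return null;

        var key = Prefix + purpose + protectedText;
        var bytes = _cache.Get(key);
        if (bytes == null) return null; // unknown or expired: the handler fails the sign-in
        _cache.Remove(key);             // drop after first use (Get/Remove is not atomic)
        return PropertiesSerializer.Default.Deserialize(bytes);
    }
}
```

With more than one web server the cache has to be shared (for example Redis or SQL Server), otherwise the callback can land on a node that never stored the handle.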
@gregservera Just wanted to let you know that I implemented the solution you recommended successfully, so thank you for the tip.
When trying to execute the OAuth flow using Steam I get a 404 Not Found on Bungie.net.
The url that 404's is
https://www.bungie.net/en/User/SignIn/SteamId?bru={lots of gibberish}