DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

PromptMode Login with Pushed Authorization Requests Get Stuck in Login Loop #1562

Closed andrew-from-toronto closed 5 months ago

andrew-from-toronto commented 5 months ago

Which version of Duende IdentityServer are you using? v7.0.4

Which version of .NET are you using? net8.0

Describe the bug When using prompt mode login and PARs, IdentityServer puts the user into a login loop. Although the prompt is "removed" during the authorization flow, the PAR is seemingly never updated or replaced in the store with the new request, and so the original prompt mode ends up being reprocessed, causing the loop.

To Reproduce Should be as simple as trying to have a client use prompt=login with PAR.

Expected behavior No login loop, prompt mode is cleared in the PAR correctly.

Log output/exception with stacktrace

dbug: Duende.IdentityServer.Hosting.EndpointRouter[0]
      Request path /connect/authorize matched to endpoint type Authorize
dbug: Duende.IdentityServer.Hosting.EndpointRouter[0]
      Endpoint enabled: Authorize, successfully created handler: Duende.IdentityServer.Endpoints.AuthorizeEndpoint
info: Duende.IdentityServer.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.AuthorizeEndpoint for /connect/authorize
dbug: Duende.IdentityServer.Endpoints.AuthorizeEndpoint[0]
      Start authorize request
dbug: Duende.IdentityServer.Endpoints.AuthorizeEndpoint[0]
      User in authorize request: a125831d-1ae7-4e15-a08c-be67c421c465
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Endpoints.AuthorizeEndpoint[0]
      ValidatedAuthorizeRequest
      {
        "ClientId": "SampleClientId",
        "ClientName": "Sample Client",
        "RedirectUri": "sample-client://",
        "AllowedRedirectUris": [
          "sample-client://"
        ],
        "SubjectId": "a125831d-1ae7-4e15-a08c-be67c421c465",
        "ResponseType": "code",
        "ResponseMode": "query",
        "GrantType": "authorization_code",
        "RequestedScopes": "openid offline_access",
        "State": "Dq7WQgM8QZrw4rLLDmW4ow",
        "PromptMode": "login",
        "SessionId": "246C9028A0A6391B9CADA7F76762FAB9",
        "Raw": {
          "response_type": "code",
          "state": "Dq7WQgM8QZrw4rLLDmW4ow",
          "code_challenge": "nbc4DX04uYy8IJ92RAWK2Gtv6jrKlgd0YVNc2NAsKMI",
          "code_challenge_method": "S256",
          "client_id": "SampleClientId",
          "scope": "openid offline_access",
          "redirect_uri": "sample-client://",
          "prompt": "login"
        }
      }
info: Duende.IdentityServer.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
      Showing login: request contains prompt=login
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.Hosting.CorsPolicyProvider[0]
      IdentityServer CorsPolicyService didn't handle CORS request made for path: /login from origin: null because it is not for an IdentityServer CORS endpoint. To allow CORS requests to non IdentityServer endpoints, please set up your own Cors policy for your application by calling app.UseCors("MyPolicy") in the pipeline setup.
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.Hosting.CorsPolicyProvider[0]
      IdentityServer CorsPolicyService didn't handle CORS request made for path: /login from origin: null because it is not for an IdentityServer CORS endpoint. To allow CORS requests to non IdentityServer endpoints, please set up your own Cors policy for your application by calling app.UseCors("MyPolicy") in the pipeline setup.
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Hosting.IdentityServerAuthenticationService[0]
      Augmenting SignInContext
dbug: Duende.IdentityServer.Hosting.IdentityServerAuthenticationService[0]
      Adding idp claim with value: local
dbug: Duende.IdentityServer.Hosting.IdentityServerAuthenticationService[0]
      Adding amr claim with value: pwd
dbug: Duende.IdentityServer.Hosting.IdentityServerAuthenticationService[0]
      Adding auth_time claim with value: 1716906093
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.Hosting.EndpointRouter[0]
      Request path /connect/authorize/callback matched to endpoint type Authorize
dbug: Duende.IdentityServer.Hosting.EndpointRouter[0]
      Endpoint enabled: Authorize, successfully created handler: Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint
info: Duende.IdentityServer.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
dbug: Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint[0]
      Start authorize callback request
dbug: Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint[0]
      User in authorize request: a125831d-1ae7-4e15-a08c-be67c421c465
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint[0]
      ValidatedAuthorizeRequest
      {
        "ClientId": "SampleClientId",
        "ClientName": "Sample Client",
        "RedirectUri": "sample-client://",
        "AllowedRedirectUris": [
          "sample-client://"
        ],
        "SubjectId": "a125831d-1ae7-4e15-a08c-be67c421c465",
        "ResponseType": "code",
        "ResponseMode": "query",
        "GrantType": "authorization_code",
        "RequestedScopes": "openid offline_access",
        "State": "Dq7WQgM8QZrw4rLLDmW4ow",
        "PromptMode": "login",
        "SessionId": "246C9028A0A6391B9CADA7F76762FAB9",
        "Raw": {
          "response_type": "code",
          "state": "Dq7WQgM8QZrw4rLLDmW4ow",
          "code_challenge": "nbc4DX04uYy8IJ92RAWK2Gtv6jrKlgd0YVNc2NAsKMI",
          "code_challenge_method": "S256",
          "client_id": "SampleClientId",
          "scope": "offline_access",
          "redirect_uri": "sample-client://",
          "prompt": "login"
        }
      }
info: Duende.IdentityServer.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
      Showing login: request contains prompt=login
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
dbug: Duende.IdentityServer.Stores.ValidatingClientStore[0]
      client configuration validation for client SampleClientId succeeded.

Additional context We are an enterprise customer, if that matters.
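The loop the report describes, modelled as an added example that is not part of the issue and not IdentityServer code: an in-memory PAR store and a toy authorize endpoint. With `update_store=False` the server strips prompt=login only from the in-flight request, so every pass rebuilds the request from the store, sees prompt=login again and shows the login page again; with `update_store=True` the store records that the prompt was handled and the callback issues a code. The `processed_prompts` field and the `update_store` flag are assumptions of this model, and the fix it shows is one possible approach, not a description of what 7.0.5 actually changed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PushedRequest:
    # Parameters pushed to /connect/par plus, for this model only, the prompt
    # values the server has already acted on (assumption, not an IdentityServer field).
    params: dict
    processed_prompts: set = field(default_factory=set)


class ParStore:
    """In-memory stand-in for the pushed authorization request store."""

    def __init__(self) -> None:
        self._items: dict[str, PushedRequest] = {}

    def push(self, params: dict) -> str:
        # /connect/par returns an opaque request_uri; the browser carries it instead of the parameters
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._items[request_uri] = PushedRequest(dict(params))
        return request_uri

    def get(self, request_uri: str) -> PushedRequest:
        return self._items[request_uri]


def authorize_step(store: ParStore, request_uri: str, user: dict, update_store: bool) -> str:
    """One pass of /connect/authorize or /connect/authorize/callback.

    Returns "login" when the login page must be shown and "code" when an
    authorization code can be issued. Every pass rebuilds the validated request
    from the stored PAR, as the log shows ("pushed authorization found in
    database: True" precedes each "Showing login").
    """
    stored = store.get(request_uri)
    request = dict(stored.params)  # the in-flight validated authorize request
    wants_login = "login" in request.get("prompt", "").split()
    if wants_login and "login" not in stored.processed_prompts:
        # The prompt is "removed" from the in-flight request only. Without PAR that
        # is enough, because the stripped parameters travel in the return URL; with
        # PAR the next pass reloads the original parameters from the store instead.
        request.pop("prompt")
        if update_store:
            # One way to break the loop: persist that prompt=login was handled
            # (assumption: a possible fix, not necessarily what 7.0.5 does).
            stored.processed_prompts.add("login")
        return "login"
    if not user.get("authenticated"):
        return "login"
    return "code"


def run_flow(update_store: bool, max_rounds: int = 4) -> list[str]:
    """Client pushes prompt=login, browser hits authorize, user signs in, the
    callback re-validates from the PAR. Returns the server's decision per pass."""
    store = ParStore()
    request_uri = store.push({
        "client_id": "SampleClientId",
        "response_type": "code",
        "scope": "openid offline_access",
        "redirect_uri": "sample-client://",
        "code_challenge": "nbc4DX04uYy8IJ92RAWK2Gtv6jrKlgd0YVNc2NAsKMI",
        "code_challenge_method": "S256",
        "prompt": "login",
    })
    # Constructed user: already has a session, as the "User in authorize request" log line shows.
    user = {"authenticated": True, "sub": "a125831d-1ae7-4e15-a08c-be67c421c465"}
    decisions: list[str] = []
    for _ in range(max_rounds):
        decision = authorize_step(store, request_uri, user, update_store)
        decisions.append(decision)
        if decision == "code":
            break
        # The user completes /login and is redirected to /connect/authorize/callback.
    return decisions


if __name__ == "__main__":
    print("store never updated:", run_flow(update_store=False))  # login, login, login, login
    print("store updated:      ", run_flow(update_store=True))   # login, code
```

The point of the model is where the "removed" prompt lives: in a plain authorize request the stripped query string is what the browser brings back after login, but with PAR the browser only brings back client_id and request_uri, so whatever is in the store is what gets validated again.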

josephdecock commented 5 months ago

Thanks for the bug report! I'm investigating this now.

josephdecock commented 5 months ago

@andrew-from-toronto We just released IdentityServer 7.0.5 which includes a fix for this. Enjoy!

andrew-from-toronto commented 5 months ago

Thank you, much appreciated. Will be upgrading today.
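To check whether a deployment is affected, for instance before and after the upgrade mentioned above, the loop is visible in the logs as the same pushed-authorization reference being loaded and then reaching "Showing login" more than once. The following added example is not part of the thread or of IdentityServer: it scans log lines for that pattern. The sample excerpt is constructed to mirror the shape of the log posted in the issue, and the `threshold` parameter is this script's own.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the log above: the same pushed request is
# loaded and reaches "Showing login" twice, while a second request does so once.
SAMPLE_LOG = """\
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.Validation.AuthorizeRequestValidator[0]
      Checking for PKCE parameters
info: Duende.IdentityServer.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
      Showing login: request contains prompt=login
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      IAIlfNuzHs/aWD7E1/l9QrJ51lvj9++ElCJHHR9AqM4= pushed authorization found in database: True
info: Duende.IdentityServer.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
      Showing login: request contains prompt=login
dbug: Duende.IdentityServer.EntityFramework.Stores.PushedAuthorizationRequestStore[0]
      healthyRef+abc= pushed authorization found in database: True
info: Duende.IdentityServer.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
      Showing login: request contains prompt=login
"""

# The store logs the reference of the pushed request it just loaded; the
# interaction generator logs when it decides to show the login page.
PAR_LOADED = re.compile(r"^\s*(?P<ref>\S+) pushed authorization found in database: True\s*$")
LOGIN_SHOWN = re.compile(r"Showing login: request contains prompt=login")


def find_login_loops(lines, threshold: int = 2) -> dict[str, int]:
    """Count "Showing login" decisions per pushed authorization reference.

    A prompt=login request should reach the login decision at most once per
    pushed request, so any reference that reaches it `threshold` or more times
    is looping. Attribution is positional: a login decision is charged to the
    most recently loaded reference, which matches the order the store and the
    interaction generator log in.
    """
    current_ref = None
    shown: Counter = Counter()
    for line in lines:
        m = PAR_LOADED.match(line)
        if m:
            current_ref = m.group("ref")
            continue
        if current_ref and LOGIN_SHOWN.search(line):
            shown[current_ref] += 1
    return {ref: n for ref, n in shown.items() if n >= threshold}


if __name__ == "__main__":
    for ref, n in find_login_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{ref}: login shown {n} times")
```

Run it against the Debug-level output of the server (the store line is logged at dbug, so Information-level logs will not contain the reference); any reference reported here after the upgrade means the loop is still present.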