DuendeSoftware / Support

Support for Duende Software products

OpenIdConnectAuthenticationHandler: message.State is null or empty. #1268

Closed merijndejonge closed 2 months ago

merijndejonge commented 2 months ago

Which version of Duende IdentityServer are you using?
7.0.1

Which version of .NET are you using?
net8.0

Describe the bug
I'm using Duende IdentityServer and Microsoft as external identity server. I'm using AddOpenIdConnect to set it all up. Everything works perfectly fine except when Microsoft is making a callback as a result of granting tenant-wide admin consent for my app. This callback is not handled correctly and issues the following Exception:

[2024-05-25 22:22:08 ERR] An unhandled exception has occurred while executing the request.
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.AspNetCore.Authentication.AuthenticationFailureException: OpenIdConnectAuthenticationHandler: message.State is null or empty.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 38
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
   at Serilog.AspNetCore.RequestLoggingMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Tenant-wide admin consent is granted using the URL https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id} and documented at https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent.

It triggers the following callback to my identity server:

https://<my-server>/signin-microsoft?admin_consent=True&tenant=<tenant-id>

The path /signin-microsoft is correct and according to my setup.

To Reproduce

Opening the URL https://<my-server>/signin-microsoft?admin_consent=True&tenant=<tenant-id> in a browser will trigger the exception.

Expected behavior Not sure what should happen, but not an exception. Is there a way I can control how to handle this request perhaps?
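One way a relying party can keep this callback from surfacing as an unhandled exception, added here as an example and not taken from the issue thread or from Duende's code: the admin-consent redirect from Entra ID reaches the OIDC callback path without the `state` value the handler produced, so the handler cannot correlate it to a sign-in and raises `RemoteFailure`. The `OnRemoteFailure` event lets the application recognise that case and redirect the browser instead. The scheme name `"Microsoft"` and the redirect targets `/admin-consent-complete` and `/admin-consent-failed` are assumptions for this example; the callback path `/signin-microsoft` is the one from the issue.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Added example, not part of the original issue. Registers the external Microsoft
// provider the same way the issue describes (AddOpenIdConnect) and handles the
// admin-consent callback, which arrives without the handler's state parameter.
builder.Services.AddAuthentication()
    .AddOpenIdConnect("Microsoft", options =>          // "Microsoft" is an assumed scheme name
    {
        options.CallbackPath = "/signin-microsoft";    // matches the callback URL in the issue
        // Authority, ClientId, ClientSecret, SignInScheme etc. as already configured

        options.Events.OnRemoteFailure = context =>
        {
            var query = context.Request.Query;

            // Entra ID's admin-consent redirect carries admin_consent and tenant, but
            // not a state value this handler issued, so correlation cannot succeed.
            if (query.ContainsKey("admin_consent") && string.IsNullOrEmpty(query["state"]))
            {
                // Nothing in this request is authenticated: do not sign anyone in and
                // do not record the tenant id from the query as trusted data. The
                // authoritative consent record lives in Entra ID, not in this callback.
                bool granted = string.Equals(query["admin_consent"], "True",
                                             StringComparison.OrdinalIgnoreCase);

                // Hypothetical pages in the relying party that explain the outcome.
                context.Response.Redirect(granted ? "/admin-consent-complete"
                                                  : "/admin-consent-failed");
                context.HandleResponse();  // stop the failure from becoming an exception
            }

            // Any other remote failure keeps the default behaviour (the exception).
            return Task.CompletedTask;
        };
    });
```

The check deliberately branches only on the shape of the request (an `admin_consent` key with no `state`), and the handler never issues a sign-in ticket from it; ordinary failed callbacks still fall through to the framework's default handling so genuine correlation errors remain visible in the logs.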

RolandGuijt commented 2 months ago

This is probably not related to IdentityServer. Can you please setup a test application that doesn't use IdentityServer and report back with the results?

merijndejonge commented 2 months ago

To be honest, I’m not sure about how to do that…

AndersAbel commented 2 months ago

This interaction is really outside of IdentityServer. It is all about Microsoft Entra ID and how it generates an incomplete response to your OIDC callback.

Based on my experience with Entra ID I think that you can just ignore the error. The important thing with admin consent is happening on the Entra ID side when the admin grants consent. Once the consent is granted and saved on the Entra ID side it doesn't matter if the login on your application is successful or not.

If you want further help on this I'm afraid we cannot help you. This is an issue about how Microsoft Entra ID interacts with the Microsoft OpenID Connect Handler.

merijndejonge commented 2 months ago

Thx. https://github.com/dotnet/aspnetcore/issues/55910

AndersAbel commented 2 months ago

I'm closing this issue here now and hope that you will get help from Microsoft on how to implement the admin consent flow.