DuendeSoftware / Support

Support for Duende Software products

Incompatible versions causing OIDC to produce hard to find errors. #1391

Open attilah opened 2 weeks ago

attilah commented 2 weeks ago

Which version of Duende IdentityServer are you using?

Latest 7.0

Which version of .NET are you using?

.NET 8.0

Describe the bug

We configured an OIDC provider with BFF and Yarp just as in the JsBFFYarpSample and while the sample was working correctly our app was not. The error is that the well known document was not parsed correctly and code exchange backchannel call failed as TokenEndpoint was empty.

I was able to narrow it down to Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever, which is using Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer. The serializer is using Microsoft.IdentityModel.Tokens.Json.JsonSerializerPrimitives from the Microsoft.IdentityModel.Tokens package.

Latest IdentityServer with WilsonVersion pulls in the 7.1.2 version of the Microsoft.IdentityModel.Tokens package, and if someone is implicitly or explicitly using an 8.x version of the same package in the project, the error will happen due to the incompatibility between the 7.x and 8.x versions of the serializer.

To Reproduce

  1. Create a console application repro.csproj

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>

  <ItemGroup>
    <!-- Transitively brings in Microsoft.IdentityModel.* 7.1.2 -->
    <PackageReference Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.0.0" />
  </ItemGroup>

</Project>
```


Program.cs
```csharp
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Fetches and parses the discovery document; TokenEndpoint is the field that ends up empty
// when mismatched Microsoft.IdentityModel.* versions are loaded.
var json = await OpenIdConnectConfigurationRetriever.GetAsync("https://demo.duendesoftware.com/.well-known/openid-configuration", CancellationToken.None);

Console.WriteLine($"TokenEndpoint: '{json.TokenEndpoint}'");
```

The app works correctly and outputs:

```text
TokenEndpoint: 'https://demo.duendesoftware.com/connect/token'
```

Now add a direct dependency to the tokens package:

```xml
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.0.2" />
```

The output will be:

```text
TokenEndpoint: ''
```

Pulling in the matching 8.0.2 version of Microsoft.IdentityModel.Protocols.OpenIdConnect solves the problem, but it is cumbersome and not easy to find. The very same issue is causing #2523 as well (but that's not an IDS problem).

Expected behavior

When using Identity Server packages with standard ASP.NET Core packages, OpenID authentication with Identity Server works correctly. Updating WilsonVersion in Identity Server and adding a direct reference to Microsoft.IdentityModel.Tokens would solve it.

RolandGuijt commented 1 week ago

The functionality of "Wilson" (Microsoft.IdentityModel.*) is split up across multiple NuGet packages. Within one project the versions of these packages must be exactly the same. That also goes for the references other used packages might have. NuGet doesn't enforce this but we've created a document that might help.

Can you please try the suggestions in there and report back?
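A startup check that makes this mismatch fail loudly instead of surfacing as an empty TokenEndpoint, written as an added example for this issue (not code from the issue, from Duende or from the Microsoft.IdentityModel packages). It assumes the repro project above, so that the Microsoft.IdentityModel.* assemblies are on the path, and uses the demo discovery URL from the repro:

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Touch one type from each "Wilson" package so the assemblies are loaded before the scan;
// assemblies load lazily, so an untouched package would not show up in GetAssemblies().
_ = typeof(OpenIdConnectConfigurationRetriever); // Microsoft.IdentityModel.Protocols.OpenIdConnect
_ = typeof(SecurityKey);                         // Microsoft.IdentityModel.Tokens

// Every Microsoft.IdentityModel.* package of one release ships the same assembly version,
// so more than one distinct version in the process means mixed package versions.
var wilson = AppDomain.CurrentDomain.GetAssemblies()
    .Select(a => a.GetName())
    .Where(n => n.Name is not null &&
                n.Name.StartsWith("Microsoft.IdentityModel.", StringComparison.Ordinal))
    .OrderBy(n => n.Name)
    .ToList();

foreach (var n in wilson)
    Console.WriteLine($"{n.Name} {n.Version}");

var versions = wilson.Select(n => n.Version?.ToString() ?? "unknown").Distinct().ToList();
if (versions.Count > 1)
{
    Console.Error.WriteLine(
        $"Mixed Microsoft.IdentityModel.* versions loaded: {string.Join(", ", versions)}. " +
        "Align every Microsoft.IdentityModel.* PackageReference (direct and transitive) to one version.");
    return 1;
}

// Second line of defence: a discovery document with no token endpoint is never usable for
// the code exchange, so refuse to start rather than fail later in the back-channel call.
var config = await OpenIdConnectConfigurationRetriever.GetAsync(
    "https://demo.duendesoftware.com/.well-known/openid-configuration", CancellationToken.None);

if (string.IsNullOrEmpty(config.TokenEndpoint))
{
    Console.Error.WriteLine("Discovery document parsed without a token_endpoint; " +
                            "check for mismatched Microsoft.IdentityModel.* package versions.");
    return 2;
}

Console.WriteLine($"TokenEndpoint: '{config.TokenEndpoint}'");
return 0;
```

With the repro's extra `Microsoft.IdentityModel.Tokens` 8.0.2 reference in place, the version scan reports both 7.1.2.0 and 8.0.2.0 and exits before the discovery call is made.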

RolandGuijt commented 1 day ago

@attilah Did this help? Would you like to add anything to this issue? If not I'd like to close it.