DuendeSoftware / Support

Support for Duende Software products

After update to Duende Server, ASP.NET shows an error: "An unhandled exception occurred while processing the request." #404

Closed horststumpf closed 1 year ago

horststumpf commented 1 year ago

I have the following update process.

The following tests:

  1. IdentityServer 3.1.2 - ASP.NET Core 3.1 - OK
  2. IdentityServer 3.1.2 - ASP.NET .NET 6 - OK
  3. Duende Server 6.2.0 - ASP.NET Core 3.1 - Error
    • in the log file:
      • checking for PKCE parameters
      • code_challenge is missing
  4. Duende Server 6.2.0, add RequirePkce = false - ASP.NET Core 3.1 - Error

```
An unhandled exception occurred while processing the request.
ArgumentNullException: IDX10000: The parameter 'json' cannot be a 'null' or an empty object. (Parameter 'json')
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(string json)
OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 403. Content-Type:
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
```

  5. Duende Server 6.2.0, add RequirePkce = false - ASP.NET .NET 6 - same error as 4.

The client:

```csharp
var client = new Client
{
    ClientId = Clients.LandingPageId,
    ClientName = "Open ID client - landing page",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    RequirePkce = false,
    ClientSecrets = { new Secret("spiritSecret".Sha256()) },

    #region aws http

    RedirectUris =
    {
        $"{config.ServerAddresses.Landing}/signin-oidc"
    },
    // where to redirect to after logout
    PostLogoutRedirectUris =
    {
        $"{config.ServerAddresses.Landing}/signout-callback-oidc"
    },

    #endregion

    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Address,
        IdentityServerConstants.StandardScopes.Email,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        IdentityServerConstants.StandardScopes.Phone,
        "role",
        ResourceScopes.LandingPage,
        ResourceScopes.TokenResource
    },
    AllowOfflineAccess = true,
    RequireConsent = false,
    AlwaysIncludeUserClaimsInIdToken = true,
    AlwaysSendClientClaims = true,
    AbsoluteRefreshTokenLifetime = 3600, // default - 30 days
};
```

ASP.NET app:

```csharp
services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = applicationConfiguration.ServerAddresses.IdentityServer;
        options.RequireHttpsMetadata = false;
        options.Audience = ResourceScopes.LandingApi;
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = applicationConfiguration.ServerAddresses.IdentityServer;
        options.RequireHttpsMetadata = true;
        options.ClientId = Clients.LandingPageId;
        options.ClientSecret = "spiritSecret";
        options.ResponseType = "code id_token";
        options.UsePkce = false;
        options.Scope.Add("offline_access");
        options.Scope.Add(ResourceScopes.LandingPage);
        options.Scope.Add(ResourceScopes.TokenResource);
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.UseTokenLifetime = true;
        options.Events.OnRedirectToIdentityProviderForSignOut += OnRedirectToIdentityProviderForSignOut;
    });
```

josephdecock commented 1 year ago

PKCE is critically important for security. I recommend that you re-enable it, unless you have a very specific reason for disabling it and understand your threat model.

There can sometimes be issues with parsing JWTs caused by incompatibilities in the versions of some of Microsoft's NuGet packages related to JWTs and identity (they aren't following semantic versioning conventions, unfortunately). Try updating all such packages in the client application and see if that helps.
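The PKCE check behind the "code_challenge is missing" log line in the first post, and the reason the comment above asks for it to be re-enabled, as an added illustration written for this thread (not code from Duende IdentityServer or from either participant). It walks the RFC 7636 S256 round trip from both sides: the client derives the challenge from a random verifier, the authorization endpoint refuses a request without a challenge while PKCE is required, and the token endpoint only redeems the code when the presented verifier hashes to the stored challenge. The function names and the `require_pkce` flag are made up here; they stand in for the `RequirePkce` client setting discussed in the thread.

```python
"""PKCE (RFC 7636) S256 round trip: client side and the authorization server's checks.

Constructed example for this thread; not Duende IdentityServer code. The function
names below are made up for the illustration.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client: high-entropy code_verifier (32 random bytes -> 43 chars, the RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_from_verifier(verifier: str) -> str:
    """Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_check(params: Dict[str, str], require_pkce: bool = True) -> Tuple[bool, str]:
    """Authorization server, /authorize: validate the PKCE parameters.

    Mirrors the behaviour behind the log line 'code_challenge is missing': a client
    that requires PKCE must send a challenge, and only S256 is accepted, because the
    'plain' method puts the verifier itself into the browser-visible URL.
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default when absent
    if challenge is None:
        return (not require_pkce, "code_challenge is missing")
    if method != "S256":
        return (False, f"code_challenge_method {method!r} not allowed")
    if not 43 <= len(challenge) <= 128:
        return (False, "code_challenge has invalid length")
    return (True, "ok")


def token_check(stored_challenge: Optional[str], code_verifier: Optional[str]) -> bool:
    """Authorization server, /token: the verifier must hash to the challenge stored with the code.

    A verifier presented for a code that was issued without a challenge is rejected, and
    the comparison is constant-time so the check leaks nothing about the stored value.
    """
    if stored_challenge is None or code_verifier is None:
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(challenge_from_verifier(code_verifier), stored_challenge)


def demo() -> Dict[str, bool]:
    """Run the round trip plus the failure modes seen in the thread; returns the outcomes."""
    verifier = make_verifier()
    challenge = challenge_from_verifier(verifier)
    ok_auth, _ = authorize_check({"code_challenge": challenge, "code_challenge_method": "S256"})
    return {
        "authorize_ok": ok_auth,
        # The client in this thread sent no code_challenge: rejected while PKCE is required...
        "missing_rejected": authorize_check({}) == (False, "code_challenge is missing"),
        # ...and only waved through once RequirePkce = false is set on the client.
        "missing_allowed_without_pkce": authorize_check({}, require_pkce=False)[0],
        "token_ok": token_check(challenge, verifier),
        # A code redeemed without the matching verifier is refused at the token endpoint.
        "wrong_verifier_rejected": not token_check(challenge, make_verifier()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `authorize_check` default of `"plain"` when `code_challenge_method` is absent follows RFC 7636; a server that wants S256 only, as shown here, therefore has to reject the absent-method case as well, which the `method != "S256"` branch does.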

horststumpf commented 1 year ago

Hi,

thanks for your help.

I plan to activate the PKCE as soon as the login works.

I tried the following, setting the same package versions:

Duende Server - ASP.NET .NET 6, same packages

The same error occurs.

Regards Horst-Dieter

josephdecock commented 1 year ago

Can you please share your project file for the client application?

horststumpf commented 1 year ago

Hi, a sample client is at https://github.com/horststumpf/IdentityTests

Regards Horst-Dieter

horststumpf commented 1 year ago

Hi, I tested more and checked the log files. The `.AddSecretValidator()` raises an error. The error in the log file:

```
System.InvalidOperationException: Unable to resolve service for type 'Duende.IdentityServer.Services.IReplayCache' while attempting to activate 'Duende.IdentityServer.Validation.PrivateKeyJwtSecretValidator'.
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateEnumerable(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.GetCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.CreateServiceAccessor(Type serviceType)
   at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
   at Duende.IdentityServer.Hosting.EndpointRouter.GetEndpointHandler(Endpoint endpoint, HttpContext context) in /_/src/IdentityServer/Hosting/EndpointRouter.cs:line 52
   at Duende.IdentityServer.Hosting.EndpointRouter.Find(HttpContext context) in /_/src/IdentityServer/Hosting/EndpointRouter.cs:line 39
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 89
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 117
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 94
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at IDP.IdentityServer.Middlewares.LoadTestAuthenticationMiddleware.InvokeAsync(HttpContext context, DataBaseContext dbContext, ITokenService tokenService) in /media/sdb/agents/lagent/_work/60/s/Daimler.IDP.IdentityServer/Middlewares/LoadTestAuthenticationMiddleware.cs:line 271", "exception": "Unable to resolve service for type 'Duende.IdentityServer.Services.IReplayCache' while attempting to activate 'Duende.IdentityServer.Validation.PrivateKeyJwtSecretValidator
```

horststumpf commented 1 year ago

I added the service registration `services.AddTransient<IReplayCache, DefaultReplayCache>();`, so all works fine.

Next I test the PKCE.