Closed horststumpf closed 1 year ago
PKCE is critically important for security. I recommend that you re-enable it, unless you have a very specific reason for disabling it and understand your threat model.
There can sometimes be issues with parsing JWTs caused by version incompatibilities between some of Microsoft's NuGet packages related to JWTs and identity (they aren't following semantic versioning conventions, unfortunately). Try updating all such packages in the client application and see if that helps.
Hi,
thanks for your help.
I plan to activate PKCE as soon as the login works.
I tried to set the same package versions:
Duende Server - ASP.NET / .NET 6, same packages
The same error occurs.
Regards, Horst-Dieter
Can you please share your project file for the client application?
Hi, a sample client is on https://github.com/horststumpf/IdentityTests
Regards, Horst-Dieter
Hi, I tested more and checked the log files.
The ".AddSecretValidator
```
System.InvalidOperationException: Unable to resolve service for type 'Duende.IdentityServer.Services.IReplayCache' while attempting to activate 'Duende.IdentityServer.Validation.PrivateKeyJwtSecretValidator'.
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateEnumerable(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateArgumentCallSites(Type implementationType, CallSiteChain callSiteChain, ParameterInfo[] parameters, Boolean throwIfCallSiteNotFound)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateConstructorCallSite(ResultCache lifetime, Type serviceType, Type implementationType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(ServiceDescriptor descriptor, Type serviceType, CallSiteChain callSiteChain, Int32 slot)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.TryCreateExact(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.CreateCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteFactory.GetCallSite(Type serviceType, CallSiteChain callSiteChain)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.CreateServiceAccessor(Type serviceType)
   at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
   at Duende.IdentityServer.Hosting.EndpointRouter.GetEndpointHandler(Endpoint endpoint, HttpContext context) in /_/src/IdentityServer/Hosting/EndpointRouter.cs:line 52
   at Duende.IdentityServer.Hosting.EndpointRouter.Find(HttpContext context) in /_/src/IdentityServer/Hosting/EndpointRouter.cs:line 39
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 89
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 117
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 94
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at IDP.IdentityServer.Middlewares.LoadTestAuthenticationMiddleware.InvokeAsync(HttpContext context, DataBaseContext dbContext, ITokenService tokenService) in /media/sdb/agents/lagent/_work/60/s/Daimler.IDP.IdentityServer/Middlewares/LoadTestAuthenticationMiddleware.cs:line 271", "exception": "Unable to resolve service for type 'Duende.IdentityServer.Services.IReplayCache' while attempting to activate 'Duende.IdentityServer.Validation.PrivateKeyJwtSecretValidator
```
I added the service registration `services.AddTransient<IReplayCache, DefaultReplayCache>();`, so now all works fine.
Next I tested PKCE.
I have the following update process.
Following tests:
```
An unhandled exception occurred while processing the request.
ArgumentNullException: IDX10000: The parameter 'json' cannot be a 'null' or an empty object. (Parameter 'json')
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(string json)
OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 403. Content-Type:
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
```
The client:
```csharp
new Client
{
    ClientId = Clients.LandingPageId,
    ClientName = "Open ID client - landing page",
    // Hybrid flow (code + id_token on the front channel) plus client credentials
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    // PKCE disabled for this client (see the recommendation above)
    RequirePkce = false,
    ClientSecrets = { new Secret("spiritSecret".Sha256()) },
    // remaining client properties were not included in the post
};
```
ASP.NET app:
```csharp
services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = applicationConfiguration.ServerAddresses.IdentityServer;
        options.RequireHttpsMetadata = false;
        options.Audience = ResourceScopes.LandingApi;
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = applicationConfiguration.ServerAddresses.IdentityServer;
        options.RequireHttpsMetadata = true;
        options.ClientId = Clients.LandingPageId;
        options.ClientSecret = "spiritSecret";
        // Hybrid flow response type; PKCE switched off on the client side as well
        options.ResponseType = "code id_token";
        options.UsePkce = false;
        options.Scope.Add("offline_access");
        options.Scope.Add(ResourceScopes.LandingPage);
        options.Scope.Add(ResourceScopes.TokenResource);
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.UseTokenLifetime = true;
        options.Events.OnRedirectToIdentityProviderForSignOut += OnRedirectToIdentityProviderForSignOut;
    });
```
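A hardened counterpart to the two configurations above, added here as an example and not code from this thread, from Duende or from the linked sample repository. It puts the `IReplayCache` registration that the stack trace complained about next to a custom secret validator, defines the client with the authorization code flow and `RequirePkce = true`, and configures the ASP.NET client with `ResponseType = "code"` and `UsePkce = true` so the two sides agree. The client id, secret, URLs, scope name and the `PkceSetup` extension methods are placeholders and assumptions, not values from the thread.

```csharp
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Validation;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Placeholder values (assumptions, not taken from the thread): replace with real ids and URLs.
public static class PkceSetup
{
    const string ClientId = "landing-page";
    const string ClientSecret = "REPLACE-WITH-A-RANDOM-SECRET";
    const string IdentityServerUrl = "https://localhost:5001";
    const string ClientAppUrl = "https://localhost:5002";
    const string ApiScopeName = "landing-api";

    // IdentityServer host: call builder.Services.ConfigureIdentityServer() in Program.cs,
    // then app.UseIdentityServer() in the pipeline.
    public static IServiceCollection ConfigureIdentityServer(this IServiceCollection services)
    {
        var landingPage = new Client
        {
            ClientId = ClientId,
            ClientName = "Open ID client - landing page",
            // Authorization code flow instead of hybrid: tokens are fetched from the token
            // endpoint over the back channel, nothing but the code crosses the browser redirect.
            AllowedGrantTypes = GrantTypes.Code,
            // PKCE required: a code intercepted on the redirect cannot be redeemed without
            // the code_verifier that only the legitimate client holds.
            RequirePkce = true,
            RequireClientSecret = true,
            ClientSecrets = { new Secret(ClientSecret.Sha256()) },
            RedirectUris = { $"{ClientAppUrl}/signin-oidc" },
            PostLogoutRedirectUris = { $"{ClientAppUrl}/signout-callback-oidc" },
            AllowOfflineAccess = true,
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                ApiScopeName,
            },
        };

        services.AddIdentityServer()
            .AddInMemoryIdentityResources(new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
            })
            .AddInMemoryApiScopes(new[] { new ApiScope(ApiScopeName) })
            .AddInMemoryClients(new[] { landingPage })
            .AddSecretValidator<PrivateKeyJwtSecretValidator>();

        // PrivateKeyJwtSecretValidator takes IReplayCache in its constructor. If the container
        // reports it missing (the InvalidOperationException in the log above), register it
        // explicitly, as was done in this thread.
        services.AddTransient<IReplayCache, DefaultReplayCache>();

        return services;
    }

    // Client web app: call builder.Services.ConfigureClientApp() in Program.cs,
    // then app.UseAuthentication() and app.UseAuthorization() in the pipeline.
    public static IServiceCollection ConfigureClientApp(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.Authority = IdentityServerUrl;
                options.RequireHttpsMetadata = true;
                options.ClientId = ClientId;
                options.ClientSecret = ClientSecret;
                // "code" matches GrantTypes.Code on the server.
                options.ResponseType = OpenIdConnectResponseType.Code;
                // The handler generates code_verifier / code_challenge (S256) for the authorize
                // request and sends the verifier when redeeming the code.
                options.UsePkce = true;
                options.Scope.Add("offline_access");
                options.Scope.Add(ApiScopeName);
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
            });

        return services;
    }
}
```

One caveat worth checking when enabling PKCE on an existing hybrid setup: the ASP.NET Core OpenID Connect handler only adds the PKCE parameters when `ResponseType` is exactly `code`, so setting `UsePkce = true` while keeping `"code id_token"` does nothing on the client side and the server will reject the request once `RequirePkce = true`. Switch both settings together.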