DuendeSoftware / Support

Support for Duende Software products

Issue with external authentication #477

Closed nhumby closed 1 year ago

nhumby commented 1 year ago

Which version of Duende IdentityServer are you using? 6.1

Which version of .NET are you using? .Net 7.0

Describe the bug I am setting up an external authentication using an on-premise ADFS server. When I click the button on the Duende IdentityServer login page to go to ADFS it does take me there and I am able to log in to ADFS. From there the ADFS server returns me to "/identity/signin-oidc". This gets a 302 response and is redirected to "/identity/ExternalLogin/Callback". This then displays an error message saying "Exception: External authentication error" and references line 45 of that Callback.cshtml.cs file. Looking at that file it's not immediately clear to me what has gone wrong or what I need to change to get it working?

public async Task<IActionResult> OnGet()
{
    // read external identity from the temporary cookie
    var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
    if (result?.Succeeded != true)
    {
        throw new Exception("External authentication error");
    }

    // ... remainder of the handler not included in the post
}

I've pasted below the contents of the Serilog file generated during the steps mentioned above, though I don't see anything there that helps me understand what needs to be fixed:

[13:35:16 Information] Duende.IdentityServer.Startup Starting Duende IdentityServer version 6.1.0+6f2cfe8cbe32c45c269d330d60da0016985fc99b (.NET 7.0.1)

[13:35:16 Debug] Duende.License The validated licence key details:

[13:35:16 Information] Duende.License You have a valid license key for the Duende software "Enterprise" edition

[13:35:16 Information] Duende.IdentityServer.Startup You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.

[13:35:16 Information] Duende.IdentityServer.Startup Using the default authentication scheme Identity.Application for IdentityServer

[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.Application as default ASP.NET Core scheme for authentication

[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.External as default ASP.NET Core scheme for sign-in

[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.External as default ASP.NET Core scheme for sign-out

[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.Application as default ASP.NET Core scheme for challenge

[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.Application as default ASP.NET Core scheme for forbid

[13:35:16 Information] Microsoft.Hosting.Lifetime Application started. Press Ctrl+C to shut down.

[13:35:16 Information] Microsoft.Hosting.Lifetime Hosting environment: Development

[13:35:16 Information] Microsoft.Hosting.Lifetime Content root path:

[13:35:16 Debug] Duende.IdentityServer.Startup Login Url: /Account/Login

[13:35:16 Debug] Duende.IdentityServer.Startup Login Return Url Parameter: ReturnUrl

[13:35:16 Debug] Duende.IdentityServer.Startup Logout Url: /Account/Logout

[13:35:16 Debug] Duende.IdentityServer.Startup ConsentUrl Url: /consent

[13:35:16 Debug] Duende.IdentityServer.Startup Consent Return Url Parameter: returnUrl

[13:35:16 Debug] Duende.IdentityServer.Startup Error Url: /home/error

[13:35:16 Debug] Duende.IdentityServer.Startup Error Id Parameter: errorId

[13:35:16 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Request path /.well-known/openid-configuration matched to endpoint type Discovery

[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Endpoint enabled: Discovery, successfully created handler: Duende.IdentityServer.Endpoints.DiscoveryEndpoint

[13:35:17 Information] Duende.IdentityServer.Hosting.IdentityServerMiddleware Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration

[13:35:17 Debug] Duende.IdentityServer.Endpoints.DiscoveryEndpoint Start discovery request

[13:35:17 Error] Duende.IdentityServer.Services.KeyManagement.KeyManager Error unprotecting key with kid 29AD4E83ACA0029C319654ED1D18DDE7. System.Security.Cryptography.CryptographicException: The key {dd3e9ed3-f47d-4c1b-9ea6-b77bd4d85a65} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData) at Duende.IdentityServer.Services.KeyManagement.DataProtectionKeyProtector.Unprotect(SerializedKey key) in /_/src/IdentityServer/Services/Default/KeyManagement/DataProtectionKeyProtector.cs:line 56 at Duende.IdentityServer.Services.KeyManagement.KeyManager.b__200(SerializedKey x) in //src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line 435

[13:35:17 Information] Duende.IdentityServer.Services.KeyManagement.KeyManager Active signing key found with kid F4D149FDFCA876E62909ECBE173C2FC6 for alg RS256. Expires in "74.01:39:47". Retires in "88.01:39:47"

[13:35:17 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/.well-known/openid-configuration responded 200 in 401.3436 ms

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery

[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Endpoint enabled: Discovery, successfully created handler: Duende.IdentityServer.Endpoints.DiscoveryKeyEndpoint

[13:35:17 Information] Duende.IdentityServer.Hosting.IdentityServerMiddleware Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks

[13:35:17 Debug] Duende.IdentityServer.Endpoints.DiscoveryKeyEndpoint Start key discovery request

[13:35:17 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/.well-known/openid-configuration/jwks responded 200 in 40.6819 ms

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Request path /connect/authorize matched to endpoint type Authorize

[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Endpoint enabled: Authorize, successfully created handler: Duende.IdentityServer.Endpoints.AuthorizeEndpoint

[13:35:17 Information] Duende.IdentityServer.Hosting.IdentityServerMiddleware Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.AuthorizeEndpoint for /connect/authorize

[13:35:17 Debug] Duende.IdentityServer.Endpoints.AuthorizeEndpoint Start authorize request

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Duende.IdentityServer.Endpoints.AuthorizeEndpoint No user present in authorize request

[13:35:17 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Start authorize request protocol validation

[13:35:17 Debug] Duende.IdentityServer.Stores.ValidatingClientStore client configuration validation for client succeeded.

[13:35:17 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Checking for PKCE parameters

[13:35:17 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator

[13:35:17 Debug] Duende.IdentityServer.Endpoints.AuthorizeEndpoint ValidatedAuthorizeRequest

[13:35:17 Information] Duende.IdentityServer.ResponseHandling.AuthorizeInteractionResponseGenerator Showing login: User is not authenticated

[13:35:17 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/connect/authorize?client_id=&redirect_uri=&response_type=code&scope=openid%20profile%20offline_access%20&code_challenge=XXKBbU27WVop3PuNh5Debghle3s5hWvIpxiCqOFTVyM&code_challenge_method=S256&state=OpenIdConnect.AuthenticationProperties%3DzxxCe-UpHdTTodXcWfg_vz2z3l7h1MJ77H87UJCZhSQf8CftHVUBgD7aCgXYX3tCxP2n5g296gDfFeAULCFm9O6Fj6MVI_JcWD9KBN41auXLNxddRf31wD5z65JW6osXF2OKPjGge2S0jz_d7y56dyqzFmZOj8T_YGl6U04XZcv1Shg7bCmR0Tg8OKMLc01Th9rJiv0jxInnpp7wJuciwcdU-lB6Qkf8zHcTid4qg5z_8USXVA-6SdpSkJoDGOi7iCf0ENgNItcdeUl51XZGjFnRulTB8V9NyOSlt71QCUx_D2NRzk0xH5JAvR9rrPXR&response_mode=form_post&nonce=638108553175508176.MmU1MjNjMmEtMTBjYi00MmFmLWI0MjgtNGFiMDJkMzA2MGFkMTU5ZTMwMjktN2UyOS00ODE2LWFlMDYtMGE1NjNiNmRlMDU3&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0 responded 302 in 319.6046 ms

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:18 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:18 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Start authorize request protocol validation

[13:35:18 Debug] Duende.IdentityServer.Stores.ValidatingClientStore client configuration validation for client succeeded.

[13:35:18 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Checking for PKCE parameters

[13:35:18 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/Account/Login?ReturnUrl=%2Fidentity%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3D%26redirect_uri%3D%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520offline_access%2520%26code_challenge%3DXXKBbU27WVop3PuNh5Debghle3s5hWvIpxiCqOFTVyM%26code_challenge_method%3DS256%26state%3DOpenIdConnect.AuthenticationProperties%253DzxxCe-UpHdTTodXcWfg_vz2z3l7h1MJ77H87UJCZhSQf8CftHVUBgD7aCgXYX3tCxP2n5g296gDfFeAULCFm9O6Fj6MVI_JcWD9KBN41auXLNxddRf31wD5z65JW6osXF2OKPjGge2S0jz_d7y56dyqzFmZOj8T_YGl6U04XZcv1Shg7bCmR0Tg8OKMLc01Th9rJiv0jxInnpp7wJuciwcdU-lB6Qkf8zHcTid4qg5z_8USXVA-6SdpSkJoDGOi7iCf0ENgNItcdeUl51XZGjFnRulTB8V9NyOSlt71QCUx_D2NRzk0xH5JAvR9rrPXR%26response_mode%3Dform_post%26nonce%3D638108553175508176.MmU1MjNjMmEtMTBjYi00MmFmLWI0MjgtNGFiMDJkMzA2MGFkMTU5ZTMwMjktN2UyOS00ODE2LWFlMDYtMGE1NjNiNmRlMDU3%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.3.0.0 responded 200 in 137.7757 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/css/site.css responded 200 in 5.7739 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/Logo120x120.png responded 200 in 8.1790 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/lib/bootstrap4-glyphicons/css/bootstrap-glyphicons.min.css responded 200 in 10.4015 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/lib/bootstrap/dist/css/bootstrap.min.css responded 200 in 14.3644 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/lib/bootstrap/dist/js/bootstrap.bundle.min.js responded 200 in 11.5451 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/lib/jquery/dist/jquery.slim.min.js responded 200 in 14.5905 ms

[13:35:18 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/favicon.ico responded 200 in 2.2423 ms

[13:35:20 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:20 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:21 Debug] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler HandleChallenge with Location: https://uktest.local/adfs/oauth2/authorize/?client_id=ADFSviaIdentityServer6_3&redirect_uri=https%3A%2F%2Flocalhost%2Fidentity%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=638108553215335536.ZTY4M2ZiYTQtMzlkZi00MWJiLThhNzgtYWIwMGUyNGRmNGZjMjJmNDA1ZTgtOTFiYy00ZTEwLWI0ZjktZGMzOWYxZTYwZDc2&state=CfDJ8KfzUXZy14RAlU8p4ZepU6p2pOzMMIWT_jmab0kip-NRYYJVKn8JXkxq4sILp2LEglMf8xSuctwd4y8as_8JyWvG_SgGBh74xajjx2cxea-U2NI32FceUHVuSc5eeFLNU7zDkSCLRI9IaJuN0aJ6vqzfEWto3JUlMGo8EFGMJfrnX-vhPDAZD9VMVNlwkV09C3eI2czcqElIqdBROwXHctu4YFxC2bJv4dAVDed7Y8NcAku4JNOx0ZOz3rf4vh1HLrm3AFe-W6k45bBztjKUEOjSUJuWHm5TTKrzIRF9jOXlye96Ange16SA6_CfdqtRqDCci9k4D4RKEbtSgtwmiy_QzPWzJMwYKmuut5OfKMjh3TKYEEFDpgbmXlnU6n7-iJfchg8EI8L2FRRFyCUdScA_HtHmngwpoNMGTuovi76mBHTaZuCLz8kstz_ZwMRdMf1WSuUPg_iytgpyob0J1UWZIDm1TNAI1wfi6YPfqy16agtj4wM7FptRdIqM7UxCx8SVTQsZWtbs-oudEBp9fFnqH10G4MlFNeZevcNjqr26AJja0Dni6HQlp8HZfbGneYpCzfMqPZyRta2kgg061BLTcmy0mJsQS9tgUSPdud9o5bHvJsGIpBxTufgK2uBJmA1E5owOMEHz6qJh5QAmjOj6-dow-6SuxLa--nCZp3MqGOh5Bba7qycTPft-C5itgO7gh46ymzIqJgaIX3z3S_RSu6LdRqaAWlzfEvqxzm0ehVXgEPp3CSctPy15f-DwQBeHXtWPJMoAu0c8rqc2pnP4tKLpKNiW1lSgXotw5eZ3ICy0jnfM3M2Rxza3xsB9BJ2aaPo7Rv47Ei7R6ICiJLLSDJr9DIrxkE1LSK-NSJZ4EhPweyq5KKzSwrFx5pwkM0PQCYxU_j9DbeU7qyoa308sRtGbnyg66XnKRjcCaiqKqt6Km_83jnZvUsrjank2ek8B5tBz0nFAmoECAtUyY0VbROvmwH_-yNETG0_v33JOlDC4BZlXjA8ixjMjSVFq5vOx4ZbcC1cKbFCDYh2yQ8neeIUo7ihYSQg70heSDIqDwHEmCYKVb2onEDPgMkondMQOmLolugB3ehqghnfhIrKBiMChQ6vpHeWlsk6Li9xLS_4fvO-ASevm0uFOim31vwyk5f4d1xJAfAmsVeXoEXRrWUHxwWQ7x6ephhhAQkqXgw5D2mM2-Ght5EmeUphDzQMIFk1TieGPX8iI1Sd6pJeo6DBfzr2dgwggEqwjWzP6ftZq1fixZSckGidQbkduWXykjUf97cods5omHkKIBYJC1sgOGjiydHeIsojHFFScDdgRu-d7doW7UUjqdGBPHuvWJHUrAxn7ino7EChfzkllh5NyIfy0YC1s4dg9t0S7HKk8sxUpf_M_IvNv2e6QxUIJUVMl1XuHipsRxC5qjc5Zv19LZqh-NoYae3o2_Ap_j19VRJN6WKMDLwadxJy7gyzRtCOqvKyj7rzdhhI138T8B2Cxgc0up67fH_0vB_vGKrWfRZv3h1GHlAga-X7ONhXVYrrFOQKVdGLIU7KUwc0&x-client-SKU=ID_NET6_0&x-client-ver=6.21.0.0; and Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8KfzUXZy14RAlU8p4ZepU6qWqSIgM8449vMP7yzezZ7CQs-sbRmIGBBb8g1oYaXV168iUf7HB81hHOuS9dCbHgZecJNG4mZgF3-UfN1n7uUq8IDkkZcFre9zZa7oWiQD8kmJitxfkCcmRo6aZ8RZ0VNmve8U3Ft8QKpDc7LlQtzJ4HKygO68qc3otsMVYLHFTI9tkQKsQgLUG11kvuxg8mrL4TJjlQSSncv5i8ugv8KQEgNVYa13dZ_JHqmxQzBbQvLAgVyVCmmD1VX9OiPwDYI=N; expires=Wed, 01 Feb 2023 13:50:21 GMT; path=/identity/signin-oidc; secure; samesite=none; httponly,.AspNetCore.Correlation.GwoNL4sltK6HhnquNqdD8V9YwxeUFgnGreXxWDSOQ7M=N; expires=Wed, 01 Feb 2023 13:50:21 GMT; path=/identity/signin-oidc; secure; samesite=none; httponly.

[13:35:21 Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler AuthenticationScheme: ADFS2 was challenged.

[13:35:21 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/ExternalLogin/Challenge?scheme=ADFS2&returnUrl=%2Fidentity%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3D%26redirect_uri%3D%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520offline_access%2520%26code_challenge%3DXXKBbU27WVop3PuNh5Debghle3s5hWvIpxiCqOFTVyM%26code_challenge_method%3DS256%26state%3DOpenIdConnect.AuthenticationProperties%253DzxxCe-UpHdTTodXcWfg_vz2z3l7h1MJ77H87UJCZhSQf8CftHVUBgD7aCgXYX3tCxP2n5g296gDfFeAULCFm9O6Fj6MVI_JcWD9KBN41auXLNxddRf31wD5z65JW6osXF2OKPjGge2S0jz_d7y56dyqzFmZOj8T_YGl6U04XZcv1Shg7bCmR0Tg8OKMLc01Th9rJiv0jxInnpp7wJuciwcdU-lB6Qkf8zHcTid4qg5z_8USXVA-6SdpSkJoDGOi7iCf0ENgNItcdeUl51XZGjFnRulTB8V9NyOSlt71QCUx_D2NRzk0xH5JAvR9rrPXR%26response_mode%3Dform_post%26nonce%3D638108553175508176.MmU1MjNjMmEtMTBjYi00MmFmLWI0MjgtNGFiMDJkMzA2MGFkMTU5ZTMwMjktN2UyOS00ODE2LWFlMDYtMGE1NjNiNmRlMDU3%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.3.0.0 responded 302 in 1353.5799 ms

[13:35:27 Debug] Duende.IdentityServer.Hosting.CorsPolicyProvider CORS request made for path: /signin-oidc from origin: https://uktest.local but was ignored because path was not for an allowed IdentityServer CORS endpoint

[13:35:27 Debug] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler Updating configuration

[13:35:27 Debug] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler Received 'id_token'

[13:35:27 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.External signed in.

[13:35:27 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP POST /identity/signin-oidc responded 302 in 39.6220 ms

[13:35:27 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:27 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.

[13:35:27 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: idsrv.external was not authenticated.

[13:35:27 Error] Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware An unhandled exception has occurred while executing the request. System.Exception: External authentication error
   at .Pages.ExternalLogin.Callback.OnGet() in Identity\Pages\ExternalLogin\Callback.cshtml.cs:line 45
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Convert[T](Object taskAsObject)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 116
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 94
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

[13:35:27 Error] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/ExternalLogin/Callback responded 500 in 59.2742 ms

josephdecock commented 1 year ago

The logs show that you successfully externally authenticate and this signs you in to the "Identity.External" scheme. The external login callback is trying to use a different cookie scheme, and so it is failing to read the Identity.External cookie.

You can solve this by changing the external login callback's code to use the scheme you logged in to:

var result = await HttpContext.AuthenticateAsync("Identity.External");
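The other half of the same fix is to make the hand-off explicit on the handler side, so the scheme the external handler writes and the scheme the callback reads are pinned to the same value rather than both silently depending on the global default sign-in scheme. The Program.cs below is an added example written for this thread, not code from the issue or from Duende's templates; it assumes ASP.NET Identity with hypothetical ApplicationUser and ApplicationDbContext types, and takes the "ADFS2" scheme name, the ADFS authority and the client id from the log above.

```csharp
using Duende.IdentityServer;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed store; any EF provider works the same way.
builder.Services.AddDbContext<ApplicationDbContext>(o => o.UseSqlite("Data Source=identity.db"));

// AddIdentity() is what makes Identity.Application the default authenticate /
// challenge scheme and Identity.External the default *sign-in* scheme. Those are
// exactly the "Using Identity.* as default ASP.NET Core scheme for ..." lines in
// the log, and the reason the OIDC handler wrote an Identity.External cookie.
builder.Services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

builder.Services.AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
    })
    .AddAspNetIdentity<ApplicationUser>();
    // clients, resources and signing material are not shown on this page

builder.Services.AddAuthentication()
    .AddOpenIdConnect("ADFS2", "ADFS", options =>
    {
        // Pin the scheme this handler signs in to instead of inheriting
        // DefaultSignInScheme. The Callback page must AuthenticateAsync() this
        // same scheme. IdentityConstants.ExternalScheme is "Identity.External"
        // (matching the fix in the thread); IdentityServerConstants
        // .ExternalCookieAuthenticationScheme ("idsrv.external") is what the
        // non-ASP.NET-Identity template reads. Either works if both sides agree.
        options.SignInScheme = IdentityConstants.ExternalScheme;

        options.Authority = "https://uktest.local/adfs";
        options.ClientId = "ADFSviaIdentityServer6_3";
        // id_token via form_post is what the log shows; a code flow with a client
        // secret is the stronger choice when ADFS is configured for it.
        options.ResponseType = OpenIdConnectResponseType.IdToken;
        options.ResponseMode = OpenIdConnectResponseMode.FormPost;
        options.CallbackPath = "/signin-oidc";
        options.SignedOutCallbackPath = "/signout-callback-oidc";

        // Keep claim types as issued ("name", "upn", ...) rather than the legacy
        // http://schemas.xmlsoap.org/... mappings, so the callback's claim
        // transformation sees predictable types.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "role",
        };

        // Keep the id_token in the external cookie so federated sign-out can
        // send it as id_token_hint later.
        options.SaveTokens = true;
    });

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();   // also calls UseAuthentication()
app.UseAuthorization();
app.MapRazorPages().RequireAuthorization();
app.Run();

// Hypothetical ASP.NET Identity types for this example.
public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> o) : base(o) { }
}
```

With the handler's SignInScheme set explicitly, the log line "AuthenticationScheme: Identity.External signed in" and the scheme passed to AuthenticateAsync in the callback are guaranteed to refer to the same cookie, and a later change to the global defaults (for example adding a second identity library) cannot reintroduce the mismatch.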

nhumby commented 1 year ago

That fixed it, thank you. What made it come back as "Identity.External" rather than the expected "idsrv.external"? Is this Callback page also the best place to modify the claims transformation that takes place from external claims to Identity Server claims?

josephdecock commented 1 year ago

What made it come back as "Identity.External"

I saw in your logs that Identity.External has been set as the default sign in scheme, which means that when the external identity provider starts a session, it is going to use the Identity.External scheme. You probably have code like this:

builder.Services
  .AddAuthentication(opt =>
  {
    opt.DefaultSignInScheme = "Identity.External";
    // ... maybe more auth options
  })
  .AddCookie("Identity.External", opt => { /* cookie handler options ... */ });
  // ... maybe more handlers

Is this Callback page also the best place to modify the claims transformation that takes place from external claims to Identity Server claims?

Yes, that's exactly the intended purpose of the callback page. We recommend this pattern of creating a page to do the mapping from external to internal users because it gives you a place where you can perform user interaction (if you've never seen this external user, you need to onboard them, and that might require a UI), and because it is convenient to inject dependencies and test.
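As an added example of the mapping page described in this answer (written for this thread, not the issue author's code nor Duende's template, although it follows the same shape): a Callback.cshtml.cs that reads the external cookie under the scheme the handler signed in to, allow-lists the external claims, just-in-time provisions a local ASP.NET Identity user keyed on the provider's stable subject, and cleans up. It assumes a hypothetical ApplicationUser type, and that the Challenge page stored "scheme" and "returnUrl" in AuthenticationProperties.Items (the Duende template convention).

```csharp
using System.Security.Claims;
using Duende.IdentityServer.Events;
using Duende.IdentityServer.Services;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

// Hypothetical ASP.NET Identity user type for this example.
public class ApplicationUser : IdentityUser { }

[AllowAnonymous]
public class CallbackModel : PageModel
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IEventService _events;
    private readonly ILogger<CallbackModel> _logger;

    public CallbackModel(UserManager<ApplicationUser> userManager, SignInManager<ApplicationUser> signInManager,
        IIdentityServerInteractionService interaction, IEventService events, ILogger<CallbackModel> logger)
    {
        _userManager = userManager; _signInManager = signInManager;
        _interaction = interaction; _events = events; _logger = logger;
    }

    public async Task<IActionResult> OnGet()
    {
        // 1. Read the temporary external cookie. The scheme must be the one the OIDC
        //    handler signed in to ("Identity.External signed in" in the log).
        var result = await HttpContext.AuthenticateAsync(IdentityConstants.ExternalScheme);
        if (result?.Succeeded != true || result.Principal == null || result.Properties == null)
        {
            // Log the real reason; a bare exception hides it (as in the original report).
            _logger.LogError("External authentication error: {Failure}",
                result?.Failure?.Message ?? "no cookie for scheme " + IdentityConstants.ExternalScheme);
            throw new InvalidOperationException("External authentication error");
        }
        var externalUser = result.Principal;
        var props = result.Properties;

        // 2. Values written by the Challenge page (assumed template convention).
        if (!props.Items.TryGetValue("scheme", out var provider) || provider == null)
            throw new InvalidOperationException("External provider scheme missing");
        var returnUrl = props.Items.TryGetValue("returnUrl", out var r) && !string.IsNullOrEmpty(r) ? r : "~/";

        // 3. Key the account link on the provider's stable subject, never on email or
        //    display name: those are often user-editable at the IdP and a collision
        //    would let one external account take over another local one.
        var providerUserId = externalUser.FindFirst(JwtClaimTypes.Subject)?.Value
                             ?? externalUser.FindFirst(ClaimTypes.NameIdentifier)?.Value
                             ?? throw new InvalidOperationException("Unknown userid");

        // 4. Claims transformation: only allow-listed claims reach the local user.
        var mapped = MapExternalClaims(externalUser);

        // 5. Find or just-in-time provision the local user for (provider, providerUserId).
        var user = await _userManager.FindByLoginAsync(provider, providerUserId);
        if (user == null)
        {
            user = new ApplicationUser
            {
                UserName = Guid.NewGuid().ToString(),
                Email = mapped.FirstOrDefault(c => c.Type == JwtClaimTypes.Email)?.Value,
            };
            Check(await _userManager.CreateAsync(user));
            Check(await _userManager.AddClaimsAsync(user, mapped));
            Check(await _userManager.AddLoginAsync(user, new UserLoginInfo(provider, providerUserId, provider)));
        }

        // 6. Carry the upstream session id and id_token into the local session so a
        //    later federated sign-out can reach the external IdP.
        var additionalLocalClaims = new List<Claim>();
        var localSignInProps = new AuthenticationProperties();
        var sid = externalUser.FindFirst(JwtClaimTypes.SessionId);
        if (sid != null) additionalLocalClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
        var idToken = props.GetTokenValue("id_token");
        if (idToken != null)
            localSignInProps.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = idToken } });

        await _signInManager.SignInWithClaimsAsync(user, localSignInProps, additionalLocalClaims);

        // 7. The temporary external cookie has served its purpose; remove it.
        await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);

        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        await _events.RaiseAsync(new UserLoginSuccessEvent(provider, providerUserId, user.Id, user.UserName, true, context?.Client.ClientId));

        // 8. Only follow a return URL IdentityServer issued, or a local one (open-redirect guard).
        if (context != null || Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return Redirect("~/");
    }

    private static List<Claim> MapExternalClaims(ClaimsPrincipal external)
    {
        var claims = new List<Claim>();
        void Copy(string target, params string[] sources)
        {
            var value = sources.Select(s => external.FindFirst(s)?.Value).FirstOrDefault(v => v != null);
            if (value != null) claims.Add(new Claim(target, value));
        }
        // Short JWT types when MapInboundClaims is off, SOAP-style URIs otherwise.
        Copy(JwtClaimTypes.Name, JwtClaimTypes.Name, ClaimTypes.Name);
        Copy(JwtClaimTypes.Email, JwtClaimTypes.Email, ClaimTypes.Email);
        Copy(JwtClaimTypes.GivenName, JwtClaimTypes.GivenName, ClaimTypes.GivenName);
        Copy(JwtClaimTypes.FamilyName, JwtClaimTypes.FamilyName, ClaimTypes.Surname);
        return claims;
    }

    private static void Check(IdentityResult r)
    {
        if (!r.Succeeded) throw new InvalidOperationException(r.Errors.First().Description);
    }
}
```

The onboarding branch in step 5 is where the interactive part the answer mentions would go: instead of creating the user silently, redirect to a registration page that carries the (provider, providerUserId) pair in the external cookie until the user has completed whatever the organisation requires.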

josephdecock commented 1 year ago

Any update here? Can we close this issue?