Closed shashwatsingh closed 1 year ago
You need to use distinct CallbackPath, RemoteSignOutPath, and SignedOutCallbackPath for each different handler/scheme. This is due to how the Microsoft implementation works for the OIDC handlers (and is unrelated to IdentityServer). Are you missing those?
That was it, thank you. Here's the configuration that works for both schemes:
```csharp
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    // First Azure AD tenant: every path below is suffixed with the scheme name
    .AddOpenIdConnect("idp1", "Login using idp1", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.Authority = "https://login.microsoftonline.com/tenant1/v2.0";
        options.ClientId = "...";
        options.ClientSecret = "...";
        options.CallbackPath = "/signin-oidc-idp1";
        options.RemoteSignOutPath = "/signout-callback-oidc-idp1";
        options.SignedOutCallbackPath = "/signout-oidc-idp1";
    })
    // Second Azure AD tenant: same SignInScheme, but distinct callback paths
    .AddOpenIdConnect("idp2", "Login using idp2", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.Authority = "https://login.microsoftonline.com/tenant2/v2.0";
        options.ClientId = "...";
        options.ClientSecret = "...";
        options.CallbackPath = "/signin-oidc-idp2";
        options.RemoteSignOutPath = "/signout-callback-oidc-idp2";
        options.SignedOutCallbackPath = "/signout-oidc-idp2";
    });
```
Do you think it will be useful to add a note about "every occurrence of OIDC handler (of same type) requires unique callback paths" here: https://docs.duendesoftware.com/identityserver/v6/ui/login/external/#registering-authentication-handlers-for-external-providers? If yes, I can submit a PR.
@josephdecock, thoughts?
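An added startup check, not part of the thread's code or of IdentityServer, that catches the misconfiguration discussed above before it surfaces as a state-decryption failure at login: it enumerates the registered OIDC schemes and reports any CallbackPath, RemoteSignOutPath or SignedOutCallbackPath that two schemes share. It assumes the schemes were registered with AddOpenIdConnect and that it is called with `app.Services` after `builder.Build()`; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical helper (not part of IdentityServer): inspects every registered
// OIDC scheme and reports any callback path that two schemes have in common.
public static class OidcCallbackPathCheck
{
    public static async Task<IReadOnlyList<string>> FindCollisionsAsync(IServiceProvider services)
    {
        var schemeProvider = services.GetRequiredService<IAuthenticationSchemeProvider>();
        var oidcOptions = services.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>();
        // path -> "scheme.Property" that first claimed it; request paths are matched case-insensitively
        var owners = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var collisions = new List<string>();

        foreach (var scheme in await schemeProvider.GetAllSchemesAsync())
        {
            // Only OIDC handlers (and subclasses) are affected by the shared-path problem
            if (!typeof(OpenIdConnectHandler).IsAssignableFrom(scheme.HandlerType)) continue;
            // Named options: AddOpenIdConnect("idp1", ...) registers them under "idp1"
            var o = oidcOptions.Get(scheme.Name);
            var paths = new[]
            {
                ("CallbackPath", o.CallbackPath),
                ("RemoteSignOutPath", o.RemoteSignOutPath),
                ("SignedOutCallbackPath", o.SignedOutCallbackPath),
            };
            foreach (var (property, path) in paths)
            {
                if (!path.HasValue) continue;
                var claim = $"{scheme.Name}.{property}";
                if (owners.TryGetValue(path.Value!, out var owner))
                    collisions.Add($"{claim} = \"{path.Value}\" is already used by {owner}");
                else
                    owners[path.Value!] = claim;
            }
        }
        return collisions;
    }
}
```

Call it once before `app.Run()` and throw if the returned list is non-empty; with the idp1/idp2 configuration above it returns an empty list, while two schemes left on the default `/signin-oidc` produce an entry naming both.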
@shashwatsingh, that makes sense to me - thanks a lot!
Which version of Duende IdentityServer are you using? v6.3.0
Which version of .NET are you using? 6.0
Describe the bug
Already searched issues in this repo and official docs.
My problem is this:
Using multiple external authentication OIDC schemes having the same SignInScheme works for idp1 but fails for idp2: it fails to decrypt the state parameter for idp2 (because it is using the IDataProtector for idp1?)
To Reproduce
Use the starter for Microsoft Identity and add two different Azure AD tenants similar to https://docs.duendesoftware.com/identityserver/v6/ui/login/external/#state-url-length-and-isecuredataformat.
Also configured DataProtector:
Then login using idp2.
Expected behavior
state parameter should be decoded using the respective data protector, and login should succeed.
Log output/exception with stacktrace