Closed chernihiv closed 4 years ago
In addition, I have a custom implementation of the IMultiTenantStrategy interface, and when step 5 (https://localhost:44380/signin-oidc?...) occurs I do not know the current tenant, so my GetIdentifierAsync returns NULL.

I noticed that in such a case the default RemoteAuthenticationStrategy.GetIdentifierAsync is called, but since the request doesn't contain state, it leads to a NullReference.

I decided to hard-code and return the proper ID; now RemoteAuthenticationStrategy.GetIdentifierAsync is not called, however the result is the same as above:

- The MessageReceived event of OpenIdConnectEvents occurs with
  ProtocolMessage.Error = "access_denied"
  ProtocolMessage.Description = "user not allowed access to app"
- The RemoteFailure event of OpenIdConnectEvents occurs with
  Correlation failed.

Maybe it makes sense to fix the NullReference in the following way:
```csharp
// Null-safe lookup for RemoteAuthenticationStrategy.GetIdentifierAsync:
// unprotect the state with whichever scheme's options apply, then return
// null instead of dereferencing a state that was never sent back.
var properties = oAuthOptions?.StateDataFormat.Unprotect(state) ??
                 openIdConnectOptions?.StateDataFormat.Unprotect(state);
if (properties == null)
{
    return null; // no usable state: the tenant cannot be determined here
}
if (properties.Items.Keys.Contains("tenantIdentifier"))
{
    return properties.Items["tenantIdentifier"] as string;
}
```
My workaround is:

From the perspective of Finbuckle.MultiTenant: fixed the null reference exception in RemoteAuthenticationStrategy.

From the perspective of MyProject: overrode MessageReceived of OpenIdConnectEvents as:
```csharp
public override Task MessageReceived(MessageReceivedContext context)
{
    // The provider reported an error (e.g. access_denied); show it to the user
    // instead of letting the handler continue and fail on the missing state.
    if (context?.ProtocolMessage?.Error != null)
    {
        // Provider-supplied strings are URL-encoded so they cannot inject
        // extra query parameters into the redirect.
        var error = Uri.EscapeDataString(context.ProtocolMessage.Error);
        var title = Uri.EscapeDataString(context.ProtocolMessage.ErrorDescription ?? string.Empty);
        context.Response.Redirect($"/error?message={error}&title={title}");
        context.HandleResponse(); // short-circuit the OpenID Connect handler
    }
    return base.MessageReceived(context);
}
```
hi @chernihiv thanks for reporting this and providing all the details. I think you have a good approach here. Curious, does Okta or others return the state when access is denied? Any way to get Idaptive to return it? I need to check the OpenId Connect specs on that.
I agree with your fix on the RemoteAuthenticationStrategy -- I am just about to release 5.0, but do you want to submit a PR real quick with your null reference fix? If not I can add it later today.
@chernihiv I am going to go ahead and put in a null check and log a warning if that condition occurs. I checked the OpenID Connect spec here and section 3.1.2.6 (and the OAuth 2.0 spec it references) say that a state response parameter is REQUIRED if one was passed. You might want to log this as an issue with Idaptive.
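The failure mode discussed in this thread, in one self-contained example added here (it is not code from the Finbuckle.MultiTenant project or from the reporter): a callback-aware tenant resolver that treats a missing or unreadable state parameter as "tenant unknown" and logs a warning, paired with an OpenIdConnectEvents subclass that reports the provider's error without letting the handler fail on correlation. The class names StateTolerantTenantResolver and SafeOidcEvents, the constructor-injected ISecureDataFormat and ILogger, and the /error page are assumptions; the "tenantIdentifier" key and the access_denied scenario come from the thread.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Hypothetical resolver (not Finbuckle's RemoteAuthenticationStrategy) that
// reads the protected "state" from a remote-authentication callback and
// returns null, rather than throwing, when no usable state is present.
public class StateTolerantTenantResolver
{
    private const string TenantKey = "tenantIdentifier"; // key name used in this thread
    private readonly ISecureDataFormat<AuthenticationProperties> _stateFormat; // assumed: the scheme's StateDataFormat
    private readonly ILogger _logger;

    public StateTolerantTenantResolver(
        ISecureDataFormat<AuthenticationProperties> stateFormat, ILogger logger)
    {
        _stateFormat = stateFormat;
        _logger = logger;
    }

    public Task<string> GetIdentifierAsync(HttpContext httpContext)
    {
        var request = httpContext.Request;
        string state = null;

        // form_post responses carry state in the body, query responses in the URL
        if (HttpMethods.IsPost(request.Method) && request.HasFormContentType)
            state = request.Form["state"];
        else if (HttpMethods.IsGet(request.Method))
            state = request.Query["state"];

        // A provider that answers access_denied without echoing state (the case
        // reported above) lands here; the spec requires state to be echoed.
        if (string.IsNullOrEmpty(state))
        {
            _logger.LogWarning("Callback {Path} arrived without a state parameter; tenant cannot be resolved",
                request.Path);
            return Task.FromResult<string>(null);
        }

        AuthenticationProperties properties;
        try
        {
            properties = _stateFormat.Unprotect(state);
        }
        catch (Exception ex) // tampered, expired or foreign-key state
        {
            _logger.LogWarning(ex, "State parameter could not be unprotected");
            return Task.FromResult<string>(null);
        }

        if (properties == null || !properties.Items.TryGetValue(TenantKey, out var tenant))
            return Task.FromResult<string>(null);

        return Task.FromResult(tenant);
    }
}

// Hypothetical events class: surfaces the provider's error to the user and
// stops the handler, so the missing state never reaches correlation checks.
public class SafeOidcEvents : OpenIdConnectEvents
{
    public override Task MessageReceived(MessageReceivedContext context)
    {
        var message = context.ProtocolMessage;
        if (!string.IsNullOrEmpty(message?.Error))
        {
            // Encode provider-controlled strings before placing them in a URL
            var error = Uri.EscapeDataString(message.Error);
            var title = Uri.EscapeDataString(message.ErrorDescription ?? string.Empty);
            context.Response.Redirect($"/error?message={error}&title={title}");
            context.HandleResponse();
        }
        return base.MessageReceived(context);
    }
}
```

The resolver returns null on every path where the state is absent or cannot be unprotected, so a caller sees "no tenant" rather than an unhandled exception, and the warning log gives an operator the callback path to correlate with the provider's access-denied response. Assigning SafeOidcEvents to OpenIdConnectOptions.Events is the remaining wiring step and is left to the host application.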
I did an integration with the Idaptive external provider and started to receive MultiTenantException when the user has not got access to the application (permissions to the app in Idaptive). Most likely it's not connected to the Finbuckle.MultiTenant implementation. It might be either my configuration or the implementation of OpenIdConnect on the Idaptive side. But, anyway, I decided to create an issue.

What I do: a Challenge on my oidc scheme occurs and I can see the challenge request in my browser/fiddler with correct request data (including state) and receive the following exception:

None of the OpenIdConnectEvents events occurs to handle the response properly. When RemoteAuthenticationStrategy.GetIdentifierAsync is triggered, my request does not contain state, that's why properties is null and a NullReferenceException occurs.

I tried to fix the NullReferenceException in RemoteAuthenticationStrategy, just returning null instead of tenantIdentifier, therefore:

- The MessageReceived event of OpenIdConnectEvents occurs with
- The RemoteFailure event of OpenIdConnectEvents occurs with

System info: Finbuckle.MultiTenant 3.2.0, .NET Core 2.2 (latest)