IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Repeating Start Authorize Requests #3119

Closed tracsorenson closed 8 years ago

tracsorenson commented 8 years ago

What would trigger a loop of Start authorize requests for the same subject until it culminates in: [Error] "Check session endpoint enabled, but SessionId is missing"? The Identity Server log recorded continuous Start authorize requests almost every second for 40 seconds until it finally recorded the error. I am using the Windows Authentication plugin. I have an [Authorize] attribute on the web portal controller and am using the MVC hybrid flow. Using Identity Server version 2.5.

### Identity Server Config

    using System.Threading.Tasks;
    using IdentityServer3.Core.Configuration;
    using IdentityServer3.WindowsAuthentication.Configuration;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    // OWIN startup class of the IdentityServer host. The class wrapper and the usings
    // above are added for completeness; Clients, Scopes, Certificate, HostConstants,
    // MaskDBConnection and ConfigureMaskUserService are project helpers not shown here.
    public class Startup
    {
        public void Configuration(IAppBuilder appBuilder)
        {
            // Windows authentication runs as a separate WS-Federation IdP under /windows
            appBuilder.Map("/windows", ConfigureWindowsTokenProvider);

            var factory = new IdentityServerServiceFactory()
                .UseInMemoryClients(Clients.Get())
                .UseInMemoryScopes(Scopes.Get());

            factory.ConfigureMaskUserService(MaskDBConnection.GetConnection());

            var options = new IdentityServerOptions
            {
                SiteName = "Identity Server (Mask Technology Center)",
                SigningCertificate = Certificate.Load(),
                Factory = factory,
                AuthenticationOptions = new AuthenticationOptions
                {
                    // no local username/password login; Windows is the only IdP
                    EnableLocalLogin = false,
                    IdentityProviders = ConfigureIdentityProviders,
                    EnableAutoCallbackForFederatedSignout = true,
                },
            };

            appBuilder.UseIdentityServer(options);
        }

        private static void ConfigureWindowsTokenProvider(IAppBuilder app)
        {
            app.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
            {
                IdpReplyUrl = HostConstants.WASReplyUrl,
                SigningCertificate = Certificate.Load(),
                EnableOAuth2Endpoint = false
            });
        }

        private void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
        {
            var wsFederation = new WsFederationAuthenticationOptions
            {
                AuthenticationType = "windows",
                Caption = "Windows",
                SignInAsAuthenticationType = signInAsType,

                MetadataAddress = HostConstants.WSFedMetadataAddress,
                Wtrealm = "urn:idsrv3",

                Notifications = new WsFederationAuthenticationNotifications
                {
                    // ignore signout requests (we can't sign out of Windows)
                    RedirectToIdentityProvider = n =>
                    {
                        if (n.ProtocolMessage.IsSignOutMessage)
                        {
                            // tell IdentityServer to manage the sign out instead of the Windows provider
                            n.OwinContext.Authentication.SignOut();
                            n.HandleResponse();
                        }

                        return Task.FromResult(0);
                    }
                }
            };
            app.UseWsFederationAuthentication(wsFederation);
        }
    }

### First of repeating Authorize Requests (all successful)
2016-08-03 18:01:29 [Information] Start authorize request
2016-08-03 18:01:29 [Information] Start authorize request protocol validation
2016-08-03 18:01:29 [Information] "Authorize request validation success"
 "{
  \"ClientId\": \"mask\",
  \"ClientName\": \"Mask Technology Center\",
  \"RedirectUri\": \"https://bowvmask03.xxx.com/mask/\",
  \"AllowedRedirectUris\": [
    \"https://localhost:44300/\",
    \"https://bowvmask03.xxx.com/masktst/\",
    \"https://bowvmask03.xxx.com/mask/\"
  ],
  \"SubjectId\": \"cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9\",
  \"ResponseType\": \"code id_token\",
  \"ResponseMode\": \"form_post\",
  \"Flow\": \"Hybrid\",
  \"RequestedScopes\": \"openid email roles micuser status ships waiver edc workorder offline_access\",
  \"State\": \"OpenIdConnect.AuthenticationProperties=ts4-ZNuVJUnheJ_mxNylZ1B6jjR0qwYCDXcvE_4MvZMeTovWTJmwh1YDvOEeQIMlLs6wFlDd4KmNFuYfPSI5nnC4EToBxXBtv1awycoZt2BJMn4wTmpKKRzKw_YF110ZLd_Aq0OM8ab50Kf2YmhU6rohfwJMtFCRdpg_K0-v4OomP81_dfSX4el2l9-ppOHxt5NuMCCCfQWAUrr2j5OVeeV3o2QpGnGcqmbF5kOOScencNvmYCcG8sB7UBDwdHcY\",
  \"Nonce\": \"636058656860010500.MDYwYzVhNTktZmNhZS00MTI4LThiMWEtM2JmYzEyMTQ5ZDU1NDNlMjY2MjEtM2Q3OS00NDY2LTg4ODQtNmZmMDM5NDBkZTRj\",
  \"SessionId\": \"3bbbccb879e8da39ae557306800e61eb\",
  \"Raw\": {
    \"client_id\": \"mask\",
    \"redirect_uri\": \"https://bowvmask03.xxx.com/mask/\",
    \"response_mode\": \"form_post\",
    \"response_type\": \"code id_token\",
    \"scope\": \"openid email roles micuser status ships waiver edc workorder offline_access\",
    \"state\": \"OpenIdConnect.AuthenticationProperties=ts4-ZNuVJUnheJ_mxNylZ1B6jjR0qwYCDXcvE_4MvZMeTovWTJmwh1YDvOEeQIMlLs6wFlDd4KmNFuYfPSI5nnC4EToBxXBtv1awycoZt2BJMn4wTmpKKRzKw_YF110ZLd_Aq0OM8ab50Kf2YmhU6rohfwJMtFCRdpg_K0-v4OomP81_dfSX4el2l9-ppOHxt5NuMCCCfQWAUrr2j5OVeeV3o2QpGnGcqmbF5kOOScencNvmYCcG8sB7UBDwdHcY\",
    \"nonce\": \"636058656860010500.MDYwYzVhNTktZmNhZS00MTI4LThiMWEtM2JmYzEyMTQ5ZDU1NDNlMjY2MjEtM2Q3OS00NDY2LTg4ODQtNmZmMDM5NDBkZTRj\"
  }
}"
2016-08-03 18:01:29 [Information] Creating Hybrid Flow response.
2016-08-03 18:01:29 [Information] Creating Implicit Flow response.
2016-08-03 18:01:29 [Debug] Creating identity token
2016-08-03 18:01:29 [Information] Getting claims for identity token for subject: cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9
2016-08-03 18:01:29 [Debug] Creating JWT identity token
2016-08-03 18:01:29 [Debug] Adding client "mask" to client list cookie for subject "cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9"
2016-08-03 18:01:29 [Information] End authorize request
2016-08-03 18:01:29 [Information] Posting to https://bowvmask03.xxx.com/mask/
2016-08-03 18:01:29 [Debug] Using DefaultViewService to render authorization response HTML
2016-08-03 18:01:31 [Information] Start token request
2016-08-03 18:01:31 [Debug] Start client validation
2016-08-03 18:01:31 [Debug] Start parsing Basic Authentication secret
2016-08-03 18:01:31 [Debug] Parser found secret: "BasicAuthenticationSecretParser"
2016-08-03 18:01:31 [Information] Secret id found: "mask"
2016-08-03 18:01:31 [Debug] Secret validator success: "HashedSharedSecretValidator"
2016-08-03 18:01:31 [Information] Client validation success
2016-08-03 18:01:31 [Information] Start token request validation
2016-08-03 18:01:31 [Information] Start validation of authorization code token request
2016-08-03 18:01:31 [Information] Validation of authorization code token request success
2016-08-03 18:01:31 [Information] Token request validation success
 {
  "ClientId": "mask",
  "ClientName": "Mask Technology Center",
  "GrantType": "authorization_code",
  "AuthorizationCode": "d80b91ecd1b55a999f1b7e371388ffc2",
  "Raw": {
    "grant_type": "authorization_code",
    "code": "d80b91ecd1b55a999f1b7e371388ffc2",
    "redirect_uri": "https://bowvmask03.xxx.com/mask/"
  }
}
2016-08-03 18:01:31 [Information] Creating token response
2016-08-03 18:01:31 [Information] Processing authorization code request
2016-08-03 18:01:31 [Debug] Creating access token
2016-08-03 18:01:31 [Debug] Creating refresh token
2016-08-03 18:01:31 [Debug] Setting an absolute lifetime: 2592000
2016-08-03 18:01:31 [Debug] Creating reference access token
2016-08-03 18:01:31 [Debug] Creating identity token
2016-08-03 18:01:31 [Information] Getting claims for identity token for subject: cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9
2016-08-03 18:01:31 [Debug] Creating JWT identity token
2016-08-03 18:01:31 [Information] End token request
2016-08-03 18:01:31 [Information] Returning token response.
2016-08-03 18:01:31 [Information] Start userinfo request
2016-08-03 18:01:31 [Information] Token found: AuthorizationHeader
2016-08-03 18:01:31 [Information] Start access token validation
2016-08-03 18:01:31 [Information] "Token validation success"
"{
  \"ValidateLifetime\": true,
  \"AccessTokenType\": \"Reference\",
  \"ExpectedScope\": \"openid\",
  \"TokenHandle\": \"6b49c05a882d7aba4fe1a4ff2f71bf72\",
  \"Claims\": {
    \"aud\": \"https://bowvmask03.xxx.com/idsrv/core/resources\",
    \"iss\": \"https://bowvmask03.xxx.com/idsrv/core\",
    \"nbf\": \"1470268891\",
    \"exp\": \"1470272491\",
    \"client_id\": \"mask\",
    \"scope\": [
      \"openid\",
      \"email\",
      \"roles\",
      \"micuser\",
      \"status\",
      \"ships\",
      \"waiver\",
      \"edc\",
      \"workorder\",
      \"offline_access\"
    ],
    \"sub\": \"cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9\",
    \"auth_time\": 1470268889,
    \"idp\": \"windows\",
    \"amr\": \"external\",
    \"preferred_username\": \"SNAME\",
    \"email\": \"sname@xxx.com\",
    \"name\": \"SOME NAME\",
    \"given_name\": \"SOME\",
    \"family_name\": \"SOMENAME\",
    \"role\": \"FAB\"
  }
}"
2016-08-03 18:01:31 [Information] Creating userinfo response
2016-08-03 18:01:31 [Information] Scopes in access token: "openid email roles micuser status ships waiver edc workorder offline_access"
2016-08-03 18:01:31 [Information] Requested claim types: "sub email email_verified role preferred_username"
2016-08-03 18:01:31 [Information] Profile service returned to the following claim types: "sub preferred_username email email_verified email role"
2016-08-03 18:01:31 [Information] End userinfo request
2016-08-03 18:01:31 [Information] Returning userinfo response.

### Final Authorize Request
2016-08-03 18:02:09 [Error] "Check session endpoint enabled, but SessionId is missing"
 "{
  \"ClientId\": \"mask\",
  \"ClientName\": \"Mask Technology Center\",
  \"RedirectUri\": \"https://bowvmask03.xxx.com/mask/\",
  \"AllowedRedirectUris\": [
    \"https://localhost:44300/\",
    \"https://bowvmask03.xxx.com/masktst/\",
    \"https://bowvmask03.xxx.com/mask/\"
  ],
  \"SubjectId\": \"cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9\",
  \"ResponseType\": \"code id_token\",
  \"ResponseMode\": \"form_post\",
  \"Flow\": \"Hybrid\",
  \"RequestedScopes\": \"openid email roles micuser status ships waiver edc workorder offline_access\",
  \"State\": \"OpenIdConnect.AuthenticationProperties=xFFEdX-55wPwnoEgzkoYohgMKNSVu8OB41Z5gPEoMgW_zZfbZ8MfTT4_DT7WcBlqFyAzulZkeJb4ISJN4SsbLfHZVkkN1YK4VX4CkYHkpkgIGwkjFU-n_4gYzhVmcawM3BsvURbCiaL7o2JTIfmRQjScO_r8AfZ1hdqSEn17thGiu6XqQyIkagSt6A2HeHPqgGjrK6_c0JREp0WLlPuhL80H28YzjLehnqKBBx89T5n4S-fksvrjduM-xecSdREw\",
  \"Nonce\": \"636058657291197264.MTc5Y2FiNjgtZWVhNi00Y2VlLWEwZGUtMTFmYTg4ODEyODczM2NkMDUxMmMtMmQwNi00Y2NiLThmN2YtNDA4MzYyOTRjYzNj\",
  \"Raw\": {
    \"client_id\": \"mask\",
    \"redirect_uri\": \"https://bowvmask03.xxx.com/mask/\",
    \"response_mode\": \"form_post\",
    \"response_type\": \"code id_token\",
    \"scope\": \"openid email roles micuser status ships waiver edc workorder offline_access\",
    \"state\": \"OpenIdConnect.AuthenticationProperties=xFFEdX-55wPwnoEgzkoYohgMKNSVu8OB41Z5gPEoMgW_zZfbZ8MfTT4_DT7WcBlqFyAzulZkeJb4ISJN4SsbLfHZVkkN1YK4VX4CkYHkpkgIGwkjFU-n_4gYzhVmcawM3BsvURbCiaL7o2JTIfmRQjScO_r8AfZ1hdqSEn17thGiu6XqQyIkagSt6A2HeHPqgGjrK6_c0JREp0WLlPuhL80H28YzjLehnqKBBx89T5n4S-fksvrjduM-xecSdREw\",
    \"nonce\": \"636058657291197264.MTc5Y2FiNjgtZWVhNi00Y2VlLWEwZGUtMTFmYTg4ODEyODczM2NkMDUxMmMtMmQwNi00Y2NiLThmN2YtNDA4MzYyOTRjYzNj\"
  }
}"
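The pattern in the log above (one successful authorize request per second for the same SubjectId, each iteration also minting a reference access token and a refresh token with a 2592000-second absolute lifetime, then the check-session error) is easy to miss in a busy IdP log. The following is an added example, not part of the issue or of IdentityServer3: a small detector that groups the Serilog text events, decodes the escaped-JSON payload that follows `Authorize request validation success`, and flags any (ClientId, SubjectId) pair exceeding a rate threshold, together with every `SessionId is missing` error. The sample log lines are constructed to mirror the issue's format; the threshold and window are assumptions.

```python
"""Detect authorize-request loops in IdentityServer3 Serilog text logs.

Added example, not from the issue or IdentityServer3. Sample data is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event header: "<timestamp> [<Level>] <message>"; payload, if any, follows indented.
EVENT_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$')
TS_FMT = '%Y-%m-%d %H:%M:%S'
AUTHZ_OK = 'Authorize request validation success'
SESSION_ERROR = 'Check session endpoint enabled, but SessionId is missing'


def _decode_payload(lines):
    """Decode the payload lines after a header. IdentityServer3 emits either plain
    JSON (token request) or a JSON string holding escaped JSON with raw newlines
    (authorize request), hence the two-step decode with strict=False."""
    raw = '\n'.join(lines).strip()
    if not raw:
        return None
    try:
        obj = json.loads(raw, strict=False)
        if isinstance(obj, str):
            obj = json.loads(obj, strict=False)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def parse_events(text):
    """Return [(timestamp, level, message, payload_or_None)] for a log excerpt."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append([datetime.strptime(m.group(1), TS_FMT), m.group(2),
                           m.group(3).strip().strip('"'), []])
        elif events:  # continuation line belonging to the previous event
            events[-1][3].append(line)
    return [(ts, lvl, msg, _decode_payload(buf)) for ts, lvl, msg, buf in events]


def find_loops(events, threshold=5, window=timedelta(seconds=10)):
    """Map (ClientId, SubjectId) -> peak number of successful authorize requests
    within any interval of length `window`, keeping only keys at or above
    `threshold`. A healthy sign-in produces one such request per user."""
    stamps = defaultdict(list)
    for ts, _lvl, msg, payload in events:
        if msg == AUTHZ_OK and payload:
            stamps[(payload.get('ClientId'), payload.get('SubjectId'))].append(ts)
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def find_session_errors(events):
    """Return [(timestamp, ClientId, SubjectId)] for each check-session error."""
    return [(ts, (p or {}).get('ClientId'), (p or {}).get('SubjectId'))
            for ts, lvl, msg, p in events if lvl == 'Error' and msg == SESSION_ERROR]


def _render(ts, level, message, payload):
    """Render an event the way the issue's log shows it: quoted message, then the
    payload as indented JSON inside a JSON string with escaped quotes."""
    inner = json.dumps(payload, indent=2).replace('"', '\\"')
    return f'{ts.strftime(TS_FMT)} [{level}] "{message}"\n "{inner}"'


def build_sample_log():
    """Constructed sample: six authorize requests in six seconds for one subject,
    one for another subject, then the check-session error 40 s in."""
    subject = 'cf808a80-1ab1-47cc-a5e1-a9a8ab0a75f9'
    t0 = datetime(2016, 8, 3, 18, 1, 29)
    lines = []
    for i in range(6):
        ts = t0 + timedelta(seconds=i)
        lines.append(f'{ts.strftime(TS_FMT)} [Information] Start authorize request')
        lines.append(_render(ts, 'Information', AUTHZ_OK, {
            'ClientId': 'mask', 'SubjectId': subject, 'Flow': 'Hybrid',
            'SessionId': '3bbbccb879e8da39ae557306800e61eb',
            'Raw': {'client_id': 'mask', 'response_type': 'code id_token'}}))
        lines.append(f'{ts.strftime(TS_FMT)} [Debug] Creating refresh token')
    lines.append(_render(t0 + timedelta(seconds=2), 'Information', AUTHZ_OK, {
        'ClientId': 'mask', 'SubjectId': 'other-subject', 'SessionId': 'deadbeef'}))
    lines.append(_render(t0 + timedelta(seconds=40), 'Error', SESSION_ERROR, {
        'ClientId': 'mask', 'SubjectId': subject}))  # no SessionId in the error payload
    return '\n'.join(lines)


if __name__ == '__main__':
    evts = parse_events(build_sample_log())
    for (client, sub), n in find_loops(evts).items():
        print(f'LOOP: client={client} subject={sub} peak={n} authorize requests in 10s')
    for ts, client, sub in find_session_errors(evts):
        print(f'SESSION ID MISSING: {ts} client={client} subject={sub}')
```

Run against a real log file by replacing `build_sample_log()` with the file's contents. The loop detector keys on the successful-validation payload rather than the bare `Start authorize request` line because only the payload carries ClientId and SubjectId; with `offline_access` in the requested scopes, every flagged iteration also corresponds to a newly persisted refresh token in the operational store, which is worth cleaning up once the client-side cause is fixed.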
brockallen commented 8 years ago

For some reason the session id cookie is missing -- that's what you need to debug and find out why it's getting lost/dropped.

brockallen commented 8 years ago

Any progress/update?

tracsorenson commented 8 years ago

After doing some reading on similar issues posted here I believe my issue is similar to #2496 and several others. I have implemented an empty Session_Start() {} in my client. I'll close this issue for now. It has been random and hard to track down.
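The empty Session_Start() in Global.asax is the workaround usually applied to the Katana-in-System.Web cookie-loss problem, where System.Web rewrites the response cookies after the OWIN cookie middleware has already written its Set-Cookie header. When the client's authentication cookie never reaches the browser, [Authorize] finds no identity on the next request, the OpenID Connect middleware challenges again, and the IdP (which still has a valid Windows SSO session) answers silently, which is one explanation consistent with the per-second authorize requests in the log. The following is an added example, not code from the issue, from IdentityServer3 or from the Katana samples: the client-side OWIN startup for the hybrid-flow portal, using Katana's `SystemWebCookieManager` instead of the Session_Start() workaround. The authority (the `iss` in the log), client id and redirect URI come from the log above; the authentication type names, cookie name and scope list are assumptions, and the authorization-code redemption and userinfo call visible in the log are not shown.

```csharp
// Added example: OWIN startup for the ASP.NET MVC client (the "web portal") in the
// thread. Not code from the issue or from IdentityServer3. Assumed: the "Cookies" and
// "oidc" authentication type names, the cookie name and the scope list.
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The cookie [Authorize] checks on every request. If System.Web rewrites the
        // response after Katana set it, the browser never receives it, [Authorize]
        // sees no identity, and the OIDC middleware challenges again on every page
        // load: one new /connect/authorize request per request to the portal.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            CookieName = "mask.portal",
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,

            // Without CookieManager, Katana writes Set-Cookie via the OWIN response
            // headers, which System.Web's own cookie handling can clobber. Routing
            // the cookie through System.Web's Response.Cookies avoids the conflict
            // without relying on an empty Session_Start() in Global.asax.
            CookieManager = new SystemWebCookieManager()
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            Authority = "https://bowvmask03.xxx.com/idsrv/core",   // "iss" in the log
            ClientId = "mask",
            RedirectUri = "https://bowvmask03.xxx.com/mask/",
            ResponseType = "code id_token",                         // hybrid flow
            Scope = "openid email roles offline_access",            // subset of the log's scopes
            SignInAsAuthenticationType = "Cookies"

            // Hybrid flow: the middleware validates the id_token and nonce; the
            // authorization code is redeemed at the token endpoint in an
            // AuthorizationCodeReceived notification (the token and userinfo
            // requests in the log), which is omitted here.
        });
    }
}
```

The security-relevant part is the cookie middleware block: the OIDC middleware only runs the challenge, so if the sign-in cookie it hands to the cookie middleware is dropped, every protected request becomes a fresh authorization request, and with `offline_access` in scope every iteration persists another 30-day refresh token at the IdP.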