search

IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.23k stars 4.01k forks source link

"idp claim is missing" error received when trying to login after a long idle time #5398

Closed jontycool closed 1 year ago

jontycool commented 2 years ago

"idp claim is missing" error received when trying to login after leaving the browser idle for sometime.

I use IS4 as SSO for my MVC as well as React Webapp. Both the logins work fine on normal usage. But, I am facing a problem only when I leave the browser idle for sometime.

When I leave the browser idle in the MVC side and then after sometime if I visit another MVC url, it works just fine. Same is the case with React App as well (because of Silent Renewal). In the React side also, after leaving the browser idle for sometime, if I navigate within the React Webapp everything works fine.

The problem arises when I leave the browser idle in the MVC side for sometime and then click on a React URL, I am getting this "idp claim is missing" error. I have already tried to look into existing idp claim issues and their solutions but its not working out for me. Maybe I am missing out on something else.

Issue / Steps to reproduce the problem

  1. Implement SSO for MVC and React App
  2. Login to the MVC page and leave it idle for ~30mins.
  3. Enter a React url after the idle time.

Identity Server Logs

Request started: "GET" https://localhost:44300/.well-known/openid-configuration
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:44300/.well-known/openid-configuration - -
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
      CORS policy execution successful.
warn: IdentityServer4.Hosting.CorsPolicyProvider[0]
      CorsPolicyService did not allow origin: https://localhost:44302
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware[10]
      No CORS policy found for the specified request.
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
Response sent: https://localhost:44300/.well-known/openid-configuration with HTTP status 200.0
Request started: "GET" https://localhost:44300/.well-known/openid-configuration
infoRequest started: "GET" https://localhost:44300/connect/checksession
: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:44300/.well-known/openid-configuration - - - 200 - application/json;+charset=UTF-8 334.5200ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:44300/.well-known/openid-configuration - -
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
      CORS policy execution successful.
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:44300/connect/checksession - -
Response sent: https://localhost:44300/.well-known/openid-configuration with HTTP status 200.0
warnRequest started: "GET" https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInOidc&response_type=code&scope=openid%20profile%20email%20offline_access&state=8f16645da81749f6bf2c5f0dbfc42494&code_challenge=W8DsIvPemfLmRamVyKOaew6peWyYidcp68Ojzyl1a3s&code_challenge_method=S256&response_mode=query
: IdentityServer4.Hosting.CorsPolicyProvider[0]
      CorsPolicyService did not allow origin: https://localhost:44302
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware[10]
      No CORS policy found for the specified request.
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:44300/.well-known/openid-configuration - - - 200 - application/json;+charset=UTF-8 201.6097ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInOidc&response_type=code&scope=openid%20profile%20email%20offline_access&state=8f16645da81749f6bf2c5f0dbfc42494&code_challenge=W8DsIvPemfLmRamVyKOaew6peWyYidcp68Ojzyl1a3s&code_challenge_method=S256&response_mode=query - -
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
Response sent: https://localhost:44300/connect/checksession with HTTP status 200.0
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:44300/connect/checksession - - - 200 - text/html;+charset=UTF-8 283.7385ms
Request started: "GET" https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInSilent&response_type=code&scope=openid&state=bcd5073ede6a4d0cba7f722edf5d496e&code_challenge=Metaz5LRdXV5VgPWmTjRsA21OR3eVM7CE4Xw6MYAc8o&code_challenge_method=S256&prompt=none&response_mode=query
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInSilent&response_type=code&scope=openid&state=bcd5073ede6a4d0cba7f722edf5d496e&code_challenge=Metaz5LRdXV5VgPWmTjRsA21OR3eVM7CE4Xw6MYAc8o&code_challenge_method=S256&prompt=none&response_mode=query - -
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
info: IdentityServer4.Events.DefaultEventService[0]
      {
        "Details": "System.InvalidOperationException: idp claim is missing\r\n   at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)\r\n   at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IPrincipal principal)\r\n   at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessLoginAsync(ValidatedAuthorizeRequest request)\r\n   at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent)\r\n   at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)\r\n   at IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)\r\n   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)",
        "Category": "Error",
        "Name": "Unhandled Exception",
        "EventType": "Error",
        "Id": 3000,
        "Message": "idp claim is missing",
        "ActivityId": "800001ff-0001-f700-b63f-84710c7967bb",
        "TimeStamp": "2021-12-07T08:32:32Z",
        "ProcessId": 15592,
        "LocalIpAddress": "::1:44300",
        "RemoteIpAddress": "::1"
      }
info: IdentityServer4.Events.DefaultEventService[0]
      {
        "Details": "System.InvalidOperationException: idp claim is missing\r\n   at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)\r\n   at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IPrincipal principal)\r\n   at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessLoginAsync(ValidatedAuthorizeRequest request)\r\n   at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent)\r\n   at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)\r\n   at IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)\r\n   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)",
        "Category": "Error",
        "Name": "Unhandled Exception",
        "EventType": "Error",
        "Id": 3000,
        "Message": "idp claim is missing",
        "ActivityId": "80000344-0003-ff00-b63f-84710c7967bb",
        "TimeStamp": "2021-12-07T08:32:32Z",
        "ProcessId": 15592,
        "LocalIpAddress": "::1:44300",
        "RemoteIpAddress": "::1"
      }
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Unhandled exception: idp claim is missing
      System.InvalidOperationException: idp claim is missing
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IPrincipal principal)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessLoginAsync(ValidatedAuthorizeRequest request)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)
         at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Unhandled exception: idp claim is missing
      System.InvalidOperationException: idp claim is missing
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IPrincipal principal)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessLoginAsync(ValidatedAuthorizeRequest request)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)
         at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
      System.InvalidOperationException: idp claim is missing
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IPrincipal principal)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessLoginAsync(ValidatedAuthorizeRequest request)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)
         at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
         at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
         at IdentityServer4.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
      System.InvalidOperationException: idp claim is missing
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
         at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IPrincipal principal)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessLoginAsync(ValidatedAuthorizeRequest request)
         at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
         at IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)
         at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
         at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
         at IdentityServer4.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Response sent: https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInOidc&response_type=code&scope=openid%20profile%20email%20offline_access&state=8f16645da81749f6bf2c5f0dbfc42494&code_challenge=W8DsIvPemfLmRamVyKOaew6peWyYidcp68Ojzyl1a3s&code_challenge_method=S256&response_mode=query with HTTP status 500.0
Response sent: https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInSilent&response_type=code&scope=openid&state=bcd5073ede6a4d0cba7f722edf5d496e&code_challenge=Metaz5LRdXV5VgPWmTjRsA21OR3eVM7CE4Xw6MYAc8o&code_challenge_method=S256&prompt=none&response_mode=query with HTTP status 500.0
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInOidc&response_type=code&scope=openid%20profile%20email%20offline_access&state=8f16645da81749f6bf2c5f0dbfc42494&code_challenge=W8DsIvPemfLmRamVyKOaew6peWyYidcp68Ojzyl1a3s&code_challenge_method=S256&response_mode=query - - - 500 - text/html;+charset=utf-8 787.0008ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:44300/connect/authorize?client_id=AchnetReactApp&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2FsignInSilent&response_type=code&scope=openid&state=bcd5073ede6a4d0cba7f722edf5d496e&code_challenge=Metaz5LRdXV5VgPWmTjRsA21OR3eVM7CE4Xw6MYAc8o&code_challenge_method=S256&prompt=none&response_mode=query - - - 500 - text/html;+charset=utf-8 584.1890ms

React (oidc-client-js) Configuration

{
  authority: 'https://localhost:44300/',
  client_id: 'ReactApp',
  redirect_uri: 'https://localhost:44302/signInOidc',
  silent_redirect_uri: 'https://localhost:44302/signInSilent',
  post_logout_redirect_uri: 'https://localhost:44302/signOutOidc',
  response_type: 'code',
  automaticSilentRenew: true,
  scope: 'openid profile email offline_access',
  loadUserInfo: false,
  userStore: new WebStorageStateStore({ store: window.localStorage }),
}

[Please let me know if any other log is needed to understand this situation]

ghost commented 2 years ago

Could you attach the contents of ConfigureServices in the MVC app's Startup.cs? I was able to resolve this issue by adding the following:

services.Configure<SecurityStampValidatorOptions>(options =>
{
    options.OnRefreshingPrincipal = SecurityStampValidatorCallback.UpdatePrincipal;
});

See, #1878 for details.

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annnual revenue. Please get in touch with us if you have any question.