IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

HttpContext is null when token expires #5459

Closed blarsern closed 2 years ago

blarsern commented 2 years ago

Hi, I'm using Aurelia with the oidc-js client, implicit flow.

Now this seems to be working: I can log in, log out, and log in using external providers. Everything seems to be working except when the token expires.

So when the token expires and I click on something in my app which requires auth, it sends an authorize request to my identityserver: /connect/authorize ?client_id=myclient&redirect_uri=https%3A%2F%2Flocalhost%3A9000%2Fsignin-oidc&response_type=id_token%20token&scope=openid%20myscope&state=848d88c7f0d04686b....&nonce=f0d9a7fee1f24df0acbce04....&app=MyApp

Then it hits this function on the server: IdentityServerMiddleware.Invoke(HttpContext context, )

Which calls: await session.RemoveSessionIdCookieAsync();

```csharp
public virtual Task RemoveSessionIdCookieAsync()
{
    if (HttpContext.Request.Cookies.ContainsKey(CheckSessionCookieName))
    {
        // only remove it if we have it in the request
        var options = CreateSessionIdCookieOptions();
        options.Expires = Clock.UtcNow.UtcDateTime.AddYears(-1);

        HttpContext.Response.Cookies.Append(CheckSessionCookieName, ".", options);
    }
    return Task.CompletedTask;
}
```

Now inside RemoveSessionIdCookieAsync the HttpContext is null, so it crashes with a NullReferenceException.

But in IdentityServerMiddleware.Invoke(HttpContext context, ) the context being passed in is not null?

This context contains 7 cookies: "_ga=" "ai_user=" "_hjid=" "_gid=" ".AspNetCore.Antiforgery.za_sVcSxqek=" "idsrv.session=" ".AspNetCore.Identity.Application="

And 20 headers..

So this context and request seems fine, but the context inside RemoveSessionIdCookieAsync is null..

IdentityServer 4 is using the latest v4 nugets 4.1.2, latest QuickStart UI.

And also the HttpContext accessor is added in startup: services.AddHttpContextAccessor(); after configuring the DB context.

The requests sent from the oidc client when the token has expired:

- https://localhost:5001/.well-known/openid-configuration
- https://localhost:5001/connect/checksession
- https://localhost:5001/.well-known/openid-configuration/jwks
- https://localhost:5001/connect/authorize? <- Which causes the NullReference

Log on server when this happens:

```
Request starting HTTP/2 GET https://localhost:5001/connect/authorize?<snip, see above>
dbug: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[4]
      The request path /connect/authorize does not match a supported file type
info: Microsoft.EntityFrameworkCore.Infrastructure[10403]

dbug: Microsoft.AspNetCore.Identity.SignInManager[4]
      Failed to validate a security stamp.
dbug: Microsoft.AspNetCore.Identity.SecurityStampValidator`1[[Volmax.IdentityServer.Data.Models.ApplicationUser, Volmax.IdentityServer.Data, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]][0]
      Security stamp validation failed, rejecting cookie.
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[11]
      AuthenticationScheme: Identity.Application signed out.
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[11]
      AuthenticationScheme: Identity.External signed out.
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[11]
      AuthenticationScheme: Identity.TwoFactorUserId signed out.
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7]
      Identity.Application was not authenticated. Failure message: No principal.
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1000]
      No candidates found for the request path '/connect/authorize'
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[2]
      Request did not match any endpoints
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7]
      Identity.Application was not authenticated. Failure message: No principal.
```

If the token expires on the client I get a NullReferenceException. But if I then delete this cookie: .AspNetCore.Identity.Application, then retry, it all works as it should. I get redirected to the login dialog.

I cannot avoid the server crashing without deleting the cookie. So what to do? Seems like this is a bug in IdentityServer4 v4? I doubt the client can cause this.. And I can't see how I can do things any differently server side? Any tips at all for fixing this? Some magic config regarding the httpcontext which I have overlooked?

Thanks. Bjørn
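Added example, not IdentityServer's code and not the reporter's local fix: a defensive variant of the method quoted above that takes the HttpContext the middleware already holds, falls back to IHttpContextAccessor only when none is passed, and returns instead of throwing when neither is available, so an expired client token cannot turn into a server 500. The class name, the explicit-context parameter and the cookie options are assumptions; "idsrv.session" is the cookie name seen in the request.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Illustrative class (assumed name); stands in for IdentityServer's session service.
public class SafeSessionCookieRemover
{
    private const string CheckSessionCookieName = "idsrv.session";
    private readonly IHttpContextAccessor _accessor;
    private readonly ISystemClock _clock;
    private readonly ILogger<SafeSessionCookieRemover> _logger;

    public SafeSessionCookieRemover(IHttpContextAccessor accessor, ISystemClock clock,
                                    ILogger<SafeSessionCookieRemover> logger)
    {
        _accessor = accessor;
        _clock = clock;
        _logger = logger;
    }

    // Returns true if an expiring cookie was written, false if nothing was done.
    // The middleware already has the request's HttpContext, so it passes it in;
    // the accessor is only a fallback, because its AsyncLocal-backed value can be
    // null when the call is not running on the request's own async flow.
    public Task<bool> RemoveSessionIdCookieAsync(HttpContext? context = null)
    {
        var ctx = context ?? _accessor.HttpContext;
        if (ctx == null)
        {
            // Fail safe and leave a trace instead of a NullReferenceException.
            _logger.LogWarning("No HttpContext available; {Cookie} was not cleared",
                               CheckSessionCookieName);
            return Task.FromResult(false);
        }

        // only remove it if we have it in the request
        if (!ctx.Request.Cookies.ContainsKey(CheckSessionCookieName))
            return Task.FromResult(false);

        // Options approximated here; IdentityServer builds its own in CreateSessionIdCookieOptions().
        var options = new CookieOptions
        {
            Path = "/",
            Secure = ctx.Request.IsHttps,
            SameSite = SameSiteMode.None,
            Expires = _clock.UtcNow.AddYears(-1) // a date in the past expires the cookie
        };
        ctx.Response.Cookies.Append(CheckSessionCookieName, ".", options);
        return Task.FromResult(true);
    }
}
```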
leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any question.

blarsern commented 2 years ago

According to your blog: https://leastprivilege.com/2020/10/01/the-future-of-identityserver/

The current version (IdentityServer4 v4.x) will be the last version we work on as free open source. We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.

So what happened to this?

We will probably go to Duende this fall, but that will require some work. So at this point we will continue with IdentityServer4.

Anyway, I cloned the repo and fixed it locally. I can see the same code is in the Duende IdentityServer. So it will probably fail also with the Duende IdentityServer.

leastprivilege commented 2 years ago

We committed to provide critical security fixes (if feasible). Bug fixing, feature work etc will only happen on the new version.

Thanks for letting us know - we will have a look!

brockallen commented 2 years ago

Once you transition to Duende IdentityServer and if you're still seeing this issue, please open an issue in that repo. Thanks.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.