aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

An OpenID Connect response cannot contain an identity token or an access token when using response_mode=query #338

Closed HaroldH76 closed 4 years ago

HaroldH76 commented 4 years ago

PR 297 introduced a check if access_token is present in the URL. But since we have updated to this version we get this error on every random page that has access_token in the query string: "An OpenID Connect response cannot contain an identity token or an access token when using response_mode=query"

So this error is thrown on every page, not only in the OpenID Connect response.

For example we have Office Online (WOPI) integration in combination with OpenID with Azure AD. But now the WOPI integration is broken because of this. The WOPI protocol uses access_token in the querystring and this error is thrown when loading the page.

Is this a problem of this library or am I doing something wrong?

You can easily reproduce this by enabling OpenID in some dotnet application and, after successfully logging in, adding a query string parameter (?access_token=lalala) to some page in the browser.

Kind regards, Harold

Tratcher commented 4 years ago

Can you share how you're configuring the OIDC components? You should be using a CallbackPath to avoid conflicts with other requests. https://github.com/aspnet/AspNetKatana/blob/e001fcf245ba4b6b2eb09ef410d398527882dc1a/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L204

HaroldH76 commented 4 years ago

Ah, no, we have no CallbackPath because it is optional and the description says:

An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value will be generated from RedirectUri.

So effectively we are using the homepage as callback path. Since it is optional maybe the line of code you mention should also check for the RedirectUri.

Anyway, I have fixed it for now by adding this line:

CallbackPath = new Microsoft.Owin.PathString("/"), 

Thx for the help!

Tratcher commented 4 years ago

The recommendation is that CallbackPath is a unique value like /signin-oidc.

This is where it's supposed to convert the RedirectUri to a CallbackPath: https://github.com/aspnet/AspNetKatana/blob/e001fcf245ba4b6b2eb09ef410d398527882dc1a/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs#L50-L58
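Added example (not code from the issue, the reporter or the Katana project): an OWIN Startup for Microsoft.Owin.Security.OpenIdConnect showing the configuration that runs into the problem above beside the one Tratcher recommends. The authority, client id, host name and the /Error route are placeholders; the AuthenticationFailed handler is an extra I added so a protocol error from the middleware is not surfaced as an unhandled exception.

```csharp
// Added example, not from the issue or the Katana repo.
// Placeholder tenant, client id and host names; substitute your own.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Example.Startup))]

namespace Example
{
    public class Startup
    {
        private const string Authority = "https://login.microsoftonline.com/{tenant-id}/v2.0"; // placeholder
        private const string ClientId = "00000000-0000-0000-0000-000000000000";               // placeholder
        private const string SiteRoot = "https://app.example.com";                            // placeholder

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Problematic (the situation in the issue): no CallbackPath, and RedirectUri
            // is the site root. The middleware can only derive CallbackPath = "/" from
            // that, and with no RedirectUri at all it is not constrained to any path, so
            // unrelated GET requests carrying ?access_token= (the WOPI pages) reach the
            // response_mode=query check and fail with the error quoted above.
            //
            // app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            // {
            //     Authority = Authority,
            //     ClientId = ClientId,
            //     RedirectUri = SiteRoot + "/",
            //     ResponseType = OpenIdConnectResponseType.IdToken,
            //     Scope = OpenIdConnectScope.OpenIdProfile,
            // });

            // Recommended: a dedicated callback path. Only requests to /signin-oidc are
            // treated as OpenID Connect responses; every other path, query string or not,
            // passes through untouched. The same URL must be registered as a redirect URI
            // on the app registration, and RedirectUri must point at it.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = Authority,
                ClientId = ClientId,
                RedirectUri = SiteRoot + "/signin-oidc",
                CallbackPath = new PathString("/signin-oidc"),
                ResponseType = OpenIdConnectResponseType.IdToken,
                // Tokens come back in a POST body, never in the query string, so the
                // response_mode=query rejection never applies to a legitimate response.
                ResponseMode = OpenIdConnectResponseMode.FormPost,
                Scope = OpenIdConnectScope.OpenIdProfile,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Added here: turn a protocol error into a redirect to an error page
                    // (placeholder route) instead of an unhandled exception.
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.Redirect("/Error?message=" + Uri.EscapeDataString(ctx.Exception.Message));
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Setting CallbackPath to "/" as in the workaround above does silence the error on other pages, but it still makes the home page double as the sign-in callback, so a request to "/?access_token=..." will keep failing; a path nothing else in the application serves, like /signin-oidc, avoids that class of collision entirely.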