aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Getting 404 Error When Redirecting To /signin-oidc #348

Closed D4M13N-D3V closed 4 years ago

D4M13N-D3V commented 4 years ago

I am having a really hard time getting OpenIDConnect to work properly with this ASP.NET 4.6 MVC 5 project. Recently I was getting a 404 error and ended up adding a custom route to the callback action to get it to work past that. After that I started getting an error about GetExternalLoginInfoAsync() returning null and getting a NullReferenceException. This is what my config looks like with some things redacted, along with the routing. Also the image provided is one of the errors I get; if I don't use custom routing I just get a 404 error. I know that I shouldn't have to be routing that. Now when I compare the traffic between the Zoom OAuth which works and this, I notice this is only getting from External Login -> Authorize.php -> /signin-oidc.

OpenIdConnect nonce cookie is there, so is session_id, also in the URL it is sending the state and the code

This is the code for the setup of OpenIdConnectAuthentication

```csharp
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0
        Authority = "https://orders.data443.com/oauth/",
        ClientId = "DATA443-RISK-MIT.tb4dOMZlluauPaBiqV/wSA==",
        ClientSecret = "GKikHivSwkckyDkDlZZXoY04HB2BTnn86cFlk/aRsQR1xXxbfkI/1nNtqkdrM18UauoJ4BxQ9fpGeldjhWd/dQ==",
        RedirectUri = "https://localhost:44348/signin-oidc/",
        PostLogoutRedirectUri = "https://localhost:44348/signout-oidc/",
        ResponseType = OpenIdConnectResponseType.Code,
        Scope = "openid email profile",

        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
        },
        Configuration = new OpenIdConnectConfiguration()
        {
            Issuer = "https://orders.data443.com/",
            AuthorizationEndpoint = "https://orders.data443.com/oauth/authorize.php",
            TokenEndpoint = "https://orders.data443.com/oauth/token.php",
            UserInfoEndpoint = "https://orders.data443.com/oauth/userinfo.php",
            JwksUri = "https://orders.data443.com/oauth/certs.php",
        },
    });
```

https://localhost:44348/signin-oidc/?code=e33dab0ae5e9640ef731c460180780092703727b&state=OpenIdConnect.AuthenticationProperties%3D-JlLC-VdZi-KZst8OY4JikRrl59vm19HATAcOaqUv8a22U8ch9gC_IJARHlsvaDKZQrqfeTewtdk5d-KcZSrUR3qCoJVcmzNRDP8C0JJ2NH9ql42J3H1xkxEzoAvJ0wxITy-tCj5H-N-bYhMZbO4kB8s2S4msCF0kEDzgipoPmGfZfreUeyYcerwK_OJGH3uYKUYa1NjqA0G-hlhiYpUj8DUp59EXpDz6sr1wtohTiI


Code

```csharp
var json = "";
using (WebClient wc = new WebClient())
{
    json = wc.DownloadString("http://orders.data443.com/oauth/openid-configuration.php");
}

var settings = new OpenIdConnectAuthenticationOptions
{
    Authority = "https://orders.data443.com/oauth/",
    ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    RedirectUri = "https://localhost:44348/signin-oidc/",
    CallbackPath = new PathString("/signin-oidc/"),
    Configuration = new OpenIdConnectConfiguration(json),
    ResponseType = OpenIdConnectResponseType.Code,
    SignInAsAuthenticationType = "Cookies",
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
    },
    Scope = "openid email profile"
};
app.UseOpenIdConnectAuthentication(settings);
```

Routing

```csharp
routes.MapRoute(
    name: "signin-oidc",
    url: "signin-oidc",
    defaults: new { controller = "Account", action = "ExternalLoginCallback" });
```

Tratcher commented 4 years ago

A) signin-oidc should not be mapped to ExternalLoginCallback; UseOpenIdConnectAuthentication handles that path internally. Delete the MapRoute call. B) There's a new option RedeemCode you need to set when only using the Code ResponseType. https://github.com/aspnet/AspNetKatana/blob/635c92f641ad1e014eead31cc7a365004949fda5/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs#L320-L324. It used to only support hybrid flows.

D4M13N-D3V commented 4 years ago

Now I'm getting this error?

```csharp
new OpenIdConnectAuthenticationOptions
{
    Authority = "https://orders.x.com/oauth/",
    ClientId = "x",
    ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    RedirectUri = "https://localhost:44348/signin-oidc/",
    PostLogoutRedirectUri = "https://localhost:44348/signout-oidc/",
    ResponseType = OpenIdConnectResponseType.Code,
    RedeemCode = true,
    Scope = "openid email profile",

    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
    },
    Configuration = new OpenIdConnectConfiguration(json),
});
```

```text
IDX10501: Signature validation failed. Unable to match key:
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
```

I don't see anything different from what I have been seeing other people do. Very confused why that wasn't documented anywhere, so it's thrown me entirely off.
Tratcher commented 4 years ago

Wow, that error message needs work. https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/535158822edd2760a81fa1e9ef902e3959dd65d3/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs#L973

Can you move this issue to https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/ so they can interpret and/or improve that error message?

I see you're providing the OpenIdConnectConfiguration manually? The comments around IDX10501 imply that configuration information may be out of date.

D4M13N-D3V commented 4 years ago

Ah, how would I go about configuring it then? I'm currently just loading it from the JSON on WHMCS.

Tratcher commented 4 years ago

The recommendation is to set the MetadataAddress where it can download the correct keys. https://github.com/aspnet/AspNetKatana/blob/635c92f641ad1e014eead31cc7a365004949fda5/src/Microsoft.Owin.Security.WsFederation/WsFederationAuthenticationMiddleware.cs#L77-L78
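An added example (not code from the issue or from the Katana project) that pulls the three points of this thread into one Startup: no MVC route for the callback path, `RedeemCode = true` for the pure code flow, and `MetadataAddress` instead of a hand-built `OpenIdConnectConfiguration` so the middleware refreshes signing keys itself. The `idp.example.invalid` host, the client id/secret placeholders and the `/Account/LoginError` page are assumptions.

```csharp
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example.invalid/oauth/",  // placeholder issuer host
            // Let the middleware download discovery + JWKS itself so rotated
            // signing keys are picked up (a hand-built configuration goes stale -> IDX10501).
            MetadataAddress = "https://idp.example.invalid/oauth/openid-configuration.php",
            ClientId = "CLIENT_ID_PLACEHOLDER",
            ClientSecret = "CLIENT_SECRET_PLACEHOLDER",
            // Path must equal CallbackPath (default "/signin-oidc", no trailing slash);
            // the middleware owns that path, so no MVC route is mapped for it.
            RedirectUri = "https://localhost:44348/signin-oidc",
            PostLogoutRedirectUri = "https://localhost:44348/signout-oidc",
            ResponseType = OpenIdConnectResponseType.Code,
            // Pure authorization-code flow: redeem the code at the token endpoint
            // instead of expecting a hybrid-flow id_token on the front channel.
            RedeemCode = true,
            Scope = "openid email profile",
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Keep issuer validation on and pin it to the discovery document's issuer.
                ValidateIssuer = true,
                ValidIssuer = "https://idp.example.invalid/",
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Log the underlying IDX error server-side; show the user a generic page.
                AuthenticationFailed = ctx =>
                {
                    Trace.TraceError("OIDC authentication failed: {0}", ctx.Exception);
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Account/LoginError");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

If the provider is reached over a name that differs from the issuer it advertises, the `ValidIssuer` value must be the one in the discovery document, not the metadata URL.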

ghost commented 4 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.