search

aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0
1.27k stars 600 forks source link

The oauth state was missing or invalid #1756

Closed nheath99 closed 6 years ago

nheath99 commented 6 years ago

I'm getting an exception when trying to use Facebook OAuth in my application:

Exception: The oauth state was missing or invalid.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+<HandleRequestAsync>d__12.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+<Invoke>d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase+<Invoke>d__2.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase+<Invoke>d__2.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase+<Invoke>d__2.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+<Invoke>d__7.MoveNext()

It's being configured successfully in Startup.ConfigureServices as such:

services.AddAuthentication()
    .AddFacebook(facebookOptions =>
    {
    facebookOptions.AppId = Configuration["facebookAppId"];
    facebookOptions.AppSecret = Configuration["facebookAppSecret"];
    });

The Challenge result is being created in my AccountController:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{
    // Request a redirect to the external login provider.
    var redirectUrl = Url.RouteUrl("SigninFacebook", new { returnUrl });            
    var properties = SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    return Challenge(properties, provider);
}

However the callback method is not being reached:

[HttpGet("signin-facebook", Name = "SigninFacebook")]
[AllowAnonymous]
public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null, string remoteError = null)
{
    // etc...
}

, and I am getting the exception. I've setup my Facebook developer account successfully and added the valid Valid OAuth Redirect URIs as per the Docs.

Tratcher commented 6 years ago

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins?view=aspnetcore-2.1&tabs=aspnetcore2x

The Facebook authentication configured later in this tutorial will automatically handle requests at /signin-facebook route to implement the OAuth flow.

The /signin-facebook route is handled by the middleware, not by your MVC controller. Your external login should route to something like /ExternalLoginCallback.

nheath99 commented 6 years ago

Ah thanks, I read that about 1 million times and it just wasn't sinking in.