davidjrh / dnn.azureadprovider

The DNN Azure Active Directory Provider is an Authentication provider for DNN Platform (formerly DotNetNuke) that uses Azure Active Directory OAuth2 authentication to authenticate users.
MIT License

AADSTS54005: OAuth2 Authorization code was already redeemed #17

Closed swalker1595 closed 5 years ago

swalker1595 commented 5 years ago

After logging in with Azure AD I am experiencing the same issue described here: https://social.msdn.microsoft.com/Forums/azure/en-US/4192e141-309a-4dd6-a5c9-f1a8ce32f4ca/aadsts54005-oauth2-authorization-code-was-already-redeemed?forum=WindowsAzureAD

JoepKillaars commented 5 years ago

Any news on this?

swalker1595 commented 5 years ago

I placed a ticket with DNN Support (I believe the OAuth flow is their code)

Here is the response:

Thank you for your patience while we were investigating this issue. Whereas we are committed to assisting you with this issue, we have found out that the referenced link (https://github.com/davidjrh/dnn.azureadprovider) is by a third party and the source code has not been updated for a long while. The source code is also open-source. We will not be able to offer a guaranteed immediate solution to the issue now that the solution is not part of DNN.

We at DNN do not have such a solution currently and you may have to involve the source-code owner for customization.



davidjrh commented 5 years ago

Can you share more details on the issue? I'm not able to reproduce it.

davidjrh commented 5 years ago

Can you check on the DNN Eventlogs for an error like this one?

Message:There was an error processing the credentials. Contact your system administrator.

StackTrace:

InnerMessage:There was an error processing the credentials. Contact your system administrator.

InnerStackTrace:

    at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText)
    at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.ExchangeCodeForToken()
    at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.AuthorizeV2()
    at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

swalker1595 commented 5 years ago

David,

It’s a complicated issue because Microsoft has directly told me that sites with > 10 logins per month are granted an exception.

We experienced this issue in Oct., but the day after experiencing it, the exception kicked in because I tried to log in to the website like 30 times.

Same thing just happened again this Nov.

The issue occurs when any sign in from Azure is attempted. It fails after the redirect back to the site from Microsoft.

I am using DNN 9.2.

Thanks,

Shane Walker



davidjrh commented 5 years ago

Weird issue. I have a customer with a similar symptom to the one you mention, but I can't verify if it is the same issue. I'm going to download the DNN code base for the particular version the customer has, because the OAuth request is done in the DNN code and the response arrives empty to the Azure provider.

Another interesting point is that this happens with some users, but not with others. I will keep investigating, but any info you can share like the one above will help.

swalker1595 commented 5 years ago

 2018-11-19 12:52:50.432-05:00 [CCGWEB1][D:2][T:59][ERROR] DotNetNuke.Services.Authentication.OAuth.OAuthClientBase - WebResponse exception: {"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: 9df0210d-bf9f-45d9-b19b-b326453e6400\r\nCorrelation ID: 48ac1682-e414-42c2-9eac-f1d6114e8648\r\nTimestamp: 2018-11-19 17:52:50Z","error_codes":[70002,54005],"timestamp":"2018-11-19 17:52:50Z","trace_id":"9df0210d-bf9f-45d9-b19b-b326453e6400","correlation_id":"48ac1682-e414-42c2-9eac-f1d6114e8648"}
 2018-11-19 12:52:50.718-05:00 [CCGWEB1][D:2][T:59][FATAL] DotNetNuke.Framework.PageBase - An error has occurred while loading page.
    System.Exception: There was an error processing the credentials. Contact your system administrator.
    at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText)
    at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.ExchangeCodeForToken()
    at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.AuthorizeV2()
    at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

davidjrh commented 5 years ago

Ok, I was able to reproduce the issue with one of the Azure AD users (interesting that it doesn't happen with other users):

  1. For some reason, I see two web requests on DNN on the ExchangeCodeForToken call. The first one works, the second fails with the error.
  2. This happens on certain users.

Finally found the issue: the web request that lands on the DNN website after the Azure login redirection causes two "ExchangeCodeForToken" requests (the first one is accepted, but the second is invalid because the code was already processed, as per the October 10th update). I'm creating an updated release package to avoid the second call, which has been there since the beginning of time.
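
The mechanism davidjrh describes, as an added illustration that is not the provider's code and not the fix shipped in v3.0.1 (the thread does not show that change): an OAuth2 authorization code is single-use, so when the callback page triggers the code-for-token exchange twice, the authorization server accepts the first and answers the second with `invalid_grant` / AADSTS54005. The Python below models that with constructed stand-ins (`TokenEndpoint`, `NaiveClient`, `GuardedClient`), shows a client-side guard that redeems each code at most once, and includes a small parser that recognises AADSTS54005 in the `WebResponse exception` JSON that DNN logged earlier in this thread.

```python
"""Model of why a second ExchangeCodeForToken call fails with AADSTS54005,
plus a parser for the error body Azure AD returns.  Added example, not the
provider's code or its v3.0.1 fix; TokenEndpoint, NaiveClient and
GuardedClient are constructed stand-ins for the real parties."""
import json
import secrets

# Constructed sample, copied from the log line quoted in this thread: the
# JSON body the token endpoint returned on the second redemption attempt.
SAMPLE_LOG_LINE = (
    "2018-11-19 12:52:50.432-05:00 [CCGWEB1][D:2][T:59][ERROR] "
    "DotNetNuke.Services.Authentication.OAuth.OAuthClientBase - WebResponse exception: "
    '{"error":"invalid_grant","error_description":"AADSTS70002: Error validating '
    "credentials. AADSTS54005: OAuth2 Authorization code was already redeemed, please "
    'retry with a new valid code or use an existing refresh token.\\r\\nTrace ID: '
    '9df0210d-bf9f-45d9-b19b-b326453e6400","error_codes":[70002,54005],'
    '"trace_id":"9df0210d-bf9f-45d9-b19b-b326453e6400"}'
)

ALREADY_REDEEMED = 54005  # AADSTS54005, as seen in the thread's log


def parse_aad_error_codes(log_line):
    """Pull the numeric error_codes out of a logged 'WebResponse exception: {...}'.

    Returns [] when the line carries no parseable JSON body."""
    start = log_line.find("{")
    if start < 0:
        return []
    try:
        body = json.loads(log_line[start:])
    except json.JSONDecodeError:
        return []
    return [int(c) for c in body.get("error_codes", [])]


def is_code_already_redeemed(log_line):
    """True when the failure is the single-use code being redeemed a second time."""
    return ALREADY_REDEEMED in parse_aad_error_codes(log_line)


class TokenEndpoint:
    """Stand-in for the authorization server: each code is redeemable exactly once."""

    def __init__(self):
        self._issued = {}       # code -> subject it was issued for
        self._redeemed = set()  # codes that have already been exchanged

    def issue_code(self, subject):
        code = secrets.token_urlsafe(16)
        self._issued[code] = subject
        return code

    def exchange(self, code):
        if code not in self._issued:
            return {"error": "invalid_grant", "error_codes": [70002]}
        if code in self._redeemed:
            # Same shape as the body in SAMPLE_LOG_LINE.
            return {"error": "invalid_grant", "error_codes": [70002, ALREADY_REDEEMED]}
        self._redeemed.add(code)
        return {"access_token": "token-for-" + self._issued[code], "token_type": "Bearer"}


class NaiveClient:
    """Redeems the code on every callback request, so a duplicated request fails."""

    def __init__(self, endpoint):
        self._endpoint = endpoint

    def handle_callback(self, code):
        return self._endpoint.exchange(code)


class GuardedClient:
    """Redeems each code at most once; a repeat of the same code returns the
    cached result (success or failure) instead of hitting the endpoint again."""

    def __init__(self, endpoint):
        self._endpoint = endpoint
        self._results = {}

    def handle_callback(self, code):
        if code not in self._results:
            self._results[code] = self._endpoint.exchange(code)
        return self._results[code]


def simulate(client_cls, calls=2):
    """Issue one code for 'alice' and deliver it `calls` times, as the duplicated
    callback request in this issue does; returns the per-call responses."""
    endpoint = TokenEndpoint()
    client = client_cls(endpoint)
    code = endpoint.issue_code("alice")
    return [client.handle_callback(code) for _ in range(calls)]


if __name__ == "__main__":
    print("log line is AADSTS54005:", is_code_already_redeemed(SAMPLE_LOG_LINE))
    print("naive  :", simulate(NaiveClient))
    print("guarded:", simulate(GuardedClient))
```

Running it shows the naive client getting a token on the first call and `invalid_grant` with code 54005 on the second, while the guarded client returns the same token both times. In a real deployment the guard would have to be keyed per request and survive whatever causes the duplicate (here, two exchanges inside one page load), and the Trace ID and Correlation ID in the logged body are the values to quote when raising the failure with Microsoft.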

davidjrh commented 5 years ago

I have packaged a new Release v3.0.1. Can you please double check? I have already installed it on my customer's website and it is now working properly.

https://github.com/davidjrh/dnn.azureadprovider/releases/tag/v3.0.1

davidjrh commented 5 years ago

I have verified that this is now working on several sites. Going to close the issue, but if you find something else, let me know.

rastogi-nitin commented 5 years ago

Hi David, out of curiosity, what did you do to fix the issue "Finally found the issue: the webrequest that lands on the DNN website after the Azure login redirection, causes two "ExchangeCodeForToken" requests"?