search

dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License
35.5k stars 10.04k forks source link

IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal #55774

Closed roddharris closed 5 months ago

roddharris commented 6 months ago

Is there an existing issue for this?

Describe the bug

I'm using the AddOpenidConnect extension method to configure OpendidConnect to work with our Keycloak IDP. Whenever the Challenge is requested, I receive an error: "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." (Line 485 of the HandleChallengeAsyncInternal).

It appears that this is supposed to be set when the configuration manager reads the OIDC configuration from the .well-known endpoint of my IDP. (Line 402) It seems as though the manager is unable to read the IDP configuration or is unable to pull out the authorization_endpoint property of my IDP configuration.

Expected Behavior

When the Challenge is required, the OpenidConnectHandler should redirect the browser to the authorization_endpoint that is defined in the well-known endpoint of the IDP configured using the AddOpenidConnect extension method.

Steps To Reproduce

Here is the configuration in program.cs

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://my-keycloak-idp.com/auth/realms/myrealm";
        options.ClientId = "my-app-client-id";  //public client, no secret
        options.CallbackPath = "/auth";
        options.RequireHttpsMetadata = true;
        options.MetadataAddress = "https://my-keycloak-idp.com/auth/realms/myrealm/.well-known/openid-configuration";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.UsePkce = true;
        options.ResponseType = OpenIdConnectResponseType.Code;
    });

Here is the configuration returned by the metadata endpoint.

image

Exceptions (if any)

Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.

.NET Version

8.0.100

Anything else?

This is an Asp.NET Core 8.0 MVC application. I'm running in VS 2022

roddharris commented 6 months ago

Sorry, I forgot to add that my Keycloak client is set for Standard Flow, Implicit Flow and Direct Access Grants. I also have my Web Origins configured as well as my Valid Redirect URIs.

halter73 commented 6 months ago

Can you provide a minimal repro project?

I suspect the issue might be mismatched Microsoft.IdentityModel.* dependencies. Even if you don't reference these dependencies directly right now, you might have to add an explicit PackageReference to make sure all the versions align exactly. The current latest version for these packages is 7.5.2.

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2513#issuecomment-2099109337 has more context on the issue. It shouldn't be necessary to manually align package versions like this, but it is necessary as of right now.

roddharris commented 5 months ago

Thank you @halter73 that seemed to be the issue.