OpenIddict `code_challenge` error

[ak2426]

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

14.1.0

Bug summary

Logging in via localhost works while logging in via host.example.com does not.

Specifics

The error message after logging into /umbraco/login is as follows:

error:invalid_request
error_description:The mandatory 'code_challenge' parameter is missing.
error_uri:https://documentation.openiddict.com/errors/ID2029

Steps to reproduce

On a fresh install of Umbraco 14.1.0, run the following command:

dotnet run --urls "http://0.0.0.0:80"

Verify that logging into:

• http://localhost/umbraco/login works
• http://host.example.com/umbraco/login does not

Expected result / actual result

After a successful login, I expect to land on the dashboard. Instead, I see the error message listed above.

[github-actions[bot]]

Hi there @ak2426!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

[elit0451]

Hi @ak2426 👋

Thanks for reaching out! I was able to reproduce it, we will have a look 🙂

[elit0451]

One thing though, can you clarify why are you running dotnet run --urls "http://0.0.0.0:80" and then expecting to access http://host.example.com/umbraco/login?

[ak2426]

Hi @ak2426 👋

Thanks for reaching out! I was able to reproduce it, we will have a look 🙂

Thanks!

One thing though, can you clarify why are you running dotnet run --urls "http://0.0.0.0:80" and then expecting to access http://host.example.com/umbraco/login?

The host.example.com is just an example; you can pretend it's any hostname on the LAN. Obviously, you want a webserver to be network accessible, not just on localhost. So 0.0.0.0 will bind to all network interfaces, not just localhost.

In our current setup we have Umbraco running on 2 servers behind a load balancer (F5), which also takes care of HTTPS. We need Umbraco to be accessible in this way because F5 uses the hostname + port.

[iOvergaard]

Hi @ak2426

Looking through this, you may be hitting a few different issues.

code_challenge is missing I haven't seen this error before, but it could happen if the authorization request didn't come from the backoffice, i.e. if you went directly to the login screen on /umbraco/login and tried to log in. The Backoffice client needs to form a correct handshake in its local storage before attempting a login due to the PKCE addition to OpenId. Therefore if you access /umbraco first, it can form the correct code challenge for the login screen.

Are you still seeing the error if you do that?

Accessing Umbraco from another host Umbraco stores the first request it gets as its' application URL. It then takes that information and marks that host as an allowed redirect URL in the login provider. From the looks of it, you are not hitting this error specifically, but it may be worth it for you to specifically set your backoffice host URL in appsettings.json. You can do it like this:

{
  "Umbraco": {
    "CMS": {
       "Security": {
         "BackOfficeHost": "http://host.example.com"
       }
    [the rest]
  }
}

This might help alleviate any confusion running Umbraco in a place where it can't see its real host, for example in a Docker environment.

[ak2426]

Hi @iOvergaard, unfortunately neither suggestion fixed the problem. In fact, navigating to http://localhost and clicking "Open Umbraco" now gives a new error:

error:invalid_request
error_description:The specified 'redirect_uri' is not valid for this client application.
error_uri:https://documentation.openiddict.com/errors/ID2043

[iOvergaard]

@ak2426 The BackOfficeHost parameter must match the one you are accessing Umbraco from. However, Umbraco should be able to resolve any relative requests, so there might be something we need to look into.

Another note, if you want to use regular HTTP, you need to ensure the UseHttps option is false (see more here #16614).

[IbrahimMNada]

Any Update on this ? I Have Put this

"BackOfficeHost": "http://host.example.com"

and this to false : UseHttps

it did not work

I think (Think) it has something to do with cookies cross site with http

[miflun]

Had the same issue, I simply switched to HTTPS in my IIS and it worked My domain was working on http://localhost:65322, however when i tried on http://mywebsite.local I was getting error "The mandatory 'code_challenge' parameter is missing" I have used SSL Certificate 'IIS Express Development Certificate'. I believe this certificate was created through dotnet cmd

dotnet dev-certs https --trust

[NileshMasterly]

Had the same issue, I tried all the above solutions, but none of them worked. While published build worked on my device(IIS), but not work on the other server.

[IbrahimMNada]

any update on this ?

[NileshMasterly]

Update the web.config as shown below; it worked for me.

<system.webServer>
    <rewrite>
        <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    <add input="{REQUEST_URI}" pattern="^.*/umbraco" negate="true" />
                </conditions>
                <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
        </rules>
    </rewrite>

    <modules runAllManagedModulesForAllRequests="false">
        <remove name="WebDAVModule" />
    </modules>

    <httpProtocol>
        <customHeaders>
            <clear />
            <add name="Access-Control-Expose-Headers " value="WWW-Authenticate"/>
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, PATCH, DELETE" />
            <add name="Access-Control-Allow-Headers" value="accept, authorization, Content-Type" />
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
    <security>
        <requestFiltering>
            <requestLimits maxAllowedContentLength="524288000"/>
        </requestFiltering>
    </security>
</system.webServer>

[peteringemann]

I am getting this error too. Upgraded from working 13.x to 14.latest. I use the host file to redirect to 127.0.0.1 when debugging. I only run http. None of the above suggestions works.

[IbrahimMNada]

after some debugging , The Issue is resulted from PKCE when developing on a non https server.

so the fix for this would be simply if the configuration UseHttps is set to false we should not call this extension method RequireProofKeyForCodeExchange() on ConfigureOpenIddict ==> AddUmbracoOpenIddict

[IbrahimMNada]

Please take a look at this PR

https://github.com/umbraco/Umbraco-CMS/pull/17319

hope you approve and merge it soon x)

[nul800sebastiaan]

I've closed the PR with a workaround in the comments. https://github.com/umbraco/Umbraco-CMS/pull/17319#issuecomment-2470676808

Ultimately, it's an unsafe setup and you need to be very careful what you're doing here, we intend to help you do the right thing so for now we don't want to support things that might accidentally leave you open to an easy security attack.

[nul800sebastiaan]

Additionally, a workaround in code has been posted to the PR which will work for existing sites as well.