Failing OpenID Connect middleware - how to debug?

2019-07-17 04:27发布

I set up a very simple ASP.NET MVC 5 application that tries to authenticate a user through an OpenID provider in Authorization Code mode.

I'm able to log in and the server returns a code in the redirect URL querystring and a nonce cookie. However, back on the client application the user is not authenticated (User.Identity.IsAuthenticated false), has no claims and called controller Action that has an Authorize attribute is never carried out. Browser stays on the redirect URL page which is the home page.

I think something happens during the execution of the OpenID Connect middleware which makes it stop halfway through, but can't quite figure out how to debug it.

  • No exceptions are thrown even in "break on all CLR exceptions" mode.

  • When connecting an EventListener to IdentityModelEventSource.Logger at Verbose level I only get one logged event that says "Generating nonce for openIdConnect message", once per authentication attempt.

  • No Notification hooks are reached except RedirectToIdentityProvider, so it looks like no authorization code or security token is received, but the authentication doesn't fail either.

How can I get more info on what happens so that I can debug my problem?

Here's the code:

        public void Configuration(IAppBuilder app)
        {
            var clientSecret = "secret";
            var authenticationOptions = new OpenIdConnectAuthenticationOptions
            {
                ClientId = "id",
                ClientSecret = clientSecret,
                Authority = "https://theauthority",
                RedirectUri = "https://localhost/MyApp/",
            };

            authenticationOptions.ResponseType = OpenIdConnectResponseType.Code; // Authorization code
            authenticationOptions.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(clientSecret));
            authenticationOptions.TokenValidationParameters.RequireSignedTokens = true;
            authenticationOptions.TokenValidationParameters.ValidAudience = "katanaclient";
            authenticationOptions.SignInAsAuthenticationType = "Cookies";
            authenticationOptions.Configuration = new OpenIdConnectConfiguration
            {
                Issuer = "https://theissuer",
                AuthorizationEndpoint = "https://theendpoint",
                TokenEndpoint = "https://theendpoint/api/v1/token",
                UserInfoEndpoint = "https://theendpoint/api/v1/userinfo",
                EndSessionEndpoint = "https://theendpoint/api/v1/logout",
                ScopesSupported = { "openid", "profile"},
            };

            authenticationOptions.Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = async n =>
                {
                    // here it goes
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        n.ProtocolMessage.EnableTelemetryParameters = false;
                    }
                },
                AuthorizationCodeReceived = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");

                },
                SecurityTokenReceived = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                },
                AuthenticationFailed = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                },
                SecurityTokenValidated = async n =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{n.Response.Body}");
                },
                MessageReceived = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                }
            };

            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            );
            app.UseOpenIdConnectAuthentication(authenticationOptions);

            Microsoft.IdentityModel.Logging.IdentityModelEventSource.Logger.LogLevel = EventLevel.Verbose;
            Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

            var listener = new EventListener();
            listener.EnableEvents(Microsoft.IdentityModel.Logging.IdentityModelEventSource.Logger, EventLevel.LogAlways);
            listener.EventWritten += Listener_EventWritten; // Only thing this ever logs is "generating nonce"
        }

[Edit]

I found out that in an ASP.NET Core project with GetClaimsFromUserInfoEndpoint = true it works perfectly. But that property is sadly missing from the older Microsoft.Owin.Security.OpenIdConnect implementation...

0条回答
登录 后发表回答