Authentication issues

Session automatically closed after login

Problem

After a successful login the session is closed in a few seconds.

Solution

This problem has been detected when the generated cookies are not trusted. This can happen in scaled-out installations where data protection is not properly configured and the different instances do not share the keys used to sign cookies, tokens and other signed items (the data protection keys). The best solution is to configure the Authentication server to use the database for managing data protection (DataProtectionSettings).

Related information

n/a

Entering valid credentials doesn't redirect back to application

Problem

When trying to log in to an application A, the user is redirected to the authentication server. Entering valid credentials doesn't return the user to application A, and the authentication server asks for credentials again.

Solution

This problem occurs when the LoginSettings.AuthenticationTicketExpiration property is not present in appsettings.json. This can happen when an appsettings.json from an old version of authentication is used with a newer version of authentication. To solve this, use the right version or include the property in appsettings.json:

"LoginSettings": {
    "AuthenticationTicketExpiration": "7.00:00:00"
}

Related information

n/a

Unable to login: Invalid redirect_uri / unauthorized_client

Problem

When trying to log in to an application A, the user is redirected to the authentication server and the error below is displayed: Invalid redirect_uri / unauthorized_client

Solution

When a user is redirected to the login page, application A includes two values in the query string of the redirection: client_id and redirect_uri. Those values have to match the configuration in the Authentication service. The related information is stored in the tenant database, in the [authentication].[Client] and [authentication].[ClientRedirectUri] tables. Ensure the values are exactly the same; a client can have multiple entries in the [authentication].[ClientRedirectUri] table.
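
The comparison described above can be scripted when the mismatch is hard to spot by eye. This is an added example, not code from the Authentication product: the URL, the client name and the registered URIs are constructed samples, and the registered values are assumed to have been copied by hand from the two tables.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web; // HttpUtility.ParseQueryString

// Constructed sample: the URL application A redirected the browser to.
const string authorizeUrl =
    "https://auth.example.test/connect/authorize?client_id=application-a" +
    "&redirect_uri=https%3A%2F%2Fapp-a.example.test%2Fsignin-oidc%2F" +
    "&response_type=code&scope=openid";

// Constructed sample: values copied from [authentication].[Client] and
// [authentication].[ClientRedirectUri] for each registered client.
var registered = new Dictionary<string, string[]>(StringComparer.Ordinal)
{
    ["application-a"] = new[]
    {
        "https://app-a.example.test/signin-oidc",
        "https://localhost:5001/signin-oidc",
    },
};

Console.WriteLine(RedirectUriCheck.Diagnose(authorizeUrl, registered));

static class RedirectUriCheck
{
    public static string Diagnose(string url, IReadOnlyDictionary<string, string[]> clients)
    {
        var query = HttpUtility.ParseQueryString(new Uri(url).Query);
        string clientId = query["client_id"] ?? "";
        string redirectUri = query["redirect_uri"] ?? "";

        if (!clients.TryGetValue(clientId, out var uris))
            return $"client_id '{clientId}' is not registered";

        // The values must be exactly the same, so compare them ordinally.
        if (uris.Contains(redirectUri, StringComparer.Ordinal))
            return "OK: client_id and redirect_uri match the registration";

        // Report a registered value that differs only by case or trailing slash.
        static string Loose(string s) => s.TrimEnd('/').ToLowerInvariant();
        string? near = uris.FirstOrDefault(u => Loose(u) == Loose(redirectUri));
        return near is null
            ? $"redirect_uri '{redirectUri}' is not registered for '{clientId}'"
            : $"redirect_uri '{redirectUri}' differs from '{near}' only by case or trailing slash";
    }
}
```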

Related information

n/a

Unable to login: Invalid client / invalid_client

Problem

When trying to log in to an application A, the user is redirected to the authentication server and, after completing the login, is redirected back to the calling application, which fails with an internal server error. The logs show the error below:

fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler. Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null', status code '400'.

Solution

Ensure the client is providing the same secret (usually stored encrypted in the appsettings file) as the one stored in [authentication].[ClientSecret] (as a hash).

Related information

n/a

Unable to logout

Problem

The logout action from an application ends on the MyApplication page with the user still logged in. Even if the LogOff link is clicked, the user is not logged out.

Solution

This problem is caused by how some browsers manage some of the Authentication cookies, especially Google Chrome from version 80 onwards. To solve it, SameSiteCookiePolicyDisabled must be set to false.

Related information

n/a

Issuer validation failed

Problem

The error below appears in a secured application after performing a successful login:

IDX10205: Issuer validation failed. Issuer: '.awsveriskt.local'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: '.office.sbs'.

Solution

We have seen this error in environments that are not configured properly:

  • Stale cookies: a first token was created using a value of CookieDomain that was changed later. In this case, we suggest deleting all cookies stored in the browser.
  • Scale-out wrongly configured: in scaled-out configurations, the authentication instances are not configured with the same Issuer.

Related information

One value comes from the discovery document of the Authentication service, and the other comes from the token. The token must be generated by the same Authentication service. If they have not been generated by the same. The Authentication service reads the issuer name from the CookieDomain setting.
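
To see which of the two values is wrong, compare the `issuer` field of each instance's discovery document with the `iss` claim of the failing token. This is an added example, not code from the Authentication product: the instance names, issuer URLs and token are constructed samples, and the token payload is read without checking its signature, which is acceptable only for diagnostics.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Constructed samples: the discovery document of each Authentication instance
// (/.well-known/openid-configuration) and a token with a placeholder signature.
var discovery = new (string Instance, string Json)[]
{
    ("auth-1", "{\"issuer\":\"https://auth.example.test\"}"),
    ("auth-2", "{\"issuer\":\"https://auth-2.example.test\"}"),
};
string token = IssuerCheck.Encode("{\"alg\":\"RS256\"}") + "."
    + IssuerCheck.Encode("{\"iss\":\"https://auth.example.test\",\"sub\":\"user-1\"}")
    + ".constructed-signature";

string tokenIssuer = IssuerCheck.ClaimOf(IssuerCheck.Decode(token.Split('.')[1]), "iss");
foreach (var (instance, json) in discovery)
{
    string issuer = IssuerCheck.ClaimOf(json, "issuer");
    // The issuer is compared as an exact string, so use an ordinal comparison.
    string verdict = string.Equals(issuer, tokenIssuer, StringComparison.Ordinal)
        ? "match" : "MISMATCH";
    Console.WriteLine($"{instance}: issuer='{issuer}' token iss='{tokenIssuer}' -> {verdict}");
}
if (discovery.Select(d => IssuerCheck.ClaimOf(d.Json, "issuer")).Distinct().Count() > 1)
    Console.WriteLine("The authentication instances publish different issuers.");

static class IssuerCheck
{
    // Builds a base64url segment; only used to construct the sample token.
    public static string Encode(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Decodes a base64url JWT segment. No signature check: diagnostics only.
    public static string Decode(string segment)
    {
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }

    public static string ClaimOf(string json, string name)
    {
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty(name).GetString() ?? "";
    }
}
```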

Nonce error

Problem

After entering credentials, the return to the application shows the following error and the login process can't be completed:

IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.

Solution

The IDX10311: RequireNonce is ‘true’ (default) but validationContext.Nonce is null error occurs because a cookie is missing or altered during the authentication process.

This issue might be perfectly expected for certain scenarios such as

  • Using browser’s Back button
  • Trying to login after a long time of inactivity (this case is solved by Authentication server)
  • Using the site in multiple tabs

If the scenario is one of these cases, the best way to proceed is to implement a code block to catch this exception and inform/redirect the user accordingly.
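
One way to implement that catch block in an ASP.NET Core client application is the OpenID Connect handler's OnRemoteFailure event. This is an added example, not code from the Authentication product: the authority URL, client id and the /signin-expired page are placeholders, and the Microsoft.AspNetCore.Authentication.OpenIdConnect package is assumed to be referenced.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://auth.example.test"; // placeholder
        options.ClientId = "application-a";              // placeholder
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.Events = new OpenIdConnectEvents
        {
            OnRemoteFailure = context =>
            {
                // IDX10311 is raised when the nonce cookie is missing or altered
                // (Back button, several tabs, login page left open too long).
                bool nonceMissing =
                    context.Failure is OpenIdConnectProtocolInvalidNonceException ||
                    (context.Failure?.Message.Contains("IDX10311") ?? false);
                if (nonceMissing)
                {
                    // Fixed local path only: never redirect to a request-supplied value.
                    context.Response.Redirect("/signin-expired");
                    context.HandleResponse(); // keeps the failure from becoming a 500
                }
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.MapGet("/signin-expired", () => "Your sign-in attempt expired. Open the application again.");
app.Run();
```

Other remote failures are left unhandled here, so they still reach the logs instead of being hidden behind the same redirect.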

Related information

n/a