Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal #55774

Closed
1 task done
roddharris opened this issue May 17, 2024 · 3 comments
Closed
1 task done

IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal #55774

roddharris opened this issue May 17, 2024 · 3 comments
Labels
area-security External This is an issue in a component not contained in this repository. It is open for tracking purposes. ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. question Status: Resolved

Comments

@roddharris
Copy link

roddharris commented May 17, 2024
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I'm using the AddOpenidConnect extension method to configure OpendidConnect to work with our Keycloak IDP. Whenever the Challenge is requested, I receive an error: "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." (Line 485 of the HandleChallengeAsyncInternal).

It appears that this is supposed to be set when the configuration manager reads the OIDC configuration from the .well-known endpoint of my IDP. (Line 402) It seems as though the manager is unable to read the IDP configuration or is unable to pull out the authorization_endpoint property of my IDP configuration.

Expected Behavior

When the Challenge is required, the OpenidConnectHandler should redirect the browser to the authorization_endpoint that is defined in the well-known endpoint of the IDP configured using the AddOpenidConnect extension method.

Steps To Reproduce

Here is the configuration in program.cs

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://my-keycloak-idp.com/auth/realms/myrealm";
        options.ClientId = "my-app-client-id";  //public client, no secret
        options.CallbackPath = "/auth";
        options.RequireHttpsMetadata = true;
        options.MetadataAddress = "https://my-keycloak-idp.com/auth/realms/myrealm/.well-known/openid-configuration";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.UsePkce = true;
        options.ResponseType = OpenIdConnectResponseType.Code;
    });

Here is the configuration returned by the metadata endpoint.

image

Exceptions (if any)

Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.

.NET Version

8.0.100

Anything else?

This is an Asp.NET Core 8.0 MVC application.
I'm running in VS 2022
@roddharris
Copy link
Author

Sorry, I forgot to add that my Keycloak client is set for Standard Flow, Implicit Flow and Direct Access Grants. I also have my Web Origins configured as well as my Valid Redirect URIs.

@halter73
Copy link
Member

Can you provide a minimal repro project?

I suspect the issue might be mismatched Microsoft.IdentityModel.* dependencies. Even if you don't reference these dependencies directly right now, you might have to add an explicit PackageReference to make sure all the versions align exactly. The current latest version for these packages is 7.5.2.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2513 (comment) has more context on the issue. It shouldn't be necessary to manually align package versions like this, but it is necessary as of right now.

@halter73 halter73 added the Needs: Repro Indicates that the team needs a repro project to continue the investigation on this issue label May 21, 2024
@dotnet-policy-service dotnet-policy-service bot added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label May 21, 2024
@roddharris
Copy link
Author

Thank you @halter73 that seemed to be the issue.

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels May 24, 2024
@javiercn javiercn added question ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels May 28, 2024
@halter73 halter73 mentioned this issue Jun 3, 2024
Closed
1 task
@halter73 halter73 added External This is an issue in a component not contained in this repository. It is open for tracking purposes. and removed Needs: Repro Indicates that the team needs a repro project to continue the investigation on this issue labels Jun 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-security External This is an issue in a component not contained in this repository. It is open for tracking purposes. ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. question Status: Resolved
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@halter73 @javiercn @roddharris and others