InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid. #2033

Closed
1 task done
cryo75 opened this issue Mar 12, 2024 · 10 comments

Comments

@cryo75

cryo75 commented Mar 12, 2024

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Version

5.0.3

Question

I have an OpenIddict server still on 4.10.1 and .NET 7. I have a Blazor server-side app that I upgraded to .NET 8 and OpenIddict 5.0.3. The project compiled successfully and no additional changes were made. When I start the app I get the following exception:

System.InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at NyAoo.Pages.LoginModel.OnGet(String redirectUri) in C:\myapp\Pages\Login.cshtml.cs:line 13
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.NonGenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments)
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync()
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync()
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context)
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Finbuckle.MultiTenant.AspNetCore.MultiTenantMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Are there any other changes that need to be done client-side?

@kevinchalet
Member

Hi,

Unfortunately, you're very likely hitting this IdentityModel bug, introduced in the 7.4.0 version referenced by OpenIddict 5.3.0: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2514. Sadly, they haven't released a fix yet.

You have a few options:

  • Replace the MSFT OIDC handler by the OpenIddict client, which is not affected by this bug: https://twitter.com/kevin_chalet/status/1767214511134523438
  • Downgrade OpenIddict to 5.2.0, which references an older IdentityModel version.
  • Stay on OpenIddict 4.10.1, tho' I wouldn't recommend it since it's no longer supported.

@kevinchalet
Member

> Replace the MSFT OIDC handler by the OpenIddict client, which is not affected by this bug: https://twitter.com/kevin_chalet/status/1767214511134523438

Note: if you're interested in giving it a try, don't hesitate to take a look at the samples repo (all the samples now use it): https://github.com/openiddict/openiddict-samples

@brentschmaltz

@kevinchalet, we are working on the issue.
It could be a mismatched assembly version.
Can you check that all IdentityModel assemblies are the same version?

@kevinchalet
Member

> Can you check that all IdentityModel assemblies are the same version?

I reproduced the issue locally and it indeed works fine if both Microsoft.IdentityModel.Tokens and Microsoft.IdentityModel.Protocols.OpenIdConnect are the same version (e.g. 7.3.1 or 7.4.0). As soon as you bump Microsoft.IdentityModel.Protocols.OpenIdConnect to 7.4.0 without also bumping the other one, you're affected.

Repro:

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.4.0" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.3.1" />
  </ItemGroup>

</Project>
```

```csharp
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var json = $$"""
    {
      "issuer": "https://localhost:44395/",
      "authorization_endpoint": "https://localhost:44395/connect/authorize"
    }
    """;

var configuration = new OpenIdConnectConfiguration(json);
Console.WriteLine(configuration.AuthorizationEndpoint);
```

@freever

freever commented Mar 18, 2024

I've been trying to figure out why I was getting this error for 2 days now 😭

@maliming

maliming commented Mar 29, 2024

Hi,

They fixed the JSON problem. Using Microsoft.IdentityModel.Protocols.OpenIdConnect >= 7.4 will be no problem.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2491

@kevinchalet
Member

kevinchalet commented Mar 29, 2024

Hey @maliming,

Well, it's a bit more complicated: just referencing the latest version of that package isn't enough, you need to ensure all the IdentityModel packages - directly referenced or brought transitively - are the same version.

If you're seeing issues in ABP Framework in the projects that use ASP.NET Core's OIDC or JWT handlers, I'd recommend explicitly referencing both Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.IdentityModel.Tokens to avoid any issue.
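
The version-consistency check discussed in this thread, as an added example that is not part of the original comments or of the OpenIddict or IdentityModel code: it reads the `libraries` section of a restored project's `obj/project.assets.json` and reports when IdentityModel packages, direct or transitive, resolve to more than one version. The package list in `FAMILY` and the sample graph are assumptions constructed for illustration.

```python
import json
import sys
from collections import defaultdict

# Assumption: the packages treated here as one family that must share a version.
FAMILY = {name.lower() for name in (
    "Microsoft.IdentityModel.Abstractions",
    "Microsoft.IdentityModel.JsonWebTokens",
    "Microsoft.IdentityModel.Logging",
    "Microsoft.IdentityModel.Protocols",
    "Microsoft.IdentityModel.Protocols.OpenIdConnect",
    "Microsoft.IdentityModel.Tokens",
    "System.IdentityModel.Tokens.Jwt",
)}

def resolved_versions(assets):
    """Map each family package (direct or transitive) to its resolved version."""
    found = {}
    for key, info in assets.get("libraries", {}).items():
        name, _, version = key.partition("/")  # keys look like "Name/1.2.3"
        if info.get("type") == "package" and name.lower() in FAMILY:
            found[name] = version
    return found

def find_mismatch(assets):
    """Return {version: [packages]} if several versions are present, else {}."""
    by_version = defaultdict(list)
    for name, version in resolved_versions(assets).items():
        by_version[version].append(name)
    return {v: sorted(n) for v, n in by_version.items()} if len(by_version) > 1 else {}

# Constructed sample: a mixed 7.4.0 / 7.3.1 graph like the repro in this thread.
SAMPLE_ASSETS = {"libraries": {
    "Microsoft.IdentityModel.Tokens/7.4.0": {"type": "package"},
    "Microsoft.IdentityModel.Protocols/7.3.1": {"type": "package"},
    "Microsoft.IdentityModel.Protocols.OpenIdConnect/7.3.1": {"type": "package"},
    "MyApp/1.0.0": {"type": "project"},
}}

if __name__ == "__main__":
    assets = SAMPLE_ASSETS
    if len(sys.argv) > 1:  # optional path to obj/project.assets.json
        with open(sys.argv[1], encoding="utf-8") as handle:
            assets = json.load(handle)
    mismatch = find_mismatch(assets)
    for version, names in sorted(mismatch.items()):
        print(f"{version}: {', '.join(names)}")
    sys.exit(1 if mismatch else 0)
```

Run after `dotnet restore`; a non-zero exit code makes it usable as a CI gate that fails the build on a mixed graph.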

@Emrebener

Can confirm version 7.4 fixes the issue. 7.3 and 8+ were not working for me.

<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="7.4.0" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.4.0" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.4.0" />

@HenriqueTrianon

Faced the same issue upon upgrading identity libraries to 8+, we kept at 7+ for the time being.

@kevinchalet
Member

> Faced the same issue upon upgrading identity libraries to 8+, we kept at 7+ for the time being.

Are you sure all the versions were consistent?

OpenIddict 5.8.0 uses IM 8.0+ on .NET 8.0+ and I haven't heard of any issue (at least that wasn't caused by a mismatch 😄)
