Open Closed

OpenIdConnect First login for new user #3207


User avatar
0
isaac.yip@cpy.com.hk created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include followings:

  • ABP Framework version: v5.2.1
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • ERR_HTTP2_PROTOCOL_ERROR / Bad Request - Request Too Long
  • Steps to reproduce the issue:"
    1. Create a new abp user using IdentityUserManager.CreateAsync() method
    2. login as external login using Azure OpenIDConnect
    3. If Microsoft already logined, it will show the Bad Request - Request Too Long Error.
    4. If not and follow the Microsoft login steps, it will show ERR_HTTP2_PROTOCOL_ERROR Error.
    5. For every new created user, it show up the same problem. I need to clear the cookies and login again.

If login success, the cookies will be like that.

If the problem show up, cookies will be

If you want keep producing the issue, you can delete the record in AbpUserLogins table and login again.

It only occur when running on IIS. If using dotnet run in localhost, no such issue occur.


8 Answer(s)
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    All the cookies are generated for localhost for each session. When you are authenticated to 3rd party, you are already authenticated to Identity.External too.

    You can try to increasing max request size on IIS like:

    <system.web>
            <httpRuntime maxRequestLength="2097151" executionTimeout="2097151" />
    </system.web>
    
  • User Avatar
    0
    isaac.yip@cpy.com.hk created

    Already increased the request size. Still not work.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Did you deploy your application? Or you are getting this error on the localhost dev/sta environment?

  • User Avatar
    0
    isaac.yip@cpy.com.hk created

    deployed

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    The development environment may have similar problems since tiered applications use the same localhost for domain and shared cookies that cause errors. Because when you stop running your application without logging out, session cookies on localhost are not cleared and sometimes needs to be manually removed. It is not something we can fix because:

    • .Net applications set .AspNetCore cookies
    • IdentityServer sets shared idsrv.session cookie
    • Microsoft Identity sets identity.Application cookie
    • Microsoft Identity sets identity.External cookie when logged in to 3rd party

    However, deployment is a whole different scenario. You may be using sub domains sharing session cookies may be causing this. If the solution I mentioned at this answer and you mention this problem only occurs on IIS, I suggest asking on also StackOverflow since this can be directly related to IIS. It can be version related or some different configuration which is out of my scope unfortunately.

  • User Avatar
    0
    isaac.yip@cpy.com.hk created

    In the OnGetExternalLoginCallbackAsync function (login.html.cs), I found that calling signin two times there if the the signin result is not success but without signout. May I know the reason?

    var result = await SignInManager.ExternalLoginSignInAsync(
                loginInfo.LoginProvider,
                loginInfo.ProviderKey,
                isPersistent: true,
                bypassTwoFactor: true
            );
    
            if (!result.Succeeded)
            {
                await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
                {
                    Identity = IdentitySecurityLogIdentityConsts.IdentityExternal,
                    Action = "Login" + result
                });
            }
    

    After added login info or created external user, it call signin method again.

    var externalUser = await UserManager.FindByEmailAsync(email);
            if (externalUser == null)
            {
                externalUser = await CreateExternalUserAsync(loginInfo);
            }
            else
            {
                if (await UserManager.FindByLoginAsync(loginInfo.LoginProvider, loginInfo.ProviderKey) == null)
                {
                    CheckIdentityErrors(await UserManager.AddLoginAsync(externalUser, loginInfo));
                }
            }
    
            if (await HasRequiredIdentitySettings())
            {
                Logger.LogWarning($"New external user is created but confirmation is required!");
    
                await StoreConfirmUser(externalUser);
                return RedirectToPage("./ConfirmUser", new {
                    returnUrl = ReturnUrl,
                    returnUrlHash = ReturnUrlHash
                });
            }
    
            await SignInManager.SignInAsync(externalUser, false);
    

    For the First login, I found that the result from ExternalLoginSignInAsync is not success. Can I add the signout there? Will it cause any problems?

    if (!result.Succeeded)
            {
                await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
                {
                    Identity = IdentitySecurityLogIdentityConsts.IdentityExternal,
                    Action = "Login" + result
                });
                await SignInManager.SignOutAsync();
            }
    
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    You are signed in to different authentication schemes so it is called multiple times. It is Microsoft Identity and you can modify as you like if you know what you are doing.

    For the First login, I found that the result from ExternalLoginSignInAsync is not success. Can I add the signout there? Will it cause any problems?

    If a problem occurs on based on web-server (IIS), I would suggest digging into that instead of changing the source code.

  • User Avatar
    0
    FrancoisLabelle created

    Hello,

    I had a similar issue when I have activated the Microsoft login and tested it locally on my workstation using IIS express.

    My solution was to add this configuration in the web.config file of the IdentityServer project.

    &lt;system.webServer&gt;
    	&lt;security&gt;
    		&lt;requestFiltering&gt;
    			&lt;!--This is needed with IISEXPRESS to allow the callback from Microsoft OAuth/OIDC authentication with a large query string. (OIDC Specs says max 2047...) --&gt;
    			&lt;requestLimits maxQueryString=&quot;4096&quot; /&gt;
    		&lt;/requestFiltering&gt;
    	&lt;/security&gt;
    &lt;/system.webServer&gt;
    
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11