Open Closed

Identity Server timeout error when trying to login with external authentication provider #695


User avatar
0
nhontran created

Hi, I have 2 applications: application A and application B, both applications were created using abp suite with the options as below:

  • ABP Framework version: v3.3.2
  • UI type: Angular
  • Identity Server Seperated (Angular): yes

I want user from application A can login into application B, so I have created client id and client secret in Identity Server A and added Identity Server A as external authentication provider in Identity Server B:

context.Services.AddAuthentication()
                .AddOpenIdConnect("oidc", "Intranet OpenID Connect", options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                    options.SignOutScheme = IdentityServerConstants.SignoutScheme;

                    options.Authority = "https://localhost:44306/";
                    options.ClientId = "internetprovider";
                    options.ClientSecret = "R73vz3w4ttIAhETTO2xp/FW5b2m90nPw0aLvOvA50d4=";
                    options.ResponseType = "code";
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        NameClaimType = "name",
                        RoleClaimType = "role"
                    };
                })

the login option is shown in Identity Server B login page:

However, I got timeout error when trying to click the above button, this is the log content: https://drive.google.com/file/d/1VEQzShv4mI3tLc1ZbiAXi6OqOZuKNXY-/view?usp=sharing


17 Answer(s)
  • User Avatar
    0
    nhontran created

    Hi, I managed to make the login working by changing the code below:

    context.Services.AddAuthentication()
                    .AddOpenIdConnect("oidc", "Intranet OpenID Connect", options =>
                    {
                        options.Authority = "https://localhost:44306/";
                        options.ClientId = "internetprovider";
                        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                        options.ClientSecret = "secret";
                        options.RequireHttpsMetadata = false;
                        options.SaveTokens = true;
                        options.GetClaimsFromUserInfoEndpoint = true;
                        options.Scope.Add("email");
                    })
    

    the page had navigated to the Identity Server A login page, I logged in successfully, however, it keeps navigate back to the Identity Server B login page, it should redirect me to application page or registration page if user is new.

    This is the client configuration in Identity Server A:

    Callback:

    Grant Types:

    Any help is appreciated

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Hello @nhontran,

    the login option is shown in Identity Server B login page:

    Can you check if you have returnUrl parameter on your address bar after navigated to Application A Login Page?

    the page had navigated to the Identity Server A login page, I logged in successfully, however, it keeps navigate back to the Identity Server B login page, it should redirect me to application page or registration page if user is new.

    User will already be registered with external provider, this is some different page for business rule i assume.

    Either return url is not set or getting lost at the flow. Need more info to check it. But you can also modify the flow as you like with overriding the LoginPage of Application B like explained in this article.

    For example, you can override this method below and check or manipulate to redirect to your dashboard whichever page you like.

    public override Task<IActionResult> OnGetExternalLoginCallbackAsync(string returnUrl = "", string returnUrlHash = "", string remoteError = null) { return base.OnGetExternalLoginCallbackAsync(returnUrl, returnUrlHash, remoteError); }

  • User Avatar
    0
    nhontran created

    Hi @gterdem, yes, the returnUrl was in address bar after navigated to Application A login page:

    https://localhost:44306/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dinternetprovider%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A44366%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520email%26code_challenge....

    • Identity Server B: localhost:44366
    • Identity Server A: localhost:44306

    Below is the log details in Identity Server B, there is a line "ModelState is invalid", could you help me check:

    [00:41:39 INF] Request starting HTTP/2.0 POST https://localhost:44366/Account/Login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fresponse_type%3Dcode%26client_id%3DinternetAbp_App%26state%3DNTdhV1BhekxYTjFQakFyMzAwWFhMeW9CRHAzVURfMEVUbk4weVl-aVZhZmtw%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Dopenid%2520offline_access%2520internetAbp%26code_challenge%3DdQlDYtTlRIf4QVskwYTFtNSzSLEHKkZ2Vi5tLCO3nMk%26code_challenge_method%3DS256%26nonce%3DNTdhV1BhekxYTjFQakFyMzAwWFhMeW9CRHAzVURfMEVUbk4weVl-aVZhZmtw&handler=ExternalLogin application/x-www-form-urlencoded 651 [00:41:39 INF] CORS policy execution failed. [00:41:39 INF] Request origin https://localhost:44366 does not have permission to access the resource. [00:41:39 INF] No CORS policy found for the specified request. [00:41:39 INF] Executing endpoint '/Account/Login' [00:41:39 INF] Route matched with {page = "/Account/Login", area = "", action = "", controller = ""}. Executing page /Account/Login [00:41:39 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy [00:41:39 INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.LoginModel.OnPostExternalLogin - ModelState is Invalid [00:41:39 INF] Executed handler method OnPostExternalLogin, returned result Microsoft.AspNetCore.Mvc.ChallengeResult. [00:41:39 INF] Executing ChallengeResult with authentication schemes (["oidc"]). [00:41:39 INF] AuthenticationScheme: oidc was challenged. [00:41:39 INF] Executed page /Account/Login in 136.7324ms [00:41:39 INF] Executed endpoint '/Account/Login' [00:41:39 DBG] Added 0 entity changes to the current audit log [00:41:39 DBG] Added 0 entity changes to the current audit log [00:41:39 INF] Request finished in 159.1755ms 302

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Can you override OnPostExternalLogin method as the sample I mentioned to check what the ModelState is about?

  • User Avatar
    0
    nhontran created

    Hi @gterdem, I have overrided the methods and found the root caue, the loginInfo is returned null if I login with the Identity Server A as authentication provider:

    var loginInfo = await SignInManager.GetExternalLoginInfoAsync();
                if (loginInfo == null)
                {
                    Logger.LogWarning("External login info is not available");
                    return RedirectToPage("./Login");
                }
    

    I have added Google authentication provider to check, it was able to retrieve the loginInfo and proceed redirect to /Register page to register new user while the Identity Server could not retrieve the info and redirected to /.Login page:

    Google log:

    [10:28:16 INF] Executing handler method internetAbp.Pages.Account.CustomLoginModel.OnGetExternalLoginCallbackAsync - ModelState is Valid
    [10:28:17 DBG] Added 0 entity changes to the current audit log
    [10:28:17 DBG] Added 0 entity changes to the current audit log
    [10:28:17 INF] Executed handler method OnGetExternalLoginCallbackAsync, returned result Microsoft.AspNetCore.Mvc.RedirectToPageResult.
    [10:28:17 DBG] Added 0 entity changes to the current audit log
    [10:28:17 INF] Executing RedirectToPageResult, redirecting to ./Register.
    

    Identity Server A log:

    [10:30:30 INF] Executing handler method internetAbp.Pages.Account.CustomLoginModel.OnGetExternalLoginCallbackAsync - ModelState is Valid
    [10:30:33 WRN] External login info is not available
    [10:30:33 INF] Executed handler method OnGetExternalLoginCallbackAsync, returned result Microsoft.AspNetCore.Mvc.RedirectToPageResult.
    [10:30:33 INF] Executing RedirectToPageResult, redirecting to ./Login.
    [10:30:33 INF] Executed page /Account/Login in 3398.5971ms
    [10:30:33 INF] Executed endpoint '/Account/Login'
    

    Full Log:

    • Google: https://drive.google.com/file/d/1twmxIq2_xMXNNMe5ejc8mTi4CmMQggJY/view?usp=sharing
    • Identity Server A: https://drive.google.com/file/d/1UFc2TLSfSlx62mntxXHd2nkZJ_qMuIFz/view?usp=sharing

    Could you please help me check.

  • User Avatar
    0
    alper created
    Support Team Director

    @nhontran we couldn't reproduce it. is it possible to share a repro project with us send the link to info@abp.io with the question number.

  • User Avatar
    0
    nhontran created

    Hi @alper, yes, I have shared the repo via email, please help take a look.

    Thanks.

  • User Avatar
    0
    alper created
    Support Team Director

    thanks we got your solution. it's under investigation.

  • User Avatar
    0
    nhontran created

    Hi @alper, is there any updates on the investigation?

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Hi @nhontran, thanks for your patience. We're still investigating it. I'll be inform you as soon as possible.

  • User Avatar
    0
    nhontran created

    Hi @gterdem, did you manage to reproduce the issue? I have removed the repository due to license key found in the repo.

    Please let me know if you need any further info.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Hi @nhontran,

    I've reproduced

    1. Application B (Angular) trying to login, redirects to Application B IS
    2. Application B IS redirects to Application A IS after External Login Intranet OpenId Connect click
    3. After entering credentials Application A IS redirects to Application B IS login which means external login is not successful
    4. User is not externally registered to Application B IS

    We're investigating this behaviour.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Hello @nhontran,

    I found out that the miss configuration of Intranet OpenID Connect causes this behaviour.

    You need to add:

    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    // Mapping for GetExternalLoginInfoAsync since "sub" is used instead of "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier);
    

    before <br>

    context.Services.AddAuthentication()
        .AddOpenIdConnect("oidc", "Intranet OpenID Connect", options =>
        {
    

    so that provider key should not be null in the default signin manager implementation of GetExternalLoginInfoAsync. This causes chain failure of events which was really time consuming to figure out.

    Key of notice, this is related with microsoft default oidc claim mapping issue, not related with ABP. Here is a related identityserver issue.

  • User Avatar
    0
    nhontran created

    Hi @gterdem, noted. I will try and let you know. Thanks a lot

  • User Avatar
    0
    alper created
    Support Team Director

    let us know and if it's OK close the issue pls.

  • User Avatar
    0
    nhontran created

    Hi @gterdem, sorry for my late response, I have tried the fix suggested by you but it does not work, it still could not get the external login info

    [00:08:12 INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.LoginModel.OnGetExternalLoginCallbackAsync - ModelState is Valid
    [00:08:12 INF] Identity.External was not authenticated. Failure message: Unprotect ticket failed
    [00:08:12 WRN] External login info is not available
    [00:08:12 INF] Executed handler method OnGetExternalLoginCallbackAsync, returned result Microsoft.AspNetCore.Mvc.RedirectToPageResult.
    [00:08:12 INF] Executing RedirectToPageResult, redirecting to ./Login.
    

    Could you please help us take a look.

  • User Avatar
    0
    nhontran created

    Hi @gterdem, sorry, I have set SignInScheme to another value when doing the verification.

    Your suggestion has resolved the issue, thank you very much.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 18, 2024, 05:54