Open Closed

OpenIdConnectAuthenticationHandler: message.State is null or empty. #3205


User avatar
0
AlderCove created
  • ABP Framework version: v5.1.4
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Upon logging into the Public Website (as result of a password reset or navigating to https://portal-identity-dev.com/Account/Login?returnUrl=https%3A%2F%2Fportal-web-public-dev.com%2Fsignin-oidc), the application returns to url ("https://portal-web-public-dev.com/signin-oidc") and a 500 Internal Server Error occurs:

In the public web server log:

2022-06-07 17:56:19.662 +00:00 [INF] Error from RemoteAuthentication: OpenIdConnectAuthenticationHandler: message.State is null or empty.. 2022-06-07 17:56:19.663 +00:00 [ERR] An unhandled exception has occurred while executing the request. System.Exception: An error was encountered while handling the remote login. ---> System.Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty. --- End of inner exception stack trace --- at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler1.HandleRequestAsync() at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task) 2022-06-07 17:56:19.663 +00:00 [INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Controllers.ErrorController.Index (Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared)' 2022-06-07 17:56:19.663 +00:00 [INF] Route matched with {action = "Index", controller = "Error", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task1[Microsoft.AspNetCore.Mvc.IActionResult] Index(Int32) on controller Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Controllers.ErrorController (Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared). 2022-06-07 17:56:19.667 +00:00 [WRN] Could not find IdentityClientConfiguration for AbpMvcClient. Either define a configuration for AbpMvcClient or set a default configuration. 2022-06-07 17:56:19.667 +00:00 [INF] Start processing HTTP request GET "https://portal-api-dev.com/api/abp/application-configuration?api-version=1.0" 2022-06-07 17:56:19.667 +00:00 [INF] Sending HTTP request GET "https://portal-api-dev.com/api/abp/application-configuration?api-version=1.0" 2022-06-07 17:56:20.299 +00:00 [INF] Received HTTP response headers after 631.6003ms - 200 2022-06-07 17:56:20.299 +00:00 [INF] End processing HTTP request after 631.8429ms - 200 2022-06-07 17:56:20.436 +00:00 [INF] Executing ViewResult, running view ~/Views/Error/500.cshtml. 2022-06-07 17:56:20.452 +00:00 [WRN] Could not find IdentityClientConfiguration for CmsKitPublic. Either define a configuration for CmsKitPublic or set a default configuration. 2022-06-07 17:56:20.452 +00:00 [INF] Start processing HTTP request GET "https://portal-api-dev.com/api/cms-kit-public/menu-items?api-version=1.0" 2022-06-07 17:56:20.452 +00:00 [INF] Sending HTTP request GET "https://portal-api-dev.com/api/cms-kit-public/menu-items?api-version=1.0" 2022-06-07 17:56:20.485 +00:00 [INF] Received HTTP response headers after 33.3313ms - 200 2022-06-07 17:56:20.486 +00:00 [INF] End processing HTTP request after 33.559ms - 200 2022-06-07 17:56:20.491 +00:00 [INF] Executed ViewResult - view ~/Views/Error/500.cshtml executed in 54.2382ms.

Pressing the Login button navigates to the identity server and back again with a logged-in state.

I am using docker containers.

Identity server app settings: { "App": { "SelfUrl": "https://portal-identity-dev.com", "ClientUrl": "https://portal-web-public-dev.com", "CorsOrigins": "https://portal-app-dev.com,https://portal-api-dev.com,https://portal-identity-dev.com", "RedirectAllowedUrls": "https://portal-app-dev.com,https://portal-api-dev.com,https://portal-web-public-dev.com/signin-oidc" }, "AuthServer": { "Authority": "https://portal-identity-dev.com", "RequireHttpsMetadata": "false", "ValidIssuers": [ "https://portal-web-public-dev.com", "https://portal-app-dev.com", "https://portal-web-dev.com", "https://portal-api-dev.com" ] }, "ConnectionStrings": { "Default": "Server=XX\data1; Database=Portal; User=sa; Password=XX;" }, "Redis": { "Configuration": "redis" }, "StringEncryption": { "DefaultPassPhrase": "ZY4h7Pg08tNZWA0d" } }

Web Public appsettings: { "App": { "SelfUrl": "https://portal-web-dev.com" }, "RemoteServices": { "Default": { "BaseUrl": "https://portal-api-dev.com/" }, "AbpAccountPublic": { "BaseUrl": "https://portal-identity-dev.com/" } }, "Redis": { "Configuration": "redis" }, "AuthServer": { "Issuer": "https://portal-web-public.com", "Authority": "https://portal-identity-dev.com", "RequireHttpsMetadata": "true", "ClientId": "Portal_Web_Public_Tiered", "ClientSecret": "1q2w3e*", "ValidIssuers": [ "https://portal-web-public-dev.com", "https://portal-app-dev.com", "https://portal-web-dev.com", "https://portal-api-dev.com" ] }, "StringEncryption": { "DefaultPassPhrase": "ZY4h7Pg08tNZWA0d" } }


14 Answer(s)
  • User Avatar
    0
    AlderCove created

    I am encountering the same issue running the application locally, outside of docker.

    a) Navigate to url:

    https://localhost:44309/Account/Login?ReturnUrl=https%3A%2F%2Flocalhost%3A44306%2Fsignin-oidc

    b) Login :

    c) Exception:

    d) web public log file:

    2022-06-07 14:37:48.835 -07:00 [INF] Error from RemoteAuthentication: OpenIdConnectAuthenticationHandler: message.State is null or empty.. 2022-06-07 14:37:48.836 -07:00 [ERR] An unhandled exception has occurred while executing the request. System.Exception: An error was encountered while handling the remote login. ---> System.Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty. --- End of inner exception stack trace --- at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync() at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Share your openid configuration located in the PublicWebsiteModule please.

  • User Avatar
    0
    AlderCove created
    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        context.Services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
            .AddCookie("Cookies", options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromDays(365);
            })
            .AddAbpOpenIdConnect("oidc", options =>
            {
                options.Authority = configuration["AuthServer:Authority"];
                options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); ;
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    
                options.ClientId = configuration["AuthServer:ClientId"];
                options.ClientSecret = configuration["AuthServer:ClientSecret"];
    
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
    
                options.Scope.Add("role");
                options.Scope.Add("email");
                options.Scope.Add("phone");
                options.Scope.Add("Portal");
            });
    }
    
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    I don't see any problem with your configuration. You mention you receive this error on locally also..

    How can we reproduce this problem? Can you send your project or a minimal project having this issue to info@abp.com via email so that we can check?

  • User Avatar
    0
    AlderCove created

    I created a new project with abp suite and was able to isolate the issue a little better.

    ABP Framework version: v5.1.4 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Separated (Angular): yes Public website: yes

    Running in locally with Null Email Sender in use.

    The issue arises in the following scenario:

    1. Navigate to the web public page
    2. Click Login (navigates to Identity server)
    3. Click Forgot password
    4. Enter email for password reset
    5. Copy & paste the password reset link from the Identity Server log into browser (ie. https://localhost:44349/Account/ResetPassword?userId=bcece16c-6098-6c0c-1ad3-3a045aecf37c&__tenant=&resetToken=CfDJ8PxMEPuK7GlJjYKAHwu3dDapqpsWhVzKFziM6xXtptAvMFgXVCOc%2BIIWnBiY1Uq0GDOOmno4yc99Ur26Zu4GCQPTDDino5Ix8dGgf6meYEtyXo%2FpH0VQlhB3C%2F0Rhy6h0lfn6lFkXK0yqHQGjTIB22xWUfYlzljkJDmCc%2FFy%2BuOR5PV8sMSKOvkUPz6T0bwUUCtrg1qRgKgL5l%2FeUWdijBcffVip%2B1nRPJ2ijhnVqS0j&returnUrl=https://localhost:44306/signin-oidc)
    6. On Reset Password page, enter new password
    7. On Reset Pasword Confirmation page, press Go to the application
    8. On Login page, enter credentials and Login.
    9. System redirects to the Identity Server page (even though the return url in the password reset is to the public website "https://localhost:44306/signin-oidc")

    As a result of this issue, we had added a redirect setting (https://localhost:44306) in the appsettings for the identity server project:

    "RedirectAllowedUrls": "http://localhost:4200,https://localhost:44307,https://localhost:44306"

    When the redirect url is added, the exception described above is thrown (RemoteAuthentication: OpenIdConnectAuthenticationHandler: message.State is null or empty.).

    We also tried with the RedirectAllowedUrl of "https://localhost:44306/signin-oidc" with the same result.

  • User Avatar
    -2
    AlderCove created

    I sent the project link to info@abp.com.

    Here are some more details on the exception that occurs when the RedirectAllowedUrls setting is added for the public website:

  • User Avatar
    0
    AlderCove created

    Hi - any thoughts?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @AlderCove

    Sorry, the email address you sent doesn't exist. Could you send it to info@abp.io ?

    Thanks,

  • User Avatar
    0
    AlderCove created

    Shared with info@abp.io

  • User Avatar
    0
    AlderCove created

    Hi, any update on this?

    We are going live soon and this is a critical issue for us.

    Thanks

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    The default login flow as below is where you are redirected to authentication server (identityserver) with parameters and redirected back after your login request is verified.

    In your case the login flow is interrupted with the password-reset flow:

    Since the password reset link is sent, it becomes completely asynchronous and the flow is tries to be linked with login again with Go to the application step (between 6 and 7). However, the login related parameters are lost.

    There are some best practice considerations in this scenario like invalidating the password reset link and rebuilding the login url etc.

    If this is an urgent issue for your, you can override the Account/ResetPasswordConfirmation page and remove (or update) the Go to the application button to trigger the login flow from the start again.

    I have created an internal issue for this scenario and refunded your credit.

    Thank you.

  • User Avatar
    0
    AlderCove created

    I appreciate the detailed response.

    Can you please let me know what I need to change to update the button to trigger the login workflow from the start again?

    Thank you.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    You need to override Account/ResetPasswordConfirmation page and remove the button and add a new one (or remove /signin-oidc path) to redirect to application for users to manually start the login again.

    To override, create ResetPasswordConfirmation page under Account folder.

    This is the current state of the page:

    ResetPasswordConfirmation.cshtml:

    @page
    @model Volo.Abp.Account.Public.Web.Pages.Account.ResetPasswordConfirmationModel
    @inject Volo.Abp.AspNetCore.Mvc.UI.Layout.IPageLayout PageLayout
    @using Microsoft.AspNetCore.Mvc.Localization
    @using Volo.Abp.Account.Localization
    @inject IHtmlLocalizer<AccountResource> L
    @{
        PageLayout.Content.Title = L["ResetPassword"].Value;
    
    }
    <p>@L["YourPasswordIsSuccessfullyReset"]</p>
    <a abp-button="Primary" asp-page="./Login" asp-route-returnUrl="@Model.ReturnUrl">@L["LoginToTheApplication"]</a>
    

    ResetPasswordConfirmation.cshtml.cs:

    namespace Volo.Abp.Account.Public.Web.Pages.Account;
    
    [AllowAnonymous]
    public class ResetPasswordConfirmationModel : AccountPageModel
    {
        [BindProperty(SupportsGet = true)]
        public string ReturnUrl { get; set; }
    
        [BindProperty(SupportsGet = true)]
        public string ReturnUrlHash { get; set; }
    
        public virtual Task<IActionResult> OnGetAsync()
        {
            ReturnUrl = GetRedirectUrl(ReturnUrl, ReturnUrlHash);
    
            return Task.FromResult<IActionResult>(Page());
        }
    }
    
  • User Avatar
    0
    AlderCove created

    @gterdem,

    Thank you for the additional details.

    I wasn't understanding how to trigger the login flow from the start and thought there was something complex that needed to be done!

    I have modified the page logic to show a button with a link to the public website (which is parsed from the model return url).

    Upon returning to the website, the user must log in to restart the login flow.

    It's one extra step, but will resolve the issue until a more permanent solution is implemented.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09