OpenIdConnect cannot parse token returned by the authorization server
Describe the bug
I have a custom auth server based on OpenIddict which I am currently testing. It is basically code taken from the openiddict samples to enable authorization code flow.
The client app is a server-side project that uses OpenIdConnect to talk to the auth server. This is the configuration:
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// The cookie scheme holds the local session; the OIDC handler only runs the
// challenge and the /signin-oidc callback (code redemption at the token endpoint).
services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // Must match the scheme name registered below ("oidc").
    // OpenIdConnectDefaults.AuthenticationScheme is "OpenIdConnect" and would not resolve to this handler.
    sharedOptions.DefaultChallengeScheme = "oidc";
})
.AddCookie()
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "[removed]";
    options.ClientId = "[removed]";
    options.ClientSecret = "[removed]";
    options.ResponseType = "code";                 // authorization code flow: the code is redeemed server-side
    options.GetClaimsFromUserInfoEndpoint = true;  // extra claims come from the userinfo endpoint
    options.SaveTokens = true;                     // keep id/access/refresh tokens in the authentication properties
    options.UseTokenLifetime = false;              // cookie lifetime is not tied to the id_token exp
    options.Scope.Add("openid");
    options.Scope.Add("email");
    options.Scope.Add("profile");
    // Empty inbound map: keep the JWT claim names ("sub", "name", ...) instead of
    // translating them to the legacy SOAP-style claim URIs.
    options.SecurityTokenValidator = new JwtSecurityTokenHandler
    {
        InboundClaimTypeMap = new Dictionary<string, string>()
    };
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name"
    };
});
To reproduce
https://github.com/cryo75/OpenIdDictException
Exceptions (if any)
2021-02-04 18:38:09.495 +01:00 [INF] Request starting HTTP/2 POST https://localhost:44350/signin-oidc application/x-www-form-urlencoded 487
2021-02-04 18:38:09.566 +01:00 [ERR] Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 200. Content-Type: text/html; charset=utf-8
 ---> System.ArgumentException: IDX21106: Error in deserializing to json: 'System.String'
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(String json)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
2021-02-04 18:38:09.601 +01:00 [INF] Error from RemoteAuthentication: Failed to parse token response body as JSON. Status Code: 200. Content-Type: text/html; charset=utf-8.
2021-02-04 18:38:09.601 +01:00 [ERR] An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 200. Content-Type: text/html; charset=utf-8
 ---> System.ArgumentException: IDX21106: Error in deserializing to json: 'System.String'
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(String json)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
2021-02-04 18:38:09.624 +01:00 [INF] Request finished HTTP/2 POST https://localhost:44350/signin-oidc application/x-www-form-urlencoded 487 - 500 - text/html;+charset=utf-8 129.1912ms
Further technical details
.NET SDK (reflecting any global.json):
  Version: 5.0.102
  Commit: 71365b4d42

Runtime Environment:
  OS Name: Windows
  OS Version: 10.0.19041
  OS Platform: Windows
  RID: win10-x64
  Base Path: C:\Program Files\dotnet\sdk\5.0.102\

Host (useful for support):
  Version: 5.0.2
  Commit: cb5f173b96

.NET SDKs installed:
  3.1.201 [C:\Program Files\dotnet\sdk]
  3.1.202 [C:\Program Files\dotnet\sdk]
  5.0.100 [C:\Program Files\dotnet\sdk]
  5.0.102 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.0-preview.4.20251.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.0-preview.4.20251.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
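The exception in the report says only that the back-channel call made during code redemption came back as HTTP 200 with text/html instead of JSON; it does not say which URL answered or what the page contained. The following is an added diagnostic written for this page (it is not part of the issue's repro project, nor of OpenIddict or ASP.NET Core): a DelegatingHandler plugged into the OIDC handler's back-channel HttpClient that reports any non-JSON response from the authority (discovery, JWKS, token and userinfo must all be JSON), plus event hooks that turn the unhandled 500 into a logged, controlled failure. The request body is deliberately never logged, because the token request carries the client secret and the one-time authorization code. `TokenResponseDiagnosticsHandler`, `OidcDiagnostics` and the `/Error?reason=oidc` route are hypothetical names; `BackchannelHttpHandler`, `OnTokenResponseReceived` and `OnAuthenticationFailed` are real members of OpenIdConnectOptions/OpenIdConnectEvents.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Logging;

// Hypothetical diagnostic handler (not part of the issue's repro). Every request the OIDC
// handler sends through its Backchannel client must return JSON, so any other media type
// means the call was misrouted (e.g. answered by a login page) or hit an HTML error page.
public sealed class TokenResponseDiagnosticsHandler : DelegatingHandler
{
    private readonly ILogger _logger;

    public TokenResponseDiagnosticsHandler(ILogger logger, HttpMessageHandler inner) : base(inner)
    {
        _logger = logger;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);

        if (!IsJson(response.Content?.Headers.ContentType))
        {
            // Only the response is logged. The token request body contains client_secret
            // and the authorization code; it must never reach a log file.
            var body = response.Content is null
                ? string.Empty
                : await response.Content.ReadAsStringAsync(cancellationToken);
            _logger.LogError(
                "Non-JSON response from authority: {Method} {Url} -> {Status} {ContentType}; first 200 chars: {Snippet}",
                request.Method, request.RequestUri, (int)response.StatusCode,
                response.Content?.Headers.ContentType?.MediaType ?? "(none)",
                body.Length > 200 ? body.Substring(0, 200) : body);
        }

        return response;
    }

    // Accepts application/json and any +json media type (e.g. application/jwk-set+json).
    public static bool IsJson(MediaTypeHeaderValue contentType)
    {
        var mediaType = contentType?.MediaType;
        if (string.IsNullOrEmpty(mediaType)) return false;
        return mediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase)
            || mediaType.EndsWith("+json", StringComparison.OrdinalIgnoreCase);
    }
}

// Wiring for the client's AddOpenIdConnect("oidc", options => { ... }) block from the report.
public static class OidcDiagnostics
{
    public static void Apply(OpenIdConnectOptions options, ILogger logger)
    {
        // All discovery, JWKS, token and userinfo traffic now passes through the diagnostic handler.
        options.BackchannelHttpHandler = new TokenResponseDiagnosticsHandler(logger, new HttpClientHandler());

        options.Events = new OpenIdConnectEvents
        {
            // Reached only after the code was redeemed and the body parsed as JSON.
            OnTokenResponseReceived = ctx =>
            {
                logger.LogInformation("Token endpoint returned token_type={TokenType}, expires_in={ExpiresIn}",
                    ctx.TokenEndpointResponse.TokenType, ctx.TokenEndpointResponse.ExpiresIn);
                return Task.CompletedTask;
            },
            // Fires for the OpenIdConnectProtocolException in the report. Handling it here
            // replaces the unhandled 500 (and the developer exception page) with a controlled redirect.
            OnAuthenticationFailed = ctx =>
            {
                logger.LogError(ctx.Exception, "OIDC remote authentication failed");
                ctx.HandleResponse();
                ctx.Response.Redirect("/Error?reason=oidc");
                return Task.CompletedTask;
            }
        };
    }
}
```

Call `OidcDiagnostics.Apply(options, logger)` inside the `AddOpenIdConnect("oidc", ...)` lambda (note that assigning `options.Events` replaces any events already set). The error log line then names the exact URL that answered with text/html, which is the value to compare against the token endpoint advertised in the authority's discovery document. Because the handler writes response bodies from the identity provider to the log, keep it out of production configurations.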
Issue Analytics
- Created 3 years ago
- Comments:11 (6 by maintainers)
Top GitHub Comments
I will sponsor this project… I need a solution to this problem
@cryo75 nice!
Your scenario makes total sense and is quite typical in enterprisey environments. Windows Integrated Authentication is typically not a good option when directly used with APIs as it's prone to CSRF (just like cookies, but in this case, no same-site equivalent to save you), so you may want to update the existing resource server and client to use OIDC instead of direct Windows authentication (but of course, it's technically a breaking change, so you must be able to update the client for things to work correctly).