Identityserver4: invalid_grant after sign in

Created on 24 Oct 2017 · 4 Comments · Source: IdentityServer/IdentityServer4

  • [x] I read and understood how to enable logging

Issue / Steps to reproduce the problem

I have a .Net core 2 IdSvr and MVC portal running fine locally. I'm trying to deploy them both to docker containers behind an nginx proxy though, and while I can authenticate a locally running MVC portal against the deployed IdSvr, I cannot authenticate from the deployed MVC portal.

Full details of the logs can be found on this StackOverflow question if that helps but I assume I'm missing some config either in the IdSvr project or the MVC client.

https://stackoverflow.com/questions/46884549/identityserver4-sub-claim-is-missing

Any help would be much appreciated as we're trying to make IdSvr our federated identity gateway for all our systems and this is the first stage.

Relevant parts of the log file

[11:22:51 INF] Request starting HTTP/1.1 POST http://testportal.cmacgroup.co.uk/signin-oidc application/x-www-form-urlencoded 1559
[11:22:51 ERR] Message contains error: 'invalid_grant', error_description: 'error_description is null', error_uri: 'error_uri is null', status code '400'.
[11:22:51 ERR] Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant'], error_description: 'error_description is null', error_uri: 'error_uri is null'.
All 4 comments

any update?

Some progress, in that I've got the IdSvr4 web app running in a container, and if I run the client locally I can authenticate against IdSvr4 without a problem. If I use the client as deployed in a container however, after a successful authentication I just get the nginx 502 page and no error logged. If I refresh the page and therefore resubmit the form however I get the following error:
[13:30:07 ERR] HTTP POST /signin-oidc responded 500 Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant' , error_description: 'error_description is null', error_uri: 'error_uri is null'.
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler1.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Cmac.Portal.Web.Middleware.SerilogMiddleware.<Invoke>d__4.MoveNext() in /app/Cmac.Portal.Web/Middleware/SerilogMiddleware.cs:line 37

I assume it's therefore something to do with either the nginx config or how I've deployed the client container but I can't seem to get any more info on the initial failure.

I'm spending some more time looking at it today and will update.

So I finally got to the bottom of it. It seems the default header limits in nginx don't play nice and I found this in the logs
upstream sent too big header while reading response header from upstream

Updating the nginx config to include the lines

proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;

prevented the 502 error and it all authenticates fine now.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
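
An added example (not code from this thread or from the IdentityServer4 project) that correlates the two symptoms reported above: the nginx `upstream sent too big header` error and the `invalid_grant` raised when the same `/signin-oidc` POST is resubmitted. The log lines are constructed in nginx error-log and Serilog console formats; the host names, addresses, two-minute window and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in nginx error-log and Serilog console formats;
# hosts, addresses and times are made up for the example.
NGINX_ERROR_LOG = """\
2017/10/24 13:29:52 [error] 7#7: *12 upstream sent too big header while reading response header from upstream, client: 10.0.0.5, server: portal.example.test, request: "POST /signin-oidc HTTP/1.1", upstream: "http://172.18.0.3:5000/signin-oidc", host: "portal.example.test"
2017/10/24 13:41:10 [error] 7#7: *31 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.5, server: portal.example.test, request: "GET / HTTP/1.1", upstream: "http://172.18.0.3:5000/", host: "portal.example.test"
""".splitlines()

APP_LOG = """\
[13:30:07 ERR] HTTP POST /signin-oidc responded 500 Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant'
[13:55:00 ERR] HTTP POST /signin-oidc responded 500 Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant'
""".splitlines()

DROP = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\].*upstream sent too big header'
                  r'.*request: "(\w+) (\S+) ')
GRANT = re.compile(r"^\[(\d\d:\d\d:\d\d) ERR\] HTTP (\w+) (\S+) responded \d+ .*'invalid_grant'")

def dropped_responses(nginx_lines):
    """Return (time, method, path) for each response nginx discarded as too big."""
    out = []
    for line in nginx_lines:
        m = DROP.search(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), m.group(3)))
    return out

def correlate(nginx_lines, app_lines, window=timedelta(minutes=2)):
    """Pair each invalid_grant with an earlier dropped response for the same request."""
    drops = dropped_responses(nginx_lines)
    findings = []
    for line in app_lines:
        m = GRANT.search(line)
        if not m:
            continue
        clock = datetime.strptime(m.group(1), "%H:%M:%S").time()
        cause = None
        for when, method, path in drops:
            # The app log has no date, so borrow the date of the nginx entry.
            seen = datetime.combine(when.date(), clock)
            if (method, path) == (m.group(2), m.group(3)) and timedelta(0) <= seen - when <= window:
                cause = when
        findings.append((m.group(1), m.group(3), cause))
    return findings

if __name__ == "__main__":
    for at, path, cause in correlate(NGINX_ERROR_LOG, APP_LOG):
        print(at, path, "follows header drop at %s" % cause if cause else "no proxy drop nearby")
```

A match points at the proxy's buffer settings (the `proxy_buffer_size`, `proxy_buffers` and `proxy_busy_buffers_size` directives from the comment above) rather than at the client or IdentityServer configuration.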
