Identityserver4: Check session endpoint enabled, but SessionId is missing
- [x] I read and understood how to enable logging
Issue / Steps to reproduce the problem
Since i've migrated from .Net Core 1.1 to .Net Core 2.0, i get these error messages coming for IdentityServer4 logs in production
I'm using AspNetIdentity, EF Core 2.0,
Any ideas why ?
App seems to work normaly. Errors happens from JS client and Asp Net MVC client.
Relevant parts of the log file
fail: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Check session endpoint enabled, but SessionId is missing
{
"ClientId": "technicalsheet-client",
"RedirectUri": "XXXXXXXXXXXXXXXXX",
"AllowedRedirectUris": [XXXXXXXXXXXXXXXXX],
"SubjectId": "XXXXXXXXXXXXXXXXX",
"ResponseType": "id_token token",
"ResponseMode": "fragment",
"GrantType": "implicit",
"RequestedScopes": "openid profile email roles technicalsheet-service pdf-service mailing-service",
"State": "92ae6f90f2084776a99da73f96bc5836",
"Nonce": "589c2e0ec1694c00ac7abc9c48d26b47",
"Raw": {
"client_id": "technicalsheet-client",
"redirect_uri": "XXXXXXXXXXXXXXXXX",
"response_type": "id_token token",
"scope": "openid profile email roles technicalsheet-service pdf-service mailing-service",
"state": "92ae6f90f2084776a99da73f96bc5836",
"nonce": "589c2e0ec1694c00ac7abc9c48d26b47"
}
}
lacroixdavid1
All 14 comments
This tells me that somehow you're issuing the authentication cookie outside of our pipeline or you have registered your own IAuthenticationService in the DI system. What's your ConfigureServices and Configure look like?
brockallen
on 2 Dec 2017
Any update?
brockallen
on 5 Dec 2017
I think it might be my bad. We're switching to OAuth2.0 at work and we temporarily have to manage two user database. I think that on partial user migration i deleted some persisted grants witch caused this error.
I did not register my own IAuthenticationService
Here is a copy/paste ConfigureServices and Configure:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
app.UseBrowserLink();
app.UseWebpackDevMiddleware(new WebpackDevMiddlewareOptions
{
HotModuleReplacement = true
});
}
else
{
app.UseExceptionHandler("/error");
app.Use(async (context, next) =>
{
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
KnownNetworks =
{
new IPNetwork(IPAddress.Any, 0)
}
});
}
app.UseStaticFiles();
app.UseSession();
// app.UseAuthentication();
app.UseIdentityServer();
app.Map("/api", api =>
{
api.UseCors("allowAnyOrigin");
api.UseMvc(routes =>
{
routes.MapRoute(
name: "api",
template: "../RestApi/Controllers/{controller}/{action}/{id?}");
});
});
app.Map("/backend", backend =>
{
backend.UseCors("localOriginOnly");
backend.UseMvc(routes =>
{
routes.MapRoute(
name: "backend",
template: "../Backend/Controllers/{controller}/{action}/{id?}");
});
});
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
routes.MapSpaFallbackRoute(
name: "spa-fallback",
defaults: new { controller = "Home", action = "Index" });
});
}
public void ConfigureServices(IServiceCollection services)
{
var connectionString = Configuration.GetConnectionString("DefaultConnection");
// Add framework services.
services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString));
services.ConfigureApplicationCookie(opt =>
{
// opt.Cookie.
opt.LoginPath = new PathString("/account/login");
opt.Events = new CookieAuthenticationEvents
{
OnRedirectToLogin = context =>
{
if (!context.Request.PathBase.StartsWithSegments("/api"))
{
context.Response.Redirect(context.RedirectUri);
}
return Task.CompletedTask;
}
};
});
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Password.RequireDigit = false;
options.Password.RequireLowercase = false;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
options.User.RequireUniqueEmail = true;
options.Lockout.MaxFailedAccessAttempts = 15;
}).AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();
services.AddCors(options =>
{
options.AddPolicy("allowAnyOrigin", policy =>
{
policy.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
options.AddPolicy("localOriginOnly", policy =>
{
policy.WithOrigins(Configuration.GetSection("Identity").GetSection("Url").Value)
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
services.AddMvc().AddJsonOptions(options =>
{
options.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
options.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
});
services.AddMemoryCache();
services.AddSession(options =>
{
options.Cookie.HttpOnly = false;
});
// Registering injectable options from Appsettings.json
services.Configure<MailingServiceOptions>(Configuration.GetSection("MailingService"));
services.Configure<LocationServiceOptions>(Configuration.GetSection("LocationService"));
services.Configure<Options.IdentityOptions>(Configuration.GetSection("Identity"));
services.Configure<ClientOptions>(Configuration.GetSection("Client"));
// Registering injectable services
services.AddScoped<ImpersonateService, ImpersonateService>();
services.AddScoped<AuthorizationService, AuthorizationService>();
services.AddScoped<AuthTokenManager, AuthTokenManager>();
services.AddScoped<MailingService, MailingService>();
services.AddScoped<IUserClaimsPrincipalFactory<ApplicationUser>, AppClaimsPrincipalFactory>();
services.AddScoped<RequestAdapter, RequestAdapter>();
services.AddScoped<CachingService, CachingService>();
services.AddSingleton<LocationService, LocationService>();
services.AddSingleton<IPasswordHasher<ApplicationUser>, SQLPasswordHasher>(); // Only 1 instance - DL
services.AddSingleton<AuthHttpService, AuthHttpService>(); // Only 1 instance - DL
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
var identityServerBuilder = services.AddIdentityServer(options =>
{
options.IssuerUri = Configuration.GetSection("Identity").GetSection("Url").Value;
options.UserInteraction.LoginUrl = "/account/login";
})
.AddConfigurationStore(storeOptions => storeOptions.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, options => options.MigrationsAssembly(migrationsAssembly)))
.AddOperationalStore(storeOptions =>
{
storeOptions.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, options => options.MigrationsAssembly(migrationsAssembly));
})
.AddAspNetIdentity<ApplicationUser>()
.AddRedirectUriValidator<RedirectUriValidator>()
.AddCorsPolicyService<CorsPolicyService>()
.AddProfileService<ProfileService>();
if (_env.IsDevelopment())
{
identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
services.AddApplicationInsightsTelemetry(Configuration);
var certPath = Configuration.GetSection("Identity").GetSection("Certificate").GetSection("Path").Value;
var certPassword = Configuration.GetSection("Identity").GetSection("Certificate").GetSection("Password").Value;
var certificate = new X509Certificate2(certPath, certPassword);
identityServerBuilder.AddSigningCredential(certificate);
services.AddDataProtection()
.SetApplicationName("identity-service")
.PersistKeysToFileSystem(new DirectoryInfo(Configuration.GetSection("Identity").GetSection("MachineKeyPath").Value));
}
services.AddAuthentication()
.AddIdentityServerAuthentication(options =>
{
var appUrl = $"{Configuration.GetSection("Identity").GetSection("Url").Value}";
options.Authority = appUrl;
options.RequireHttpsMetadata = appUrl.StartsWith("https");
options.ApiName = "oidc-management-api";
});
}
Thanks for your support.
lacroixdavid1
on 5 Dec 2017
That all looks very busy to me, so I don't know what I can help with.
brockallen
on 5 Dec 2017
I am pretty sure it's all about persisted grant. Error didn't happen in the four past days.
lacroixdavid1
on 5 Dec 2017
I have got a bunch of these too after upgrade to ASP.NET Core 2 and IdentityServer 2.0.2. I also have not registered my own IAuthenticationService.
Here is my configureservices and configure
public IServiceProvider ConfigureServices(IServiceCollection services)
{
services.Configure<XXXXXOptions>(_configuration.GetSection(XXXXXOptions.SectionName));
services.AddXXXXXCookieAuthentication(_loggerFactory);
services.AddMvc().AddControllersAsServices();
services.AddCors();
services.AddMemoryCache();
services.ConfigureDataProtection(_configuration);
services.ConfigureForwardedHeaderOptions();
services.ConfigureIdentityServer(_environment, _configuration);
services.ConfigureMvc(_environment);
var containerBuilder = new ContainerBuilder();
containerBuilder.RegisterOptions(_configuration, _environment);
containerBuilder.RegisterXXXXTypes();
containerBuilder.RegisterXXXXTypes();
containerBuilder.Populate(services);
_container = containerBuilder.Build();
return new AutofacServiceProvider(_container);
}
public void Configure(IApplicationBuilder app)
{
if (_environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
app.UseExceptionHandler("/error");
}
app.UseStatusCodePagesWithRedirects("/error/{0}");
app.UseIdentityServer();
app.UseStaticFiles();
app.UseMvcWithDefaultRoute();
var appLifetime = _container.Resolve<IApplicationLifetime>();
appLifetime.ApplicationStopped.Register(() => _container.Dispose());
}
jkmu
on 6 Dec 2017
Glad to know i'm not alone with this issue.
lacroixdavid1
on 7 Dec 2017
Sorry, but I still need an exact repo from one or both of you so I can confirm it's a problem and fix it.
brockallen
on 7 Dec 2017
Any update on getting an exact repro?
brockallen
on 11 Dec 2017
Issue didn't happen again. Feel free to close issue.
lacroixdavid1
on 11 Dec 2017
Hi. It looks like I'm still getting this error. I'm using IdentityServer4 v. 2.0.2. It has started on December 4, after upgrading to .net core 2.0. My log looks like that
Check session endpoint enabled, but SessionId is missing
{
"ClientId": "XXX",
"ClientName": "XXX",
"RedirectUri": "XXX",
"AllowedRedirectUris": [
"XXX"
],
"SubjectId": "XXX",
"ResponseType": "code id_token",
"ResponseMode": "form_post",
"GrantType": "hybrid",
"RequestedScopes": "openid userprofile offline_access",
"State": "XXX",
"Nonce": "XXX",
"Raw": {
"client_id": "XXX",
"response_type": "code id_token",
"scope": "openid userprofile offline_access",
"redirect_uri": "XXX",
"state": "XXX",
"nonce": "XXX",
"response_mode": "form_post",
"_ga": "XXX",
"_gac": "XXX"
}
}
Any ideas what can I do? App seems to work normally, but I still get errors in log.
grzechu01
on 19 Dec 2017
You will have to track down what is re-issuing the cookie and neglecting to copy over the existing session id claim. ASP.NET Identity does this if you don't do something like this: https://github.com/IdentityServer/IdentityServer4.AspNetIdentity/blob/dev/src/IdentityServer4.AspNetIdentity/IdentityServerBuilderExtensions.cs#L42
brockallen
on 22 Dec 2017
This is happening to me, and I think the cause is that when a user is trying to login with the cookies generated before the migration to IdentityServer4 v2, the idsrv.session cookie is missed. Is there a way to refresh the user cookies when this happens?
yosbeleg89
on 23 Jan 2018
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars1.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 13 Jan 2020
Related issues
user1336
路
3Comments
Aravind1729
路
3Comments
osudude
路
3Comments
mackie1001
路
3Comments
ekarlso
路
3Comments