Version: 2.0.4
Reproduce:
Expected: Redirect to the login page.
Actual: Exception page.
"Message": "idp claim is missing",
"ActivityId": "0HLA3C9OK7NCQ:00000001",
"TimeStamp": "2017-12-15T02:20:54Z",
"ProcessId": 17220,
"LocalIpAddress": "::1:5000",
"RemoteIpAddress": "::1"
}
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Unhandled exception: System.InvalidOperationException: idp claim is missing
at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.<ProcessLoginAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.<ProcessInteractionAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.AuthorizeEndpointBase.<ProcessAuthorizeRequestAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.AuthorizeEndpoint.<ProcessAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext()
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Unhandled exception: System.InvalidOperationException: idp claim is missing
at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.<ProcessLoginAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.<ProcessInteractionAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.AuthorizeEndpointBase.<ProcessAuthorizeRequestAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.AuthorizeEndpoint.<ProcessAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext()
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[0]
An unhandled exception has occurred while executing the request
System.InvalidOperationException: idp claim is missing
at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity)
at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.<ProcessLoginAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator.<ProcessInteractionAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.AuthorizeEndpointBase.<ProcessAuthorizeRequestAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.AuthorizeEndpoint.<ProcessAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Hosting.BaseUrlMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__7.MoveNext()
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[0]
An unhandled exception has occurred while executing the request
Sign in to the main page of the client portal with oidc.
What is "client portal"? A client of IdentityServer?
Stay on the main page until the token has expired.
Which token?
Can you reproduce these problems with our sample or quickstarts applications? That would allow us to reproduce the error and find out what the problem is.
Yes, it's a client of IdSvr.
Tokens are id token and access token.
The client portal uses "oidc-client.js", following the official sample.
More logs related to sign-in:
dbug: IdentityServer4.Validation.TokenValidator[0]
Token validation success
{
"ValidateLifetime": true,
"AccessTokenType": "Jwt",
"ExpectedScope": "openid",
"Claims": {
"nbf": 1513307012,
"exp": 1513307062,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"basicinfo"
],
"client_id": "",
"sub": "10e53c52-ae5f-4f11-98e5-23917662cc66",
"auth_time": 1513307011,
"idp": "local",
"email": "",
"name": "",
"role": "*",
"scope": [
"openid",
"profile",
"basicinfo",
"offline_access"
],
"amr": "pwd"
}
}
For easier debugging, I've set the token lifetimes to 50s:
RefreshTokenExpiration = TokenExpiration.Absolute,
AbsoluteRefreshTokenLifetime = 10,
IdentityTokenLifetime = 50,
AccessTokenLifetime = 50,
And on the client side, I set the clock skew to 0s.
Gawd - these exception messages are hard to read -
@brockallen it seems to happen in the AuthorizeResponseInteractionGenerator line 160
// check current idp
var currentIdp = request.Subject.GetIdentityProvider();
The question is - why is there no idp claim?!
@atpyk can you pull in the latest quickstart UI - especially the diagnostics controller and view
https://github.com/IdentityServer/IdentityServer4.Quickstart.UI
Then navigate to /diagnostics and inspect the contents of the authentication cookie - is there an idp claim? If no - how do you issue the authentication cookie?
@atpyk can you pull in the latest quickstart UI - especially the diagnostics controller and view
Yes, please do this. If you can't help us reproduce this, then we won't be able to fix it.
Okay, I will try it.
But I have a question about the logic of cookie validation. If there is no idp claim in the cookie, why do you throw an exception instead of redirecting to the login page directly? If the cookie has lost some info, issuing a new one makes sense, I think.
This is the info shown on the diagnostics page when I sign in successfully. The idp is 'local'.
Authentication cookie
Claims:
  sub: 10e53c52-ae5f-4f11-98e5-23917662cc66
  name: kirsten1
  auth_time: 1513563373
  AspNet.Identity.SecurityStamp: 841a873b-f357-43b6-a048-9ff62da4a2e5
  role: Parent
  idp: local
  amr: pwd
Properties:
  session_id: 8b0456398b6e7bd7c2f410280d4c1ddf
  .issued: Mon, 18 Dec 2017 02:16:13 GMT
  .expires: Mon, 01 Jan 2018 02:16:13 GMT
  client_list: WyJncmFwZXNlZWQucGFyZW50LndlYiJd
The following is the info shown on the diagnostics page when the exception happened. There is no idp claim.
Authentication cookie
Claims:
  sub: 10e53c52-ae5f-4f11-98e5-23917662cc66
  name: kirsten1
  AspNet.Identity.SecurityStamp: 841a873b-f357-43b6-a048-9ff62da4a2e5
  role: Parent
Properties:
  session_id: 8b0456398b6e7bd7c2f410280d4c1ddf
  .issued: Mon, 18 Dec 2017 02:57:59 GMT
  .expires: Mon, 01 Jan 2018 02:57:59 GMT
  client_list: WyJncmFwZXNlZWQucGFyZW50LndlYiJd
I use the oidc-client-js, not the Microsoft oidc.
I've verified this issue using the Microsoft oidc; no issue is raised there.
But once I manually delete the cookie generated by the Microsoft MvcClient (the cookie's default name is ".AspNetCore.Cookies"), wait for several minutes, and then refresh the page, the same exception happens.
I've debugged the IdSvr code; the version is 2.0.4.
DefaultUserSession -> AuthenticateAsync -> line 82:
var result = await handler.AuthenticateAsync();
This method does not return the idp claim.
The size of the "Identity.Application" cookie changed from 784 bytes to 699 bytes.
Who modifies the cookie?
Are you configuring SecurityStampValidatorOptions in any way?
Can you show your entire ConfigureServices from _Startup.cs_?
My suspicion is that somehow ASP.NET Identity is issuing a new cookie and dropping the important claims. And I think it's related to OnRefreshingPrincipal event.
I added the code from your IdentityServer4.AspNetIdentity:
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Registered in ConfigureServices: run the callback whenever the security stamp
// validator rebuilds the cookie principal.
builder.Services.Configure<SecurityStampValidatorOptions>(opts =>
{
    opts.OnRefreshingPrincipal = SecurityStampValidatorCallback.UpdatePrincipal;
});

public static class SecurityStampValidatorCallback
{
    // Carry over claims from the current cookie principal (e.g. idp, amr, auth_time)
    // whose types the freshly built principal does not contain.
    public static Task UpdatePrincipal(SecurityStampRefreshingPrincipalContext context)
    {
        var newClaimTypes = context.NewPrincipal.Claims.Select(x => x.Type).ToArray();
        var currentClaimsToKeep = context.CurrentPrincipal.Claims.Where(x => !newClaimTypes.Contains(x.Type)).ToArray();
        var id = context.NewPrincipal.Identities.First();
        id.AddClaims(currentClaimsToKeep);
        return Task.FromResult(0);
    }
}
The issue is fixed.
Many thanks! @brockallen & @leastprivilege
👍
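As an added illustration (not code from this thread or from IdentityServer4 itself), the following stand-alone program simulates what the diagnostics output above shows: ASP.NET Identity's security-stamp refresh rebuilds the cookie principal from the user store, so idp, amr and auth_time vanish unless they are carried over from the current principal. It applies the same merge the UpdatePrincipal callback performs, and adds a check a defender would want at refresh time: verifying that the merged principal still carries the claims IdentityServer needs, so a gap is reported where it is introduced rather than as "idp claim is missing" on the next authorize request. It uses only System.Security.Claims; in the real callback the two principals are context.CurrentPrincipal and context.NewPrincipal, and the claim values below are constructed samples modelled on the thread's diagnostics output.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class CookiePrincipalMerge
{
    // Claims IdentityServer expects on the authentication cookie but which ASP.NET
    // Identity's user-claims factory does not produce (it only knows the user store).
    static readonly string[] IdentityServerClaims = { "idp", "amr", "auth_time" };

    // Same logic as the thread's UpdatePrincipal: keep every claim of the current
    // (cookie) principal whose type the freshly built principal does not carry.
    public static ClaimsPrincipal Merge(ClaimsPrincipal current, ClaimsPrincipal fresh)
    {
        var newTypes = new HashSet<string>(fresh.Claims.Select(c => c.Type));
        var keep = current.Claims.Where(c => !newTypes.Contains(c.Type)).ToArray();
        var id = fresh.Identities.First();
        id.AddClaims(keep);
        return fresh;
    }

    // Defensive check: report which IdentityServer claims the principal lacks, so the
    // callback can log or fail at refresh time instead of on the next authorize request.
    public static IReadOnlyList<string> MissingIdentityServerClaims(ClaimsPrincipal p) =>
        IdentityServerClaims.Where(t => !p.HasClaim(c => c.Type == t)).ToList();

    static ClaimsPrincipal Principal(string authType, params (string Type, string Value)[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            claims.Select(c => new Claim(c.Type, c.Value)), authType));

    static void Main()
    {
        // Constructed sample: the cookie as issued at login (idp/amr/auth_time present).
        var cookiePrincipal = Principal("Identity.Application",
            ("sub", "10e53c52-ae5f-4f11-98e5-23917662cc66"),
            ("name", "kirsten1"),
            ("auth_time", "1513563373"),
            ("AspNet.Identity.SecurityStamp", "841a873b-f357-43b6-a048-9ff62da4a2e5"),
            ("role", "Parent"),
            ("idp", "local"),
            ("amr", "pwd"));

        // Constructed sample: what the security-stamp refresh rebuilds from the user store.
        var refreshedPrincipal = Principal("Identity.Application",
            ("sub", "10e53c52-ae5f-4f11-98e5-23917662cc66"),
            ("name", "kirsten1"),
            ("AspNet.Identity.SecurityStamp", "841a873b-f357-43b6-a048-9ff62da4a2e5"),
            ("role", "Parent"));

        Console.WriteLine("Before merge, missing: " +
            string.Join(", ", MissingIdentityServerClaims(refreshedPrincipal)));

        var merged = Merge(cookiePrincipal, refreshedPrincipal);
        var missing = MissingIdentityServerClaims(merged);
        Console.WriteLine(missing.Count == 0
            ? "After merge: idp=" + merged.FindFirst("idp")?.Value
            : "After merge, still missing: " + string.Join(", ", missing));
    }
}
```

Note that Merge copies only claims whose type is absent from the refreshed principal, so claims the user store does produce (name, role, the security stamp) are taken from the fresh principal and stay authoritative; only the session-scoped claims IdentityServer added at login are carried over.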
Glad to hear you figured it out.
@atpyk, sorry for my limits, but I'm into this issue too. Can you explain in more detail what you have done to solve this problem?
Many thanks
Just as a follow-on note here about this issue. This error happens when you don't have the main authentication cookie scheme set as the default sign-in scheme in ASP.NET Core. This is usually the case when you use ASP.NET Identity, because it internally sets the sign-in scheme to be the external authentication cookie scheme.
I happened to see a claim (client_Id) that is in the token missing from IIdentity. Then I found it's because the default authentication scheme is cookies and the data is read from the cookie. After I set
[Authorize(AuthenticationSchemes = "Bearer", Policy = "RequiredPolicy")]
I see all the claims from the access_token.
Sounds a bit silly but I hope it helps someone falling into the same trap.