Identityserver4: Getting Correlation Failure whenever returning from authorizing against an external provider

Created on 28 Feb 2018 · 10 Comments · Source: IdentityServer/IdentityServer4

I am attempting to set up external authorization against OpenID endpoints for Azure AD B2C and IDPee. In both cases I can navigate to the appropriate login pages from the Identity Server login page, but on return I get Correlation Failure.

I've tried various googled suggestions to fix the issue but none will so wasn't sure what to try next or if it was a bug.

This is a sample of the B2C registration I am using

            .AddOpenIdConnect("AADB2C", "AAD B2C (adrian.test)", options =>
            {
                options.MetadataAddress = String.Format(aadInstance, aadTenant, aadDefaultPolicy);
                options.ClientId = aadClientId;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name"
                };

                options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(1020);
            });

and this is the main setup

        services.AddIdentityServer()
            .AddCertificateFromFile()
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddCustomUserStore();

This is the relevant bit from the IS server log. When logging in using a local login against my custom user store everything succeeds and is working correctly. It is only the process of logging in against an external provider that is causing issues.

Hopefully someone can suggest something to resolve this correlation error. I have already tried a number of googled suggestions including setting the SignInScheme with no luck.

    2018-02-28 15:35:10.677 +00:00 [INF] AuthenticationScheme: AADB2C was challenged.
    2018-02-28 15:35:13.010 +00:00 [WRN] .AspNetCore.Correlation. state property not found.
    2018-02-28 15:35:13.011 +00:00 [INF] Error from RemoteAuthentication: Correlation failed..
    2018-02-28 15:35:13.013 +00:00 [ERR] An unhandled exception has occurred while executing the request
    System.Exception: Correlation failed.
    at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.d__6.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.d__7.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at IdentityServer4.Hosting.BaseUrlMiddleware.d__3.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.d__7.MoveNext()

All 10 comments

This is really a question for Microsoft since it is their authentication handler. But I have seen similar problems when you have more than one OIDC handler in DI and you don't set a unique callback path for each of them.

Thanks. I removed all but 1 provider and still get a correlation error.

Is there an easy way to setup IdentityServer to support a different callback path for each provider. Currently it is just set to Login2/signin-oidc. Login2 is where Identity Server is hosted.

That's not an IdentityServer configuration - it's all done in the authentication handler.

Try setting up your handler in a plain asp.net core app without IdentityServer - once this is working, copy it over.

Is there any update or some related issue? I'm getting the same problem.

I am having the same error: ".AspNetCore.Correlation. state property not found". It does not happen all the time, but when it does none of our customers can log in and the page is stuck at "/signin-oidc". The only way out is to recycle the app pool. We do not have multiple OIDC handlers configured.

I have noticed that the version of the OIDC middleware has been upgraded to 2.0.3, so it might be worth trying that approach to see if it fixes the intermittent errors.

Hey, is there any update on the issue yet? We are facing the same problem.

Same here, any update?

@frankyvij @Leanwit @adrian-heath @OscarCanek Does anyone have a solution? I have the same problem.

Hi @shomlings.
Yes, I resolved my problem. You can check my specific problem and how I resolved it in https://github.com/okta/okta-sdk-dotnet/issues/206.

"My site in stage environment it's a http site but resolve https in amazon web server so okta has got http request uri when it's a https externally."

I hope it helps

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
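
Added example, not code from the thread or from the IdentityServer project: a plain ASP.NET Core 2.x `Startup` (no IdentityServer, as suggested above for isolating the handler) showing the two points raised in the comments, a unique `CallbackPath` for each OpenID Connect handler and forwarded-header handling for a site that is HTTP internally but HTTPS externally. The authorities, client ids, the second scheme name and the callback paths are placeholder assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Behind a TLS-terminating proxy the app sees plain http. Honouring
        // X-Forwarded-Proto makes the generated redirect_uri and the Secure
        // correlation cookie match the external https URL.
        services.Configure<ForwardedHeadersOptions>(o =>
        {
            o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Only loopback proxies are trusted by default; add the real proxy
            // to o.KnownProxies or o.KnownNetworks instead of clearing the lists.
        });

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie()
            .AddOpenIdConnect("AADB2C", "AAD B2C", options =>
            {
                options.Authority = "https://idp-one.example/";   // placeholder
                options.ClientId = "client-id-one";               // placeholder
                // Each handler needs its own callback path; two handlers on the
                // default /signin-oidc compete for the same response.
                options.CallbackPath = "/signin-oidc-aadb2c";
            })
            .AddOpenIdConnect("IDP2", "Second provider", options =>
            {
                options.Authority = "https://idp-two.example/";   // placeholder
                options.ClientId = "client-id-two";               // placeholder
                options.CallbackPath = "/signin-oidc-idp2";
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication so the handlers see the external scheme.
        app.UseForwardedHeaders();
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

Each callback path also has to be registered as a redirect URI with the corresponding provider. The correlation cookie is the handler's protection against forged login responses, so the check itself stays enabled.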
