Identityserver4: External OpenIdConnect providers don't work with ASP.NET Identity

Created on 22 Feb 2019 · 4 Comments · Source: IdentityServer/IdentityServer4

Issue / Steps to reproduce the problem

Start with QuickStart 8_AspNetIdentity. Add the following:

                .AddOpenIdConnect("oidc", "OpenID Connect", options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
                    options.Authority = "https://demo.identityserver.io/";
                    options.ClientId = "implicit";
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        NameClaimType = "name",
                        RoleClaimType = "role"
                    };
                });

Run IdentityServerAspNetIdentity and JavaScriptClient, click login, then click the OpenID Connect button to log in via the demo site, input bob/bob as username/password and select yes to all the prompts.

Callback fails.

Relevant parts of the log file

2019-02-22 09:49:51.137 -06:00 [DBG] Start authorize request
2019-02-22 09:49:51.138 -06:00 [DBG] No user present in authorize request
2019-02-22 09:49:51.138 -06:00 [DBG] Start authorize request protocol validation
2019-02-22 09:49:51.139 -06:00 [DBG] client configuration validation for client js succeeded.
2019-02-22 09:49:51.139 -06:00 [DBG] Checking for PKCE parameters
2019-02-22 09:49:51.139 -06:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-02-22 09:49:51.139 -06:00 [INF] ValidatedAuthorizeRequest
{"ClientId":"js","ClientName":"JavaScript Client","RedirectUri":"http://localhost:5003/callback.html","AllowedRedirectUris":["http://localhost:5003/callback.html"],"SubjectId":"anonymous","ResponseType":"code","ResponseMode":"query","GrantType":"authorization_code","RequestedScopes":"openid profile api1","State":"5f749b7ac07b44f1ae24221f05f2ddd5","UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":null,"MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"js","redirect_uri":"http://localhost:5003/callback.html","response_type":"code","scope":"openid profile api1","state":"5f749b7ac07b44f1ae24221f05f2ddd5","code_challenge":"JuGTqZfodiLn32mwI-92e5J8UK_tncEJTjKU-CJlQqY","code_challenge_method":"S256"},"$type":"AuthorizeRequestValidationLog"}
2019-02-22 09:49:51.139 -06:00 [INF] Showing login: User is not authenticated
2019-02-22 09:49:51.163 -06:00 [DBG] Start authorize request protocol validation
2019-02-22 09:49:51.163 -06:00 [DBG] client configuration validation for client js succeeded.
2019-02-22 09:49:51.164 -06:00 [DBG] Checking for PKCE parameters
2019-02-22 09:49:51.164 -06:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-02-22 09:49:51.169 -06:00 [DBG] client configuration validation for client js succeeded.
2019-02-22 09:49:54.564 -06:00 [INF] AuthenticationScheme: oidc was challenged.
2019-02-22 09:50:06.252 -06:00 [DBG] CORS request made for path: /signin-oidc from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
2019-02-22 09:50:06.281 -06:00 [INF] AuthenticationScheme: idsrv.external signed in.
2019-02-22 09:50:06.339 -06:00 [ERR] An unhandled exception has occurred while executing the request.
System.Exception: External authentication error
   at Host.Quickstart.Account.ExternalController.Callback() in D:\Dev\8_AspNetIdentity\src\IdentityServerAspNetIdentity\Quickstart\Account\ExternalController.cs:line 96
   at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
   at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in C:\local\identity\server4\IdentityServer4\src\Hosting\IdentityServerMiddleware.cs:line 72
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
   at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\Hosting\BaseUrlMiddleware.cs:line 36
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Label: question


All 4 comments

                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

I'm going to guess that's the wrong scheme.

You are, of course, right. I've got it working now. Thanks for the help.

I've looked over the docs again, but I can't seem to find something that explains why when not using ASP.NET Identity you would use the IdentityServer4 ExternalCookieAuthenticationScheme but when you are using ASP.NET Identity you should use the ASP.NET Identity ExternalScheme.

Is it just when you aren't using ASP.NET Identity there isn't a scheme already present so you have to use the one defined by IdentityServer4, but if you are you can just use the built in one?

I'm still trying to wrap my head around this and want to make sure I'm not missing something.

Thanks again!

I've looked over the docs again, but I can't seem to find something that explains why when not using ASP.NET Identity you would use the IdentityServer4 ExternalCookieAuthenticationScheme but when you are using ASP.NET Identity you should use the ASP.NET Identity ExternalScheme.

Because IdentityServer registers an external cookie for convenience. If you're also using ASP.NET Identity they do their own as well.
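The scheme mismatch the thread describes, as an added example that is not code from the issue, the quickstart or the IdentityServer4 project: the OIDC handler's SignInScheme set to IdentityServer's external cookie (the line from the issue) beside the ASP.NET Identity external scheme that the callback actually reads. The ExternalOidcSetup class, AddDemoOidcProvider method and ExternalCallbackController are hypothetical names; it assumes AddIdentity is registered as in the 8_AspNetIdentity quickstart and uses the authority and client id from the issue.

```csharp
using System;
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ExternalOidcSetup
{
    // The scheme the external handler signs into and the scheme the callback
    // reads must be the same cookie. With ASP.NET Identity (AddIdentity)
    // registered, that is Identity's external cookie, not IdentityServer's.
    public static readonly string ExternalScheme = IdentityConstants.ExternalScheme;

    public static AuthenticationBuilder AddDemoOidcProvider(this AuthenticationBuilder builder)
    {
        return builder.AddOpenIdConnect("oidc", "OpenID Connect", options =>
        {
            // Misconfigured, as posted in the issue: signs into IdentityServer's own
            // external cookie, which the ASP.NET Identity quickstart callback never reads.
            // options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.SignInScheme = ExternalScheme; // corrected: ASP.NET Identity's external scheme
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;
            options.Authority = "https://demo.identityserver.io/";
            options.ClientId = "implicit";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role"
            };
        });
    }
}

// Hypothetical callback: authenticates against the same scheme and names it in
// the failure, so a scheme mismatch is diagnosable from the log instead of a bare error.
public class ExternalCallbackController : Controller
{
    [HttpGet("/external/callback")]
    public async Task<IActionResult> Callback()
    {
        var result = await HttpContext.AuthenticateAsync(ExternalOidcSetup.ExternalScheme);
        if (result?.Succeeded != true)
            throw new Exception($"External authentication error: no principal in scheme '{ExternalOidcSetup.ExternalScheme}'");
        // Continue with the quickstart's user provisioning and local sign-in here.
        return Redirect("~/");
    }
}
```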
