
OpenIdConnectProtocolValidator cannot validate state

Open DevJasperNL opened this issue 1 year ago • 4 comments

We are currently in the process of hardening our OIDC implementation. As part of this, we want state to be validated.

However, after enabling RequireState and RequireStateValidation, we get an exception: Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidStateException: 'IDX21329: RequireState is 'True' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.'

After further investigation, I see that inside the OpenIdConnectProtocolValidator, OpenIdConnectProtocolValidationContext.State remains null.

When looking into where this is created, it seems that State is never set on this context: https://github.com/aspnet/AspNetKatana/blob/ab378cfef173dd88c513fc037dec34c6e96b0178/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L390

DevJasperNL avatar Nov 28 '23 10:11 DevJasperNL
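
The check described in the report above can be exercised against the validator directly, outside the Katana handler. This is an added example, not code from the issue or from the AspNetKatana project; it assumes a reference to the Microsoft.IdentityModel.Protocols.OpenIdConnect package, and the class name, client id, code and state values are constructed for illustration.

```csharp
using System;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

class StateValidationDemo
{
    // Validates a code-only authorization response and reports the outcome.
    // expectedState: the value the client generated for the authorization request.
    // returnedState: the value that came back in the response.
    static string Check(string expectedState, string returnedState)
    {
        var validator = new OpenIdConnectProtocolValidator
        {
            RequireState = true,
            RequireStateValidation = true
        };

        var context = new OpenIdConnectProtocolValidationContext
        {
            ClientId = "constructed-client-id",
            ProtocolMessage = new OpenIdConnectMessage
            {
                Code = "constructed-authorization-code",
                State = returnedState
            },
            // The validator compares this against ProtocolMessage.State.
            // The issue reports that the Katana handler never sets it.
            State = expectedState
        };

        try
        {
            validator.ValidateAuthenticationResponse(context);
            return "accepted";
        }
        catch (OpenIdConnectProtocolInvalidStateException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        const string sent = "constructed-state-1f3a";
        Console.WriteLine(Check(null, sent));          // context.State left null, the case in the issue
        Console.WriteLine(Check(sent, sent));          // response state equals the value sent
        Console.WriteLine(Check(sent, "other-state")); // response state differs from the value sent
    }
}
```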

Related ASPNETCORE issue: https://github.com/dotnet/aspnetcore/issues/52400

DevJasperNL avatar Nov 28 '23 10:11 DevJasperNL

I also need to know how to leverage the state, is there any update or expected timeline on this?

Rora avatar Dec 11 '23 10:12 Rora

I am facing the same issue. Can anyone please give an update on this?

RickvF avatar Jan 17 '24 08:01 RickvF

This product is in maintenance mode, feature updates aren't expected. If someone would like to submit a PR then we can at least get this into the nightly builds.

Tratcher avatar Jan 17 '24 20:01 Tratcher