aspnetcore icon indicating copy to clipboard operation
aspnetcore copied to clipboard

Published 20 hours ago verified publisher icon dotnet

59462 OIDC par failure

Open bigred8982 opened this issue 6 months ago • 4 comments

Add OIDC event to allow caller to react to OIDC PAR failure during challenge phase

Description

Add new OIDC OnPushAuthorizationFailed, new context for this event, logic to fire event, tests.

Problem

When a validation failure occurs during a PAR request (ex. the request includes an invalid client_id), an OpenIdConnectProtocolException is thrown. This exception bubbles up as an unhandled middleware exception.

Please see issue #59462 for slightly more details.

Goal

We need to give the application the ability to handle the response when a PAR request fails during the challenge phase. Since an exception during the challenge phase bubbles up as a middleware exception, it is difficult for the application to respond. By including a specific OIDC event, the application has the opportunity to redirect the browser to a user-friendly error page.

Example of a web app utilizing this new feature

builder.Services.AddAuthentication(...)
  .AddOpenIdConnect("oidc", options => 
  {
    ...
    options.Events.OnPushAuthorizationFailed = (ctx) => {
        var logger = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
        logger.LogError(ctx.Exception, "Received error while sending PAR request.");
        
        ctx.Response.Redirect("FriendlyErrorPage");
        ctx.Handled = true;
        return Task.CompletedTask;
    };
  });

Fixes #59462

bigred8982 avatar May 14 '25 22:05 bigred8982

@dotnet-policy-service agree company="Tyler Technologies"

bigred8982 avatar May 14 '25 22:05 bigred8982

Would love feedback from @josephdecock

Also, I'm not sure if this should go into main, but I'd like to see it show up in at least the 10.0 release (it's probably too late to get it into 9).

bigred8982 avatar May 14 '25 22:05 bigred8982

If there anything else I need to do process-wise to make this PR ready for review, please let me know. This is my first contribution and I might have accidentally missed a step.

bigred8982 avatar May 22 '25 21:05 bigred8982

/azp run

bigred8982 avatar Jun 24 '25 21:06 bigred8982

Commenter does not have sufficient privileges for PR 61947 in repo dotnet/aspnetcore

azure-pipelines[bot] avatar Jun 24 '25 21:06 azure-pipelines[bot]

Sorry for a hugely delayed response on this thread!

I really like this idea and the PR. It's good that if the error isn't handled, the exception still bubbles up, but if you want to handle it you can. I think this approach of a separate event for pushed authorization is also the best thing to do, because the existing AuthenticationFailed event would happen at a very different point in the protocol interaction. All in all, I think this is a great improvement, and I hope it lands in .NET 10.

josephdecock avatar Sep 04 '25 03:09 josephdecock

@halter73 Got feedback and a thumbs up from an expert! Is there anything I can do on my end to help get this through?

bigred8982 avatar Sep 04 '25 14:09 bigred8982