Unclear how to catch "System.Exception: Correlation failed." and prevent HTTP 500
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
This appears to be an issue with ASP.NET RemoteAuthenticationHandler. When this exception is thrown due to this line in the OpenIdConnectHandler ("Correlation failed."), we end up returning an HTTP 500 error because that exception is not caught. It's not obvious how it can be caught.
Expected Behavior
We expect there to be some way to catch that exception so we can redirect to an error page rather than returning an HTTP 500. We're interested in what the recommended ASP.NET approach is for catching and handling this particular exception.
Steps To Reproduce
Unclear. We suspect our users are hitting the back/forward button on our login page or otherwise allowing the cookie to time out, then trying to log in, which causes the "Correlation failed." exception.
Exceptions (if any)
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Correlation failed.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 52
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 48
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 28
at <... our code from here on>
.NET Version
6.0.403
Anything else?
- Package versions:
  - Microsoft.AspNetCore.Authentication.OpenIdConnect version 6.0.8
- Possibly relevant discussions that other people have had around the same issue circa 2018 with workarounds:
  - https://github.com/IdentityServer/IdentityServer4/issues/720
  - https://github.com/aspnet/Security/issues/1755
Triage: Although unrelated to the issue, we discussed making a strongly-typed Exception type to be returned from the codepath identified above. This would allow end-users to catch this specific exception type in middlewares.
Unfortunately, to work around this at the moment, you'd have to add some additional logic to unwrap the target exception in your own middleware to redirect to an error page.
We think it's a good idea to create a more specific exception type though. Would you be interested in submitting an API proposal to add the new Exception type?
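The workaround described in the triage comment, as an added example that is not part of the original thread or the ASP.NET Core code base: a middleware that walks the `InnerException` chain for the "Correlation failed." message and redirects to a fixed error page. The class name `CorrelationFailureMiddleware` and the path `/login-expired` are hypothetical; the correlation check itself stays in force, only the response the user sees changes.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public sealed class CorrelationFailureMiddleware
{
    // Hypothetical fixed local path. It must allow anonymous access so the
    // redirect does not trigger a new challenge and a redirect loop.
    private const string ErrorPath = "/login-expired";

    private readonly RequestDelegate _next;
    private readonly ILogger<CorrelationFailureMiddleware> _logger;

    public CorrelationFailureMiddleware(RequestDelegate next,
        ILogger<CorrelationFailureMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        try
        {
            await _next(context);
        }
        catch (Exception ex) when (IsCorrelationFailure(ex) && !context.Response.HasStarted)
        {
            // Keep the event visible to monitoring instead of swallowing it.
            _logger.LogWarning(ex, "Remote login callback rejected on {Path}", context.Request.Path);
            context.Response.Redirect(ErrorPath);
        }
    }

    // The handler wraps the cause in "An error was encountered while handling
    // the remote login.", so the match has to look at inner exceptions too.
    private static bool IsCorrelationFailure(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
        {
            if (e.Message == "Correlation failed.") return true;
        }
        return false;
    }
}

// Register ahead of the middleware that runs the remote handler, for example:
//   app.UseMiddleware<CorrelationFailureMiddleware>();
//   app.UseAuthentication();
```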
Thanks for contacting us.
We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s).
If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.
We recently upgraded our application from ASP.NET Core 2.2 to .NET 6 and we are facing the same issue. We are getting "ERR_TOO_MANY_REDIRECTS"; the only exception we see in our logging is the following. As @MostlyArmless stated, we also think the users are hitting the back/forward button on our login page or one of the cookies is missing.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Correlation failed.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
Confirmed this can be reliably reproduced by waiting on the IdP's login page (e.g. "sign in with google", see image below) for >15 minutes and then trying to complete the login. You can follow this suggestion to decrease the remote authentication timeout to 10 seconds for testing purposes.

This is indeed a very annoying issue for us since it gives a very bad user experience in these cases. It is the cause of https://github.com/DuendeSoftware/Support/issues/146. It can be reproduced by waiting e.g. 30 minutes on the login page or navigating back.
It would help a lot if it was a typed Exception. We can then handle it in the middleware or like this by checking the type instead of the exception description:
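```csharp
// Fragment: continues an AddAuthentication() builder chain.
.AddOpenIdConnect("oidc", options =>
{
    // ... (other options elided in the original post)
    options.Events = new OpenIdConnectEvents()
    {
        OnRemoteFailure = (ctx) =>
        {
            // ctx.Failure is the underlying failure, before the handler wraps it.
            if (ctx.Failure?.Message == "Correlation failed.")
            {
                ctx.Response.Redirect("/yourpage");
                ctx.HandleResponse(); // marks the failure as handled so the handler does not throw
            }
            return Task.CompletedTask;
        },
    };
});
```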
It's an annoying exception that we don't have a good way to catch in our middleware. Many thanks to those who are working on it.
Any updates on this? Having the same issue using Blazor Server and Auth0.
Would this be a candidate for “good first issue”? Or is the required API proposal expected to be too complex?
Any update on this issue?
This has been fixed as part of https://github.com/dotnet/aspnetcore/pull/47873