Need help with implementing authorization code flow app using .NET Core OpenID Connect Library

[solventusllc]

Can the .NET Core OpenID Connect Library be used with the authorization code flow and Aidbox? I've been struggling for a week to implement it, and can get it to the point I receive the code, but then I get the following error:

SecurityTokenException: Unable to validate the 'id_token', no suitable ISecurityTokenValidator was found for: ''."

Here's the Client setup I'm using:

auth:
authorization_code:
redirect_uri: 'https://localhost:44312/signin-oidc'
secret: verysecret
grant_types:

• code
  id: web-app
  resourceType: Client
  meta:
  lastUpdated: '2021-07-09T14:43:13.826665Z'
  createdAt: '2021-07-09T02:26:10.341542Z'
  versionId: '218'

I'm using pretty much boilerplate code for the authorization code flow in .NET Core. Here's my ConfigureServices method:

public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.AddServerSideBlazor();

        // OpenID Connect configuration
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie()
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://solventustest.aidbox.app";
            options.ClientId = "web-app";
            options.ClientSecret = "verysecret";
            options.ResponseType = "code";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey=false,
                ValidateIssuer = false
            };
            
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            
            options.Events = new OpenIdConnectEvents
            {
                // called if user clicks Cancel during login
                OnAccessDenied = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/");
                    return Task.CompletedTask;
                }
            };
        });        }

This same kind of code works great with IdentityServer, and all the big-name OpenID Connect providers I've tried it with, like Google and Facebook.

[solventusllc]

A bit more information if/when someone can help me on this. I compared (using Fiddler) the successful authorization with identityserver with the unsuccessful authorization with aidbox, and found that upon the exchange of the code for a token, identityserver responds with both an access_token value and an id_token value, whereas aidbox only responds with an access_token. If I change the response_type to "id_token" or "code id_token", which shouldn't be necessary for this flow, aidbox responds with:

{"message":"TODO"}

[carbon-hvze]

Hello, we will implement the fix next week.

Can we schedule a call next week to test it together?

What is your availability?

[solventusllc]

Absolutely, and thanks for the quick action. I'm available most afternoons after 3.

[solventusllc]

Sorry about the delay in getting back to you after our meeting. I've tried the authentication procedure again with the cloud version of Aidbox, and unfortunately, it looks like it's taken a step backwards. I'm now getting the following error after authenticating with Google. [image: image.png] The error code returned according to Fiddler is 422. As discussed, I'll share the code of my basic app for testing OIDC connectivity on GitHub later today. But do you have any ideas about this in the meantime? Best regards, Ken Miller Solventus LLC USA: (305) 349 3493 Canada: (416) 887 8534

…

On Tue, 13 Jul 2021 at 06:02, Zallin ***@***.***> wrote: Hello, we will implement the fix next week. Can we schedule a call next week to test it together? What is your availability? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#398 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANBJ3SRRAIBMA5SU3HQKQI3TXQFMHANCNFSM5AC5B5SA> .

[Nesmeshnoy]

Hi @solventusllc, any chance you could update the pic, you've attached?

[solventusllc]

Do you mean you couldn't see the pic embedded in the email? Here it is as an attachment. It simply says "client_id is required". Ken Miller Solventus LLC USA: (305) 349 3493 Canada: (416) 887 8534

…

On Mon, 26 Jul 2021 at 10:35, Mikhail Kulakov ***@***.***> wrote: Hi @solventusllc <https://github.com/solventusllc>, any chance you could update the pic, you've attached? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#398 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANBJ3SUINL7HETXOWAFNQS3TZVXCJANCNFSM5AC5B5SA> .

[solventusllc]

I noticed I'm getting the same error using the Auth Sandbox with the Authorization Code flow. Perhaps it is a bug introduced in the last update? Ken Miller Solventus LLC www.solventus.com USA: (305) 349 3493 Canada: (416) 887 8534

…

On Mon, 26 Jul 2021 at 12:07, Ken Miller ***@***.***> wrote: Do you mean you couldn't see the pic embedded in the email? Here it is as an attachment. It simply says "client_id is required". Ken Miller Solventus LLC USA: (305) 349 3493 Canada: (416) 887 8534 On Mon, 26 Jul 2021 at 10:35, Mikhail Kulakov ***@***.***> wrote: > Hi @solventusllc <https://github.com/solventusllc>, any chance you could > update the pic, you've attached? > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#398 (comment)>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/ANBJ3SUINL7HETXOWAFNQS3TZVXCJANCNFSM5AC5B5SA> > . >

[Nesmeshnoy]

the update is available on cloud. @solventusllc could you please try again?

[solventusllc]

Thanks very much. No time today, but I'll try over the weekend or early next week at the latest, and report back to you.

…

On Fri, 30 Jul 2021 at 05:24, Mikhail Kulakov ***@***.***> wrote: the update is available on cloud. @solventusllc <https://github.com/solventusllc> could you please try again? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#398 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANBJ3SUPYQIJALPGPL7ITQLT2JVUJANCNFSM5AC5B5SA> .