This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Proper handling of the [OpenIdConnectProtocolInvalidNonceException: IDX10316] #1346

Closed
balbelias opened this issue May 11, 2015 · 12 comments

@balbelias

I wonder how to properly handle the mentioned exception. It's caused by an expired nonce. At present all pages on my site are only for authenticated users, so when a user opens the site he is instantly redirected to idsrv. And sometimes he stays on the login page for more than an hour (the default lifetime for the nonce). Then the exception shows with a page that is not user-friendly. The only way out for the user is to close the tab and open it again; a page refresh does not help.

For now I just set nonce lifetime to 24 hours but I wonder if there is a better solution.

I have also tried catching it in the OpenIdConnectAuthenticationNotifications.AuthenticationFailed handler and redirecting the user to an error page. But there the next trouble appears. In spite of the fact that the mentioned handler executes, the user seems to be logged in.

I'm attaching a Fiddler trace of the described behaviour, if you need it.
https://www.dropbox.com/s/lf7mkgz56rp2kso/trace.saz?dl=0

Thanks in advance.

@leastprivilege
Member

Microsoft issue.

@balbelias
Author

Ok, thanks for the response. I have submitted an issue to their tracker.
https://katanaproject.codeplex.com/workitem/408

@firasr

firasr commented Mar 21, 2016

@balbelias how did you set nonce lifetime to 24 hours?

@balbelias
Author

@firasr, in your Startup.cs use the following line of code:
    options.ProtocolValidator.NonceLifetime = new TimeSpan(1, 0, 0, 0);
where options is the OpenIdConnectAuthenticationOptions instance.

@firasr

firasr commented Mar 22, 2016

Where should that options object come from?
On Mar 22, 2016 8:05 PM, "Ilya" notifications@github.com wrote:

In your Startup.cs use next line of code:
options.ProtocolValidator.NonceLifetime = new TimeSpan(1, 0, 0, 0);
Where "options" is OpenIdConnectAuthenticationOptions



@danutzplusplus

danutzplusplus commented Apr 16, 2016

I guess this issue is still alive in the Microsoft implementation of the OpenID middleware?
I see no change on the proposed issue, and it still throws the expired exception, and on a reload of the client it goes back to the IdServer, whose session was set up even though the client's was not, and returns to the client and works fine.

Any ideas on vulnerabilities caused by extending the nonce lifetime beyond the 1 hour default?
Or any other suggestion on how to handle this on the client? I've seen an idea of catching the invalid nonce exception, and just doing a reload to the root path of the client (which will dance the request back to the idserver and back to the client), but that just seems like an ugly hack of a solution. Any thoughts on that?

Thanks.

EDIT:

@jirikavi

I handle it in the Global.asax.cs file:

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception exception = Server.GetLastError();
        // IDX10316 is the error code carried by OpenIdConnectProtocolInvalidNonceException for an expired nonce
        if (exception.Message.StartsWith("IDX10316"))
        {
            new LoggerObj().LogException(exception, LoggerSource.IdentityServer);
            // Swallow the error and restart the sign-in flow from the root, which obtains a fresh nonce
            Server.ClearError();
            Response.Redirect("/");
        }
    }

@danutzplusplus

Thanks, but that's the solution I was hinting at in my post. I thought somebody else thought about something different.

Seems not. So, that's the one I also went with. With a slight improvement, I think.
I handle this in the AuthenticationFailed notification of the OpenId middleware, not in the global exception handler.

Seems it'll have to do until we get an official improvement (if we even get one).

@tonymowers

@danutzplusplus Could you share your AuthenticationFailed notification handler? I'm not sure how to suppress the exception in the handler.

I am using jirikavi's Application_Error solution, but I'd like to understand how to accomplish something similar in the AuthenticationFailed handler.

@danutzplusplus

Sure. It's something along the lines of:

    AuthenticationFailed = notification =>
    {
        ...
        HandleNOnceExpirationWorkaround(notification);
        ...
    }

where HandleNOnceExpirationWorkaround is:

    private void HandleNOnceExpirationWorkaround(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        var exception = notification.Exception;
        // Only react to the expired-nonce case (IDX10316), not to every protocol failure
        if (exception is OpenIdConnectProtocolInvalidNonceException &&
            exception.Message.Contains("IDX10316"))
        {
            // HandleResponse() tells the middleware the failure has been dealt with, so it does not rethrow
            notification.HandleResponse();
            // Restarting from the root triggers a new challenge and therefore a fresh nonce
            notification.Response.Redirect("/");
        }
    }

Basically, it detects whether an exception of that kind and with that specific error code was caught, and performs a redirect to the root of the domain.
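The full Startup.cs wiring, as an added example that is not from any commenter in this thread: it answers the earlier question of where the options object comes from, and it combines the AuthenticationFailed workaround above with the nonce lifetime setting. The authority, client id and redirect URI values are placeholders; everything else is the Katana OWIN OpenID Connect middleware API.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // This is the "options" object the thread refers to.
        var options = new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example.com",   // placeholder
            ClientId = "my-client-id",                 // placeholder
            RedirectUri = "https://client.example.com/", // placeholder
            ResponseType = "id_token token",
            Scope = "openid profile",

            // Keep the default 1 hour nonce lifetime: a longer window means a captured
            // authorization response stays replayable for that much longer. Recovering
            // from expiry with a fresh challenge (below) avoids the need to extend it.
            ProtocolValidator = new OpenIdConnectProtocolValidator
            {
                RequireNonce = true,
                NonceLifetime = TimeSpan.FromHours(1)
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = n =>
                {
                    // Only the expired-nonce failure (IDX10316) is recoverable by retrying;
                    // any other protocol error still surfaces as an exception.
                    if (n.Exception is OpenIdConnectProtocolInvalidNonceException &&
                        n.Exception.Message.Contains("IDX10316"))
                    {
                        n.HandleResponse();          // stop the middleware from rethrowing
                        n.Response.Redirect("/");    // new challenge => new nonce
                    }
                    return Task.FromResult(0);
                }
            }
        };
        app.UseOpenIdConnectAuthentication(options);
    }
}
```

Because AuthenticationFailed runs before any identity is issued, the redirect leaves the user signed out until the retried challenge completes, unlike the Application_Error approach where the failed response has already reached the ASP.NET pipeline.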

@tonymowers

tonymowers commented Jul 25, 2016

Thanks. The "notification.HandleResponse()" was the missing piece for me.
