Proper handling of the [OpenIdConnectProtocolInvalidNonceException: IDX10316] #1346
Comments
Microsoft issue.
Ok, thanks for the response. I have submitted an issue to their tracker.
@balbelias how did you set the nonce lifetime to 24 hours?
@firasr, in your Startup.cs use the following line of code:
Where should that options object come from?
I guess this issue is still alive on the Microsoft implementation of the OpenID middleware? Any ideas on vulnerabilities caused by extending the nonce lifetime beyond the 1 hour default? Thanks. EDIT:
I handle it in the Global.asax.cs file:
Thanks, but that's the solution I was hinting at in my post. I thought somebody else had thought about something different. Seems not. So, that's the one I also went with. With a slight improvement, I think. Seems it'll have to do until we get an official improvement (if we even get one).
@danutzplusplus Could you share your AuthenticationFailed notification handler? I'm not sure how to suppress the exception in the handler. I am using jirikavi's Application_Error solution, but I'd like to understand how to accomplish something similar in the AuthenticationFailed handler.
Sure. It's something along the lines of: AuthenticationFailed = notification => where HandleNOnceExpirationWorkaround is: Basically, it detects whether an exception of that kind and with a certain error code was caught, and performs a redirect to the root domain.
Thanks. The "notification.HandleResponse()" was the missing piece for me.
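The two workarounds discussed in this thread (stretching `NonceLifetime`, and catching the expired-nonce failure in `AuthenticationFailed` and calling `HandleResponse()` before redirecting) put together in one Startup.cs, as an added example that is not code posted by anyone in the thread or shipped by IdentityServer. It targets the OWIN/Katana `Microsoft.Owin.Security.OpenIdConnect` middleware with `Microsoft.IdentityModel.Protocol.Extensions`; the authority, client id, redirect URI and the `MyApp` namespace are placeholders, and the `IDX10316` substring check assumes the exception message carries that error code as the issue title shows.

```csharp
// Added example (not from the thread): Startup.cs for an OWIN/Katana MVC client.
// Authority, ClientId, RedirectUri and the MyApp namespace are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://idsrv.example.com/identity", // placeholder
                ClientId = "mvc-client",                           // placeholder
                RedirectUri = "https://client.example.com/",       // placeholder
                ResponseType = "id_token",
                Scope = "openid profile",

                // Workaround 1 from the thread: raise the nonce lifetime above the
                // one-hour default. The nonce binds the browser that started the
                // sign-in to the id_token that comes back, so a longer lifetime only
                // widens how long that binding stays acceptable; the id_token's own
                // expiry is still validated separately.
                ProtocolValidator = new OpenIdConnectProtocolValidator
                {
                    NonceLifetime = TimeSpan.FromHours(24)
                },

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Workaround 2 from the thread: intercept the expired-nonce
                    // failure and restart the sign-in instead of throwing.
                    AuthenticationFailed = HandleNonceExpirationWorkaround
                }
            });
        }

        private static Task HandleNonceExpirationWorkaround(
            AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            var nonceException = notification.Exception as OpenIdConnectProtocolInvalidNonceException;
            if (nonceException != null && nonceException.Message.Contains("IDX10316"))
            {
                // HandleResponse() tells the middleware that this handler has produced
                // the response, so it stops processing the failed sign-in here. This is
                // the piece the thread identifies as missing when only a redirect is issued.
                notification.HandleResponse();

                // Send the browser back to the site root. Because nothing was signed in,
                // the next request is challenged again and a fresh nonce is issued.
                notification.Response.Redirect("/");
            }

            // Any other failure is left to the middleware's normal error handling.
            return Task.FromResult(0);
        }
    }
}
```

Only the nonce-expiry case is intercepted; other `AuthenticationFailed` causes (signature, issuer or audience failures) are deliberately not suppressed, since redirecting on every failure would hide real token-validation problems.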
I wonder how to properly handle the mentioned exception. It's caused by an expired nonce. At present all pages on my site are only for authenticated users, so when a user opens the site he will be instantly redirected to idsrv. And sometimes he stays on the login page for more than an hour (the default lifetime for the nonce). Then the exception shows with a page that is not user friendly. The only way out for the user is to close the tab and open it again; a page refresh would not help.
For now I have just set the nonce lifetime to 24 hours, but I wonder if there is a better solution.
I have also tried catching it in the OpenIdConnectAuthenticationNotifications.AuthenticationFailed handler and redirecting the user to an error page. But then the next trouble appears. In spite of the fact that the mentioned handler executes, the user seems to be logged in.
I'm attaching a Fiddler trace of the described behaviour, if you need it.
https://www.dropbox.com/s/lf7mkgz56rp2kso/trace.saz?dl=0
Thanks in advance.