.AspNetCore.Correlation. state property not found #1732

Closed
davdev82 opened this Issue Apr 18, 2018 · 19 comments

9 participants
@davdev82

davdev82 commented Apr 18, 2018

I am getting errors (".AspNetCore.Correlation. state property not found") within the OIDC handler. It does not happen all the time, but when it does none of our customers can log in and the page is stuck at "/signin-oidc". The only way out is to recycle the app pool. We do not have multiple OIDC handlers configured.

I have noticed that the version of the OIDC middleware has been upgraded to 2.0.3, so it might be worth trying that to see if it fixes the intermittent errors. But can anyone point out what has been released as part of 2.0.3?

@Tratcher

Member

Tratcher commented Apr 18, 2018

Don't expect any changes here between 2.0 and 2.0.3. It's very suspicious that everybody would get the error at the same time. It might be a data protection error, possibly a bad key rollover. Does anything show up in the application logs?

@davdev82

davdev82 commented Apr 18, 2018

2018-04-11 13:28:23.175 +01:00 [WRN] .AspNetCore.Correlation. state property not found.
2018-04-11 13:28:23.175 +01:00 [INF] Error from RemoteAuthentication: Correlation failed..
2018-04-11 13:28:23.175 +01:00 [ERR] An unhandled exception has occurred: Correlation failed.
System.Exception: Correlation failed.
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Swashbuckle.SwaggerUi.Application.SwaggerUiMiddleware.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Swashbuckle.SwaggerUi.Application.RedirectMiddleware.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Swashbuckle.Swagger.Application.SwaggerMiddleware.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.d__6.MoveNext()

@davdev82

davdev82 commented Apr 18, 2018

Looking at the code of the OpenIdConnectHandler, it seems odd that the unprotect of the AuthenticationProperties from the "state" query param succeeds. I am saying that because in the source code, the check to see if properties == null happens before the check of the CorrelationId within the AuthenticationProperties collection, and it is during this check that the code fails. BUT AuthenticationProperties was unprotected, as it returned a non-null value. If the unprotection had failed, the try/catch handler would have returned default(AuthenticationProperties), which is NULL, and therefore it would have failed before the check of the Correlation param within AuthenticationProperties.

@Tratcher

Member

Tratcher commented Apr 18, 2018

That's odd. Have you customized the OIDC settings at all?

@davdev82

davdev82 commented Apr 18, 2018

I have followed what the documentation says, and the fact is it works. But when it does not, it throws the ASP.NET Core "state property not found" error. There have been other users facing the same issue:

IdentityServer/IdentityServer4#2115

@davdev82

davdev82 commented Apr 18, 2018

I have posted my query there as well, just to see if anyone has an answer.

@davdev82

davdev82 commented Apr 18, 2018

using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Inside Startup.ConfigureServices(IServiceCollection services).
// _configuration is the injected IConfiguration, _environment the injected IHostingEnvironment.
services.AddAuthentication(options =>
    {
        // The cookie carries the signed-in session; OIDC is only used to challenge.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.SlidingExpiration = false;
        options.ExpireTimeSpan = TimeSpan.FromHours(2);
    })
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = _configuration.GetValue<string>("auth:oidc:authority");
        options.ClientId = _configuration.GetValue<string>("auth:oidc:clientId");
        options.ClientSecret = _configuration.GetValue<string>("auth:oidc:clientSecret");
        options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
        // Authorization code flow; tokens are exchanged server-side.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("info");
        options.RequireHttpsMetadata = !_environment.IsDevelopment();
        options.UseTokenLifetime = true;
    });
@Tratcher

Member

Tratcher commented Apr 18, 2018

Ok, no interesting customizations there. I don't have any other ideas at the moment except to hook into the events and add extra logging around the suspect values.

await Events.RedirectToIdentityProvider(redirectContext);

var messageReceivedContext = await RunMessageReceivedEventAsync(authorizationResponse, properties);

That or contacting support next time you have a repro and trying to do some live debugging.
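One way to do the extra logging suggested above, as an added example that is not part of this issue or of ASP.NET Core. It hooks the three OIDC events that bracket the suspect values and, on the callback, attempts the same unprotect the handler is about to perform so the log can tell a key-ring failure apart from a missing correlation cookie. The helper name `OidcDiagnostics.Attach`, the logger parameter, and the `.xsrf` item key (the key under which the 2.x handler stores the correlation id inside the protected state) are assumptions not stated on the page; the `.AspNetCore.Correlation.` cookie prefix is taken from the log line in the thread.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Logging;

// Hypothetical helper (added example, not code from the issue or from ASP.NET Core).
// Call from the AddOpenIdConnect(...) options lambda: OidcDiagnostics.Attach(options, logger);
public static class OidcDiagnostics
{
    // Prefix of the correlation cookie the handler sets before redirecting (from the thread's log line).
    private const string CorrelationCookiePrefix = ".AspNetCore.Correlation.";

    // Key under which the 2.x handler keeps the correlation id inside the protected state.
    // Assumed from the handler's source; not stated on the page.
    private const string CorrelationProperty = ".xsrf";

    public static void Attach(OpenIdConnectOptions options, ILogger logger)
    {
        var events = options.Events ?? new OpenIdConnectEvents();
        options.Events = events;

        events.OnRedirectToIdentityProvider = ctx =>
        {
            // The protected state does not exist yet at this point (it is built after the event),
            // so record the request shape that decides whether the correlation cookie will come back:
            // scheme and host must match what the browser sees, or the cookie is never sent on /signin-oidc.
            logger.LogInformation("OIDC redirect: scheme={Scheme} host={Host} path={Path}",
                ctx.Request.Scheme, ctx.Request.Host.Value, ctx.Request.Path.Value);
            return Task.CompletedTask;
        };

        events.OnMessageReceived = ctx =>
        {
            string state = ctx.ProtocolMessage?.State;
            int correlationCookies = ctx.Request.Cookies.Count(
                c => c.Key.StartsWith(CorrelationCookiePrefix, StringComparison.Ordinal));

            // Same unprotect the handler performs next. SecureDataFormat swallows the
            // CryptographicException and returns null when this instance's key ring cannot decrypt.
            AuthenticationProperties props = string.IsNullOrEmpty(state)
                ? null
                : ctx.Options.StateDataFormat.Unprotect(state);

            string verdict =
                string.IsNullOrEmpty(state) ? "no state in callback" :
                props == null ? "state cannot be unprotected (data protection key mismatch?)" :
                !props.Items.ContainsKey(CorrelationProperty) ? "state readable but has no correlation id" :
                correlationCookies == 0 ? "state ok but correlation cookie missing (proxy/scheme/domain?)" :
                "state and correlation cookie both present";

            logger.LogInformation("OIDC callback: host={Host} scheme={Scheme} correlationCookies={Count} verdict={Verdict}",
                ctx.Request.Host.Value, ctx.Request.Scheme, correlationCookies, verdict);
            return Task.CompletedTask;
        };

        events.OnRemoteFailure = ctx =>
        {
            // Surfaces the "Correlation failed." exception with the path it happened on.
            logger.LogWarning(ctx.Failure, "OIDC remote failure on {Path}", ctx.Request.Path.Value);
            return Task.CompletedTask;
        };
    }
}
```

The verdict string is the point of the example: a null result from `StateDataFormat.Unprotect` on the callback points at the data protection key ring (different keys between encryption and decryption), whereas readable state with zero `.AspNetCore.Correlation.*` cookies points at the browser never sending the cookie back, which is what a reverse proxy that rewrites scheme or host produces. Only log whether the state was readable, never the state value itself, since it carries the return URL and correlation secret.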

@davdev82

davdev82 commented Apr 19, 2018

Well, adding the logging to RedirectToIdentityProvider will not help, as the culprit here is the "State", but that is not passed in when the event is raised. The state is calculated and protected after the Redirect event is raised, so logging a before and after value for "State" cannot be done.

@frankyvij

frankyvij commented May 4, 2018

Hey, did you manage to solve the issue? I have the same problem. The authentication with Microsoft OpenId was working fine, but all of a sudden, it stopped working. I did not update any library (using the same version 2.0.3).

Following is the error I get:
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: .AspNetCore.Correlation. state property not found.

@sathiathirumal

sathiathirumal commented May 11, 2018

Are you all running behind a reverse proxy perhaps? I have been hitting the "Correlation failed" exception during the OIDC auth challenge as well, BUT only when running behind Azure Application Gateway. One more sign: when running in Incognito browser mode AND behind Azure App Gateway, it's a 100% repro.

@muratg muratg added this to the Discussions milestone May 17, 2018

@gianibob82

gianibob82 commented May 25, 2018

I'm using AWS Cognito as OpenId and I'm having the same problem. It works fine when debugging using IIS Express but when I deploy to AWS API Gateway I get the error. Probably @sathiathirumal is on the right track but I can't find any solution for now...

@KevinDockx

KevinDockx commented Jun 1, 2018

In case anyone runs into this issue: we had the exact same problem, turned out it had to do with the data protection APIs. I detailed it on my blog (https://www.kevindockx.com/solving-correlation-failed-state-property-not-found-errors-openid-connect-middleware-asp-net-core/), but to summarize: the OIDC middleware uses the data protection APIs to encrypt/decrypt state. When decryption fails, state is null, thus resulting in a Correlation failed: state not found error. In our case, decryption failed because different keys were used for encryption/decryption, a pretty common problem when deploying behind a load balancer. The solution was to use a shared key store.
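The key-ring mismatch described above, reproduced as an added example that is not code from this issue, from ASP.NET Core or from the linked blog post. A console program builds two isolated data protection key rings standing in for two load-balanced instances, shows that state protected by one cannot be unprotected by the other, and then shows the shared key store that fixes it; a second method shows the matching `Startup` registration. Assumptions: the `Microsoft.AspNetCore.DataProtection.Extensions` package (for `DataProtectionProvider.Create`), the purpose string, the state payload and the application name are constructed values, and the share path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Added example; not code from the issue, ASP.NET Core or the linked blog post.
// Needs the Microsoft.AspNetCore.DataProtection.Extensions package (assumption).
public static class SharedKeyRingDemo
{
    // Constructed purpose string. The OIDC handler derives its own; the principle is identical.
    private const string Purpose = "demo.oidc.state";

    // One app instance with its key ring persisted in keyDirectory.
    private static IDataProtector InstanceProtector(string keyDirectory) =>
        DataProtectionProvider.Create(new DirectoryInfo(keyDirectory)).CreateProtector(Purpose);

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "keyring-demo-" + Guid.NewGuid().ToString("N"));
        string keysA = Path.Combine(root, "instance-a");   // per-instance key ring (the misconfiguration)
        string keysB = Path.Combine(root, "instance-b");
        string keysShared = Path.Combine(root, "shared");  // one key store for all instances (the fix)

        // Constructed stand-in for the serialized AuthenticationProperties the handler protects as "state".
        const string statePayload = "correlationId=constructed-xyz;returnUrl=/";

        // 1. Login starts on instance A, which protects the state with a key only A holds.
        string stateFromA = InstanceProtector(keysA).Protect(statePayload);

        // 2. The callback lands on instance B behind the load balancer. B's ring does not contain A's
        //    key, so Unprotect throws. Inside the handler that exception is swallowed, the state is
        //    treated as unreadable and the login fails on /signin-oidc as reported in this thread.
        try
        {
            InstanceProtector(keysB).Unprotect(stateFromA);
            Console.WriteLine("unexpected: instance B decrypted instance A's state");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("instance B cannot read A's state: " + ex.Message);
        }

        // 3. Both instances persist keys to the same store: whichever instance handles the callback
        //    finds the key and the round trip succeeds.
        string stateShared = InstanceProtector(keysShared).Protect(statePayload);
        string roundTrip = InstanceProtector(keysShared).Unprotect(stateShared);
        Console.WriteLine("shared key store round trip: " + (roundTrip == statePayload ? "ok" : "mismatch"));

        Directory.Delete(root, recursive: true);
    }

    // Equivalent registration in Startup.ConfigureServices. The share path is a placeholder; any store
    // every instance can reach (network share, S3, Azure Blob, Redis) serves the same purpose.
    // SetApplicationName isolates this app's keys from other apps that use the same store.
    public static void ConfigureSharedKeys(IServiceCollection services)
    {
        services.AddDataProtection()
            .SetApplicationName("my-oidc-client")  // constructed name
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\<shared-key-server>\keys"));  // placeholder path
    }
}
```

Two checks worth doing once the store is shared: every instance must use the same application name, or they still derive different keys, and the key files in a shared location hold the secrets that protect every login's state, so encrypt them at rest (for example with `ProtectKeysWithCertificate` or the platform's key management) and restrict who can read the share.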

@gianibob82

gianibob82 commented Jun 1, 2018

Thanks @KevinDockx! That's exactly the problem. In my case I'm storing the keys in S3.

@sathiathirumal

sathiathirumal commented Jun 1, 2018

Also see #1755 (comment). Related to what @KevinDockx says.

@bdparrish

bdparrish commented Jul 10, 2018

@KevinDockx - I am seeing this with NGINX, but I only have a single server. Any ideas what this would be coming from since the session is not being shared across multiple servers?

@Tratcher

Member

Tratcher commented Jul 10, 2018

@bdparrish can you share a Fiddler trace of the login flow? Also your Nginx config?

@bdparrish

bdparrish commented Jul 10, 2018

@Tratcher - disregard, seemed to be a phantom error. I couldn't recreate it after restarting the cluster of services.

@aspnet-hello

aspnet-hello commented Sep 24, 2018

We periodically close 'discussion' issues that have not been updated in a long period of time.

We apologize if this causes any inconvenience. We ask that if you are still encountering an issue, please log a new issue with updated information and we will investigate.

@aspnet-hello aspnet-hello removed this from the Discussions milestone Sep 24, 2018

@aspnet aspnet locked and limited conversation to collaborators Sep 24, 2018