Authentication.WsFederation breaks with on-premise AD FS use #52099
Comments
|
Thanks for contacting us. |
Tratcher
added
area-auth
|
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login. |
|
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login. ---> (Inner Exception #2) Microsoft.IdentityModel.Tokens.SecurityTokenMalformedException: IDX14100: JWT is not well formed, there are no dots (.). --- End of inner exception stack trace --- |
|
We have encountered this issue as well and implemented a workaround. This may be an issue with a difference in how JsonWebTokenHandler and SamlSecurityTokenHandler handles configuration fetching from ConfigurationManager. I have reported this issue to Microsoft.IdentityModel here: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2406 The JsonWebTokenHandler fetches BaseConfiguration from the ConfigurationManager when validating a token, the Saml*SecurityTokenHandler does not. This change a56e968#diff-42233637069e62d711d83e163c06bbf11849c4acb594daaf5587697c3ef0789fL99 changed configuration fetching so that this now is delegated to the TokenHandler when using the default ConfigurationManager or StaticConfigurationManager (inherits from BaseConfigurationManager). While this works for JsonWebTokenHandler, the SAML handlers is not compatible. |
|
Received the following response via email, does not appear here. From: Stephen Halter It's undocumented breaking change. We recommend updating your code to utilize the newer, more-optimized types. But if that's not possible, you can set WsFederationOptions.UseSecurityTokenHandlers = true which is the second option listed in the "Recommended action" section of the announcement. |
|
Thank you for your response. I am aware of the breaking change as described. Unfortunately, that is not the issue here. I can confirm the issue noted above #52099 (comment), and I can work around the initialization problem related to that which was introduced in the associated ASP.NET Core change to the WsFederation component. While that initialization issue may have a root cause deeper in the architecture and in a separate project, the issue is exposed in a component from this project. There is a separate issue in the new token handler in that it does not appear to handle WS-Fed tokens properly. But again, that is internal to the ASP.NET Core component implementation in its choice of relying on other projects. I am not using the token handlers directly, there is nothing in the code or the sample app to be switched. It appears that ASP.NET Core's Authentication.WsFederation component has relied internally on one or more broken components from other project(s). I would expect that such internal issues between projects would be addressed by the involved projects' members. To reiterate: this is not a question about the breaking change that was noted, it's an issue with the component not working as documented, requiring user space work arounds. |
|
Hi, I can confirm what @csowa assumes, that this is not a matter of the state of the That change relates to the use of JWT tokens (and handling them with one class or the other), but the error messages in the bug report clearly indicate that @csowa uses SAML tokens, which are handled by completely different classes. @Hakon has, as far as I can tell, correctly diagnosed the problem and has also published a great workaround in this issue: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2406 The error message in this bug report indicates that the workaround should be applicable as-is, but users who get a SAML 2.0 version token may need to subclass As @csowa writes, this is fine for those of us who are in control of the code that configures WsFederation, but if that code resides in a separate component that cannot be easily modified, it of course becomes a direct obstacle to adoption .NET 8.0. |
This is correct. It was not intended as a general fix for everyone but rather a hint at how to work around the problem. I am working on a proper fix in IdentityModel. |
|
Thank you for the warning. I have submitted a fix to IdentityModel. |
|
Just hit this as well. This is a pretty big breaking change to be undocumented! And how come this has not been fixed? It completely breaks ADFS Integration. Thanks for the workaround, @Hakon! It works great. |
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
can you link to the fix. did it make it into net8? |
halter73
added
External
Not yet. The PR to fix it is still open at AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2412. |
|
Stumbled upon this after spending afternoon. The workaround works as claimed. But a major breaking change. |
|
Yes some regression tests would be welcome for components this sensitive. |
|
Had it fixed after replacing: |
|
Closing as the updated packages from the Microsoft.IdentityModel.* version 7.4.1 have shipped now, which includes the fix. |
|
Will next patch version of WsFederation depend on fixed versions of IdentityModel? |
That is the bug covered by this issue. This appears to have been prematurely closed, pending resolution / confirmation of WsFederation's dependency. |
|
Microsoft.AspNetCore.Authentication.WsFederation has not been updated to reference 7.4.1, which is the one that contains the fix. The latest version 8.0.4 still references to 7.1.2. Do you know if there is any plan to get that updated ? Thanks |
|
@mkArtakMSFT This issue was specifically for Authentication.WsFederation breaking. Despite the fix to Microsoft.IdentityModel, Authentication.WsFederation still has not been updated to reference the fixed version, and thus the issue raised by this ticket still exists. This was closed prematurely. |
Is there an existing issue for this?
Describe the bug
Using Authentication.WsFederation for authentication results in error regardless of new UseSecurityTokenHandlers setting.
options.UseSecurityTokenHandlers = true;SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
Expected: behavior prior to change introduced with issue 49469.
options.UseSecurityTokenHandlers = false;XmlReadException: IDX30011: Unable to read XML. Expecting XmlReader to be at ns.element: 'urn:oasis:names:tc:SAML:2.0:assertion.Assertion', found: 'urn:oasis:names:tc:SAML:1.0:assertion.Assertion'.
Expected: to be able to handle SAML 1.0 assertion emitted by WsFed server.
Expected Behavior
options.UseSecurityTokenHandlers = true;
Expected: behavior prior to change introduced with issue 49469.
options.UseSecurityTokenHandlers = false;
Expected: to be able to handle SAML 1.0 assertion emitted by WsFed server.
Steps To Reproduce
Repro project: https://github.com/csowa/aspdotnetcore-auth-sample
Demonstrates WS-Federation issue with change introduced for #49469
Based on example at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-8.0#use-ws-federation-without-aspnet-core-identity
Build and run. Home page uses [Authorize] attribute, authentication begins when loading.
Dependency: ADFS server required. Server version tested: 10.0.17763.4644
Exceptions (if any)
options.UseSecurityTokenHandlers = true;SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
options.UseSecurityTokenHandlers = false;XmlReadException: IDX30011: Unable to read XML. Expecting XmlReader to be at ns.element: 'urn:oasis:names:tc:SAML:2.0:assertion.Assertion', found: 'urn:oasis:names:tc:SAML:1.0:assertion.Assertion'.
.NET Version
8.0.100
Anything else?
No response
The text was updated successfully, but these errors were encountered: