This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

invalid_grant after sign in #1670

Closed
1 task done
dankennedy opened this issue Oct 24, 2017 · 4 comments

@dankennedy

  • I read and understood how to enable logging

Issue / Steps to reproduce the problem

I have a .Net core 2 IdSvr and MVC portal running fine locally. I'm trying to deploy them both to docker containers behind an nginx proxy though, and while I can authenticate a locally running MVC portal against the deployed IdSvr, I cannot authenticate from the deployed MVC portal.

Full details of the logs can be found on this StackOverflow question if that helps but I assume I'm missing some config either in the IdSvr project or the MVC client.

https://stackoverflow.com/questions/46884549/identityserver4-sub-claim-is-missing

Any help would be much appreciated as we're trying to make IdSvr our federated identity gateway for all our systems and this is the first stage.

Relevant parts of the log file

[11:22:51 INF] Request starting HTTP/1.1 POST http://testportal.cmacgroup.co.uk/signin-oidc application/x-www-form-urlencoded 1559
[11:22:51 ERR] Message contains error: 'invalid_grant', error_description: 'error_description is null', error_uri: 'error_uri is null', status code '400'.
[11:22:51 ERR] Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant'], error_description: 'error_description is null', error_uri: 'error_uri is null'.
@leastprivilege
Member

any update?

@dankennedy
Author

Some progress, in that I've got the IdSvr4 web app running in a container, and if I run the client locally I can authenticate against IdSvr4 without a problem. If I use the client as deployed in a container however, after a successful authentication I just get the nginx 502 page and no error logged. If I refresh the page and therefore resubmit the form however I get the following error:
[13:30:07 ERR] HTTP POST /signin-oidc responded 500
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant' , error_description: 'error_description is null', error_uri: 'error_uri is null'.
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler1.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Cmac.Portal.Web.Middleware.SerilogMiddleware.<Invoke>d__4.MoveNext() in /app/Cmac.Portal.Web/Middleware/SerilogMiddleware.cs:line 37

I assume it's therefore something to do with either the nginx config or how I've deployed the client container but I can't seem to get any more info on the initial failure.

I'm spending some more time looking at it today and will update.

@dankennedy
Author

So I finally got to the bottom of it. It seems the default header limits in nginx don't play nice and I found this in the logs
upstream sent too big header while reading response header from upstream

Updating the nginx config to include the lines

proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;

prevented the 502 error and it all authenticates fine now.
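
An added example, not part of the original thread or the project's code: a Python check that measures an upstream response's header block against `proxy_buffer_size` and applies the two consistency rules nginx enforces on `proxy_busy_buffers_size`, which is why the three directives above are set together. Assumptions: a 4k memory page for nginx's defaults, and a constructed sign-in redirect with hypothetical cookie names `authC1` to `authC3`.

```python
import re

DEFAULT_PAGE = 4096  # assumption: nginx defaults use one 4k memory page
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

def size(text):
    """Convert an nginx size such as '128k' to bytes."""
    number, unit = re.fullmatch(r"(\d+)([kKmM]?)", text.strip()).groups()
    return int(number) * UNITS[unit.lower()]

def buffers(conf):
    """Return (header_buffer, buffer_count, buffer_size, busy) in bytes."""
    d = dict(re.findall(r"^\s*(proxy_\w+)\s+([^;]+);", conf, re.M))
    head = size(d.get("proxy_buffer_size", str(DEFAULT_PAGE)))
    count, each = d.get("proxy_buffers", f"8 {DEFAULT_PAGE}").split()
    each = size(each)
    if "proxy_busy_buffers_size" in d:
        busy = size(d["proxy_busy_buffers_size"])
    else:
        # When unset, nginx uses twice the larger of the two buffer sizes.
        busy = 2 * max(head, each)
    return head, int(count), each, busy

def header_bytes(raw):
    """Bytes of status line plus headers, including the blank line."""
    return raw.index(b"\r\n\r\n") + 4

def check(conf, raw):
    """List the problems this config would hit for this upstream response."""
    head, count, each, busy = buffers(conf)
    problems = []
    if header_bytes(raw) > head:
        problems.append("upstream sent too big header")
    if busy < max(head, each):
        problems.append("proxy_busy_buffers_size too small")
    if busy > (count - 1) * each:
        problems.append("proxy_busy_buffers_size too large")
    return problems

# Constructed sample: a redirect carrying three large cookie chunks.
COOKIE = b"Set-Cookie: authC%d=%s; path=/; secure; httponly\r\n"
SAMPLE = (b"HTTP/1.1 302 Found\r\nLocation: /\r\n"
          + b"".join(COOKIE % (i, b"x" * 4000) for i in (1, 2, 3)) + b"\r\n")

# The three directives from the comment above.
FIXED = """
proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;
"""
```

Raising only `proxy_buffer_size` to 128k while leaving the other two at their defaults fails the last rule, so the check reports it as a configuration error rather than a fix.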

@lock

lock bot commented Jan 14, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 14, 2020