IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal

Question

IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal

roddharris opened this issue 5 months ago · comments

Is there an existing issue for this?

I have searched the existing issues

Describe the bug

I'm using the AddOpenidConnect extension method to configure OpendidConnect to work with our Keycloak IDP. Whenever the Challenge is requested, I receive an error: "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." (Line 485 of the HandleChallengeAsyncInternal).

It appears that this is supposed to be set when the configuration manager reads the OIDC configuration from the .well-known endpoint of my IDP. (Line 402) It seems as though the manager is unable to read the IDP configuration or is unable to pull out the authorization_endpoint property of my IDP configuration.

Expected Behavior

When the Challenge is required, the OpenidConnectHandler should redirect the browser to the authorization_endpoint that is defined in the well-known endpoint of the IDP configured using the AddOpenidConnect extension method.

Steps To Reproduce

Here is the configuration in program.cs

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://my-keycloak-idp.com/auth/realms/myrealm";
        options.ClientId = "my-app-client-id";  //public client, no secret
        options.CallbackPath = "/auth";
        options.RequireHttpsMetadata = true;
        options.MetadataAddress = "https://my-keycloak-idp.com/auth/realms/myrealm/.well-known/openid-configuration";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.UsePkce = true;
        options.ResponseType = OpenIdConnectResponseType.Code;
    });

Here is the configuration returned by the metadata endpoint.

Exceptions (if any)

Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.

.NET Version

8.0.100

Anything else?

This is an Asp.NET Core 8.0 MVC application.
I'm running in VS 2022

roddharris · Answer 1 · Sat May 18 2024 01:59:29 GMT+0800 (China Standard Time)

Sorry, I forgot to add that my Keycloak client is set for Standard Flow, Implicit Flow and Direct Access Grants. I also have my Web Origins configured as well as my Valid Redirect URIs.

Stephen Halter · Answer 2 · Wed May 22 2024 03:10:46 GMT+0800 (China Standard Time)

Can you provide a minimal repro project?

I suspect the issue might be mismatched Microsoft.IdentityModel.* dependencies. Even if you don't reference these dependencies directly right now, you might have to add an explicit PackageReference to make sure all the versions align exactly. The current latest version for these packages is 7.5.2.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2513 (comment) has more context on the issue. It shouldn't be necessary to manually align package versions like this, but it is necessary as of right now.

roddharris · Answer 3 · Fri May 24 2024 21:57:09 GMT+0800 (China Standard Time)

Thank you @halter73 that seemed to be the issue.