Open Closed

Authentication using Open ID Connect with Auth0 fails in OpenIdConnectAuthProviderApi #10707

kylem created
  • What is your product version? 10.4.0
  • What is your product type (Angular or MVC)? Angular
  • What is product framework type (.net framework or .net core)? .net core
  • What is ABP Framework version? Abp.AspNetZeroCore: 3.0.0, Abp: 6.4.0

Hi, we tried to configure our application to authenticate users using Open ID Connect using Auth0 as provider but got following error:

ERROR 2021-11-24 13:12:11,193 [23   ] Mvc.ExceptionHandling.AbpExceptionFilter - IDX20803: Unable to obtain configuration from: 'System.String'.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
 ---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Abp.AspNetZeroCore.Web.Authentication.External.OpenIdConnect.OpenIdConnectAuthProviderApi.ValidateToken(String token, String issuer, IConfigurationManager`1 configurationManager, CancellationToken ct)
   at Abp.AspNetZeroCore.Web.Authentication.External.OpenIdConnect.OpenIdConnectAuthProviderApi.GetUserInfo(String token)

Authentication was working fine when we tried similar setup with Okta as provider.

After our analysis, it turned out that cause of the issue is same as in ticket 9789:

So we followed the suggestion in that ticket (re-implementing OpenIdConnectAuthProviderApi) and that at least partially resolved our issues.

The problem seems to be in current logic used in OpenIdConnectAuthProviderApi, GetUserInfo() method, when Issuer URL is created by appending string '/.well-known/openid-configuration' to pre-configured value of the 'Authority' parameter.

In our case that value already has slash (/) characater at the end and when string '/.well-known/openid-configuration' is appended, it creates URI with double slash character which returns 'page not found'

If we remove one slash character - all is good and correct openid configuration is returned in an call

So we applied small tweak to the logic like this:

var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                issuer + (issuer.EndsWith("/") ? ".well-known/openid-configuration" : "/.well-known/openid-configuration"),
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever());

but as I mentioned, it resolved issue just partially for us - only for cases when configuration parameter "AllowSocialLoginSettingsPerTenant" is set to true.

In this scenario, I was able to implement my version of OpenIdConnectAuthProviderApi based on source code that was provided in ticket 9789, and instantiate this version inside TenantBasedOpenIdConnectExternalLoginInfoProvider class.

However, ideally, we would like to use same Open ID Configuration for all of our tenants, and thus avoid setting it for each tenant, but for that case I was not able to find a way how to override default OpenIdConnectAuthProviderApi implementation.

in any case,to me this looks like a functionality that can be improved in the OpenIdConnectAuthProviderApi (as we see this is not happening only with Auth0, but with other providers as mentioned in ticket 9789)

Thanks and regards, Predrag

1 Answer(s)