Owin security could not handle callback "signin-oidc", Error 404 On Asp.net Mvc!

Question

Owin security could not handle callback "signin-oidc", Error 404 On Asp.net Mvc!

Hamed Vaziri 156

Hi everyone

I have a simple asp.net mvc app with .net framework 4.8.

I want to use keycloak as security management and my app connect to it via openid connect protocol.

To do this, I've created an startup.cs class in my project as follow :

[assembly: OwinStartup(typeof(Mvc48Keycloak.Startup))]
namespace Mvc48Keycloak
{
	public class Startup
	{
		public void Configuration(IAppBuilder app)
		{
			ConfigureAuth(app);
		}
		
		public void ConfigureAuth(IAppBuilder app)
		{
			var clientId = ConfigurationManager.AppSettings["Keycloak:ClientId"];
			var clientSecret = ConfigurationManager.AppSettings["Keycloak:ClientSecret"];
			var redirectUri = ConfigurationManager.AppSettings["Keycloak:RedirectUri"];
			
			app.UseCookieAuthentication(new CookieAuthenticationOptions
			{
				AuthenticationType = "Cookies"
			});
			
			app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
			{
				AuthenticationType = "oidc",
				Authority = "http://localhost:8080/realms/aspnet", // my keycloak server
				ClientId = clientId,
				ClientSecret = clientSecret,
				RedirectUri = redirectUri,
				ResponseType = "code",
				Scope = "openid profile email offline_access",
				TokenValidationParameters = new TokenValidationParameters
				{
					ValidateIssuer = true,
					ValidIssuer = "http://localhost:8080/realms/aspnet",
					ValidateAudience = true,
					ValidAudience = clientId,
				},
				RequireHttpsMetadata = false,
				SignInAsAuthenticationType = "Cookies",
				CallbackPath = new PathString("/signin-oidc"),
			}
		}
	}
}

And here is my web.config settings :

<appSettings>
	<!-- Keycloak Configuration -->
	<add key="Keycloak:ClientId" value="myClientID" />
	<add key="Keycloak:ClientSecret" value="myClientSecret" />
	<add key="Keycloak:RedirectUri" value="https://localhost:44300/signin-oidc" />
	...
</appSettings>

To test authentication process, i've simply placed [Authorize] attribute on Contact action inside HomeController :

[Authorize]
public ActionResult Contact()
{
    ViewBag.Message = "Your contact page.";
    return View();
}

At runTime, i've redirect to keycloak login form, but after that, when redirect to my app, facing this error 404 :

The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested URL: /signin-oidc

Apparently owin should handle the callbacks url but i don't know it could not!

Can anybody help me where is the problem and how to solve it?

Thanks in advance

Danny Nguyen (WICLOUD CORPORATION) 6,785 Microsoft External Staff Moderator

Hi @Hamed Vaziri ,

Thanks for providing the details.

If you’re seeing a 404 on /signin-oidc after redirecting back from Keycloak, it usually means OWIN isn’t set up to catch that callback. Here’s the exact Configuration method setup that fixed it for me, using ASP.NET MVC (.NET Framework 4.8) with Keycloak and OpenID Connect. It is recommended that you use Authorization Code flow with "Standard Flow" enabled in Keycloak.

Key Points

Register cookie authentication first.
Set the default sign-in authentication type with app.SetDefaultSignInAsAuthenticationType("Cookies").
This is critical, missing this line can cause the callback to fail.
OpenID Connect must use the correct callback path and redirect URI, and both must match the Keycloak configuration exactly.
Use debug logging to confirm OWIN sees requests (including /signin-oidc).

Here is my implementation of Configuration part of your code, consider checking it out:

[assembly: OwinStartup(typeof(KeycloakApp.Startup))]
namespace KeycloakApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Optional: log to verify requests hit OWIN (including /signin-oidc)
            app.Use(async (ctx, next) =>
            {
                System.Diagnostics.Debug.WriteLine("OWIN request: " + ctx.Request.Method + " " + ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase + ctx.Request.Path);
                await next();
            });
 
            ConfigureAuth(app);
        }
 
        public void ConfigureAuth(IAppBuilder app)
        {
            var authority = ConfigurationManager.AppSettings["Keycloak:Authority"];
            var clientId = ConfigurationManager.AppSettings["Keycloak:ClientId"];
            var clientSecret = ConfigurationManager.AppSettings["Keycloak:ClientSecret"];
            var redirectUri = ConfigurationManager.AppSettings["Keycloak:RedirectUri"]; // must match Keycloak
 
            // 1) Cookie auth FIRST
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always,
#if NET48
                CookieSameSite = Microsoft.Owin.SameSiteMode.None
#endif
            });
 
            // 2) Default sign-in type
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
 
            // 3) OIDC
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
 
                Authority = authority,
                ClientId = clientId,
                ClientSecret = clientSecret,
 
                ResponseType = "code",
                Scope = "openid profile email offline_access",
                RequireHttpsMetadata = false,
 
                RedirectUri = redirectUri,
                CallbackPath = new PathString("/signin-oidc"),
 
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                RedeemCode = true,
 
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = authority,
                    ValidateAudience = true,
                    ValidAudience = clientId
                },
 
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Save the id_token when sign-in succeeds
                    SecurityTokenValidated = n =>
                    {
                        if (!string.IsNullOrEmpty(n.ProtocolMessage.IdToken))
                        {
                            n.AuthenticationTicket.Properties.Dictionary["id_token"] = n.ProtocolMessage.IdToken;
                        }
                        return Task.FromResult(0);
                    },
 
                    // Set RedirectUri for login; set IdTokenHint for logout
                    RedirectToIdentityProvider = async n =>
                    {
                        var req = n.Request;
                        var baseUri = req.Scheme + "://" + req.Host + req.PathBase;
 
                        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                        {
                            // Must exactly match Keycloak Valid redirect URIs
                            n.ProtocolMessage.RedirectUri = redirectUri; // baseUri + "/signin-oidc" also ok if that equals redirectUri
                        }
                        else if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                        {
                            // Read id_token saved in the auth cookie and send as id_token_hint
                            var signInType = n.Options.SignInAsAuthenticationType; // "Cookies"
                            var auth = await n.OwinContext.Authentication.AuthenticateAsync(signInType);
                            if (auth != null && auth.Properties.Dictionary.TryGetValue("id_token", out var idToken) && !string.IsNullOrEmpty(idToken))
                            {
                                n.ProtocolMessage.IdTokenHint = idToken;
                            }
 
                            // Optional: some servers accept client_id as well
                            n.ProtocolMessage.ClientId = clientId;
 
                            // Where to go after logout
                            n.ProtocolMessage.PostLogoutRedirectUri = baseUri + "/";
                        }
                    },
 
                    AuthenticationFailed = n =>
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Home/Error?message=" + HttpUtility.UrlEncode(n.Exception.Message));
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}

Also remember to:

Check Keycloak’s "Valid Redirect URIs" setting: Must match your app’s RedirectUri (including protocol and port).
The OWIN pipeline should always see the /signin-oidc request—debug logs can confirm this.

In short. this configuration tells OWIN to handle /signin-oidc internally, so your app won’t generate a 404 after authenticating with Keycloak. If you follow these steps, authentication should flow smoothly.

Let me know if you need more details or run into any other issues!

Danny Nguyen (WICLOUD CORPORATION) 6,785 Reputation points Microsoft External Staff Moderator

2025-10-03T10:46:26.97+00:00

Hi havent heard from this thread for a while. Have there been any development on this issue? Feel free to reach out if you need any help

Answer accepted by question author

Answer recommended by moderator

1 additional answer

Your answer

Danny Nguyen (WICLOUD CORPORATION) 6,785 Reputation points Microsoft External Staff Moderator

2025-10-03T10:46:26.97+00:00

Hi havent heard from this thread for a while. Have there been any development on this issue? Feel free to reach out if you need any help

Answer 1

Hi @Hamed Vaziri ,

Sorry for bother you again. I know you have found a solution that is currently working

Since we have different approaches on this topic, here's a clear summary of what I've learned—and what's worked for myself and yours. This might help others who encounter the same solution.

1. Authorization Code Flow (response_type=code)

Solution:
To resolve issues with the Authorization Code Flow, ensure your Keycloak client is set to "Standard Flow" (authorization code), check that your OWIN middleware is configured with ResponseType = "code" and RedeemCode = true, set handling authentication type correctly and confirm your redirect URI matches in both Keycloak and your app. If you see a 404 on /signin-oidc, double-check your OWIN pipeline and middleware order.

What it does:
This is the most secure and modern way to use OpenID Connect. After login, Keycloak sends your app an authorization code, which your backend exchanges for tokens.

Should it work with OWIN?

In my experience, it does work with ASP.NET MVC and OWIN, as long as your middleware is set up correctly and your Keycloak client uses the correct redirect URI and response type.
The OWIN middleware should handle the /signin-oidc callback and redeem the code.
Make sure you have RedeemCode = true, and your Keycloak client is set to "Standard Flow" (authorization code) enabled.

Why it might not work (for some):

The official OWIN OpenID Connect middleware has some quirks and was originally designed for Azure AD. Certain older versions or misconfigurations may not redeem the code properly.
If you see a 404 on /signin-oidc, double-check your OWIN pipeline, Keycloak redirect URI, and middleware setup.
If your team lead says "code" doesn't work, it's possible your environment or package versions differ.

2. Implicit Flow (response_type=id_token)

Solution:
If you run into trouble with Authorization Code Flow, switch to Implicit Flow by setting ResponseType = "id_token" in your middleware and enabling "Implicit Flow" in your Keycloak client settings. This lets OWIN handle the authentication without needing to exchange an authorization code for tokens.

What it does:
With Implicit Flow, Keycloak sends the id_token directly in the redirect—no backend code exchange needed.

Should it work with OWIN?

Yes! The OWIN middleware natively handles the id_token from the callback.
You must enable "Implicit Flow" for your Keycloak client.
Use ResponseType = "id_token" (or "id_token token" for access token too).

To compare the 2 approaches:

Security: Authorization Code Flow is recommended for production apps.
Compatibility: If your current setup or team prefers Implicit Flow due to middleware limitations, it’s a workable solution.
What’s best? If you can get Code Flow working, stick with it. If not, Implicit Flow is a valid fallback for many .NET Framework MVC apps.

I hope that my answer is helpful. If possible, please consider letting me know if I am missing anything on this problem.

Answer 2

Hamed Vaziri 156

Hi again!
Thanks for your helps..

I've solved my problem, here is the solution :
Based on this thread, we have to set ResponseTypes to "id_token", but In addition to that, we have to enable "Implecit flow" in keycloak server to receive id_token without authorization code!

That's it!
best regards ..

Danny Nguyen (WICLOUD CORPORATION) 6,785 Reputation points Microsoft External Staff Moderator

2025-09-29T09:24:46.0066667+00:00

Hi, congrats on solving this problem.

I still think the main issue was how the OWIN authentication pipeline and its options were set up. app.SetDefaultSignInAsAuthenticationType(...) is missing in your setup, which is critical for OWIN to correctly issue the authentication cookie and complete the sign-in flow.

You’re right that enabling Implicit Flow (response_type=id_token) works, but for better security and compatibility it's recommended to use the Authorization Code flow (response_type=code), which is fully supported by Keycloak (see the Keycloak OIDC documentation here). With code flow, you only need "Standard Flow" enabled in Keycloak—no need for Implicit Flow. This is the approach most modern apps use.

I hope this additional information is helpful to you. I have edit my original answer to reflect on this. If possible, consider checking it out and if the answer is correct/works for you, please consider accepting it.
Hamed Vaziri 156 Reputation points

2025-09-30T16:45:34.32+00:00
Thanks for reply..

I've tested your suggested code before, but facing the same issue!

As a thread which i placed in my last post, Owin.OpenIdConnect does not support "code" responseType.

Answer 3

Close the missing bracket in UseOpenIdConnectAuthentication → should end with });.
Remove RedirectUri = redirectUri, from your config (keep only CallbackPath = new PathString("/signin-oidc")).
In Keycloak, add https://localhost:44300/signin-oidc under Valid Redirect URIs.
Ensure app.UseCookieAuthentication comes before app.UseOpenIdConnectAuthentication.

That will stop MVC from giving 404 on /signin-oidc.

Here’s the corrected Startup.cs auth section you can drop in:

public void ConfigureAuth(IAppBuilder app)
{
    var clientId = ConfigurationManager.AppSettings["Keycloak:ClientId"];
    var clientSecret = ConfigurationManager.AppSettings["Keycloak:ClientSecret"];
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies"
    });
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = "oidc",
        Authority = "http://localhost:8080/realms/aspnet",
        ClientId = clientId,
        ClientSecret = clientSecret,
        ResponseType = "code",
        Scope = "openid profile email offline_access",
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "http://localhost:8080/realms/aspnet",
            ValidateAudience = true,
            ValidAudience = clientId,
        },
        RequireHttpsMetadata = false,
        SignInAsAuthenticationType = "Cookies",
        CallbackPath = new PathString("/signin-oidc")
    });
}

Share via

Owin security could not handle callback "signin-oidc", Error 404 On Asp.net Mvc!

1 additional answer

Your answer