Authentication ticket value is null in the AuthorizationCodeReceived event

Ed Brinkman 121 Reputation points
2021-02-27T11:30:23.69+00:00

I have been able to login to the identity provider and get the access_token. My problem is with mapping the OpenID Connect groups to roles. I am changing an MVC 4 website. The blog post at ( https://developer.okta.com/blog/2018/04/18/authorization-in-your-aspnet-mvc-4-application ) gives sample code for AuthorizationCodeReceived. The problem is that the AuthenticationTicket value is null in the AuthorizationCodeReceived event. The article states that mapping the OpenID Connect groups to roles is required to get authorization attributes to work. My website is not using Azure Active Directory. Do you have any advice?


Accepted answer
  1. Ed Brinkman 121 Reputation points
    2021-03-11T17:39:21.62+00:00

    I found a post that fixed the problem. The authentication works now. I wanted to post it for any future reference. https://stackoverflow.com/questions/20737578/asp-net-sessionid-owin-cookies-do-not-send-to-browser


12 additional answers

  1. Yijing Sun-MSFT 7,061 Reputation points
    2021-03-01T07:50:12.003+00:00

    Hi @Ed Brinkman ,

    As far as I can tell, you do not need to use Azure Active Directory with OpenID Connect if you have another third party such as Facebook or Google.
    You need to configure it like AAD and send the notification, and then wait for a result to be returned.
    You could refer to below articles:
    Tutorial: Add sign-in to Microsoft to an ASP.NET web app

    AuthorizationCodeReceived



    Best regards,
    Yijing Sun


  2. Ed Brinkman 121 Reputation points
    2021-03-01T23:11:01.667+00:00

    I can sign in and get an access token. The AuthorizationCodeReceived event does fire. The n.AuthenticationTicket is null.

    The identity provider is set up to use the scope "openid profile ismemberof".

    Other posts talk about using a hybrid flow with scope values of "code id_token" for access tokens.

    I have not found an explanation.


  3. Ed Brinkman 121 Reputation points
    2021-03-02T14:40:37.037+00:00

    My company is using the authorization code flow with PKCE. I am still learning the technology. I have been grabbing pieces of code. My current problem does not give me any diagnostic information. I have been working off the code at https://www.scottbrady91.com/ASPNET/Refreshing-your-Legacy-ASPNET-IdentityServer-Client-Applications

    Another article at https://developer.okta.com/blog/2018/04/18/authorization-in-your-aspnet-mvc-4-application talks about using allowed grant types of Authorization Code, Implicit (Hybrid) - Allow ID Token. Both articles reference the AuthenticationTicket property of the AuthorizationCodeReceivedNotification parameter. The AuthenticationTicket property is null, so the code does not work. I do not know enough about the technology to know why.

    The SecurityTokenValidated event is not firing either. I do not know why. An incoming id_token is to be parsed, validated, and used to populate context.AuthenticationTicket with a ClaimsIdentity whose claims come from the incoming token, according to the text "Modern Authentication with Azure Active Directory for Web Applications".


  4. Ed Brinkman 121 Reputation points
    2021-03-03T13:29:03.13+00:00

    No, the returned URL is http://localhost/xxxx. SSL is not enabled for the website.
    PKCE has been turned off temporarily.
    I have run the code, but the Authorize attribute is not working. The variable filterContext.HttpContext.User.Identity.IsAuthenticated returns false. The identity name is null. The identity is a GenericIdentity.
    I did find that the variable User.Claims is populated correctly. User.IsAuthenticated returns true. However, User.Identity.Name is null.
    The problem is that the Authorize attribute is not working. My code does not match the articles I have been working from. Below is the code I cannot get to work because the variable n.AuthenticationTicket is null.

    // Scott Brady's article code. userInfoResponse and tokenResponse come from the
    // article's token-endpoint and userinfo calls. The first line dereferences
    // n.AuthenticationTicket, which is null here.
    var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
    id.AddClaims(userInfoResponse.Claims);
    id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
    id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

    n.AuthenticationTicket = new AuthenticationTicket(
        new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType),
        n.AuthenticationTicket.Properties);

    // Okta blog code: map each "groups" claim from the userinfo response to a role claim.
    foreach (var group in userInfoResponse.Claims.Where(x => x.Type == "groups"))
    {
        n.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, group.Value));
    }
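The following is an added example, not code from the question, from the Okta post or from Scott Brady's article. It shows an OWIN/Katana OpenID Connect setup for the pure authorization code flow (response_type=code) in which the AuthorizationCodeReceived handler redeems the code, validates the returned id_token and builds the ticket itself, instead of reading n.AuthenticationTicket, which the Katana middleware leaves null when no id_token arrived on the front channel. It assumes Microsoft.Owin.Security.OpenIdConnect 4.x, System.IdentityModel.Tokens.Jwt and Newtonsoft.Json; the authority, client id, client secret, redirect URI, error page and the group claim name ("groups") are placeholders to replace with your provider's values.

```csharp
// Added example (not the page's code). Katana OIDC middleware, authorization code flow.
// Assumptions: Microsoft.Owin.Security.OpenIdConnect 4.x, System.IdentityModel.Tokens.Jwt,
// Newtonsoft.Json. All URLs, ids, the secret and the group claim name are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Newtonsoft.Json.Linq;
using Owin;

[assembly: OwinStartup(typeof(MvcClient.Startup))]

namespace MvcClient
{
    public class Startup
    {
        // Placeholders: replace with the real provider and client registration.
        const string Authority = "https://idp.example.com";
        const string ClientId = "mvc-client";
        const string ClientSecret = "<load from configuration, never commit>";
        const string RedirectUri = "https://localhost:44300/signin-oidc";
        const string GroupClaimType = "groups"; // claim name your provider uses for group membership

        static readonly HttpClient Http = new HttpClient();

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always // the site must run over HTTPS
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = Authority,
                ClientId = ClientId,
                RedirectUri = RedirectUri,
                ResponseType = OpenIdConnectResponseType.Code, // no id_token on the front channel
                Scope = "openid profile ismemberof",
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",         // makes User.Identity.Name non-null
                    RoleClaimType = ClaimTypes.Role // makes [Authorize(Roles = "...")] work
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = n =>
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Home/Error"); // placeholder error page
                        return Task.FromResult(0);
                    }
                }
            });
        }

        static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification n)
        {
            var config = await n.Options.ConfigurationManager.GetConfigurationAsync(n.Request.CallCancelled);

            // 1. Redeem the single-use code on the back channel; the secret never reaches the browser.
            //    If your Katana version can redeem the code itself (4.1's RedeemCode option), leave
            //    that option off so the code is not presented to the token endpoint twice.
            var form = new Dictionary<string, string>
            {
                ["grant_type"] = "authorization_code",
                ["code"] = n.Code,
                ["redirect_uri"] = n.RedirectUri,
                ["client_id"] = ClientId,
                ["client_secret"] = ClientSecret
            };
            var response = await Http.PostAsync(config.TokenEndpoint, new FormUrlEncodedContent(form), n.Request.CallCancelled);
            response.EnsureSuccessStatusCode();
            var tokens = JObject.Parse(await response.Content.ReadAsStringAsync());
            var idToken = (string)tokens["id_token"];
            if (string.IsNullOrEmpty(idToken))
                throw new InvalidOperationException("Token endpoint returned no id_token; check the openid scope.");

            // 2. Validate the id_token here (signature against the discovered keys, issuer, audience,
            //    lifetime): the middleware only validates id_tokens it received on the front channel.
            var tvp = n.Options.TokenValidationParameters.Clone();
            tvp.ValidIssuer = config.Issuer;
            tvp.ValidAudience = ClientId;
            tvp.IssuerSigningKeys = config.SigningKeys;
            SecurityToken validated;
            var principal = new JwtSecurityTokenHandler().ValidateToken(idToken, tvp, out validated);

            // 3. Build the identity with the cookie's authentication type (the blog snippets take it
            //    from n.AuthenticationTicket, which is null here) and map group claims to roles.
            //    Tokens are deliberately not copied into the cookie.
            var id = new ClaimsIdentity(principal.Claims, n.Options.SignInAsAuthenticationType,
                                        tvp.NameClaimType, tvp.RoleClaimType);
            foreach (var group in principal.FindAll(GroupClaimType))
                id.AddClaim(new Claim(ClaimTypes.Role, group.Value));

            // 4. Hand the ticket to the middleware, which issues the cookie. Older Katana versions do
            //    not expose the original return URL in this notification, so fall back to "/".
            var props = n.AuthenticationTicket?.Properties ?? new AuthenticationProperties { RedirectUri = "/" };
            n.AuthenticationTicket = new AuthenticationTicket(id, props);
        }
    }
}
```

The two things the blog snippets on this page lack are the authentication type and the name/role claim types on the ClaimsIdentity: without the former the cookie middleware never signs the identity in, and without the latter User.Identity.Name stays null and [Authorize(Roles = "...")] sees no roles even when the role claims are present.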