Azure Active Directory authentication error OWIN

Rubén Romero 6 Reputation points
2020-10-24T01:48:47.787+00:00

I have the following error:
IDX21323: RequireNonce is 'System.Boolean'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

  1. My application was working fine in Azure Web Services.
  2. I use OWIN functions for the authentication.
  3. I configure a custom domain and upgrade my service from free to Basic to have the slot and domain options.
  4. After configuring my domain and work fine, downgrade back the service to free.
  5. And now when I'm trying to return the service to Basic to use the slots and to configure the domain I have the problem.

I'm not sure if the above is directly related with the problem but I wanted to pointed out.

Note. The application works fine if runned from Visual Studio and authenticating to Azure Active Directory.

I appreciate any help to fix this error.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,626 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 32,541 Reputation points Microsoft Employee
    2020-10-27T22:07:02.52+00:00

    The error generally occurs when the request to the application does not contain the nonce cookie. To gather more insights you can follow the instructions to capture a Fiddler tracewith decrypt https traffic enabled.

    You can also try adding these lines of code:

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
        {
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                AuthenticationFailed = AuthenticationFailedNotification<OpenIdConnect.OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> authFailed =>
                {
                    if (authFailed.Exception.Message.Contains("IDX21323"))
                    {
                        authFailed.HandleResponse();
                        authFailed.OwinContext.Authentication.Challenge();
                    }
    
                    await Task.FromResult(true);
                }
            }
        });
    

    References:

    IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null
    MVC5 Azure AD IDX21323

    I would also recommend checking out the blog post, RECEIVING ERROR IDX21323 OR DX10311 REQUIRENONCE, which suggests that this can sometimes happen if there are multiple domains pointing to the same website.

    1 person found this answer helpful.

  2. Marcin 6 Reputation points
    2021-12-18T16:14:44.677+00:00

    @Marilee Turscak-MSFT thank you, your solution worked for me!

    0 comments No comments