Resolving IDX21323 error for a site hosted on Azure that only occurs on Chromium-based browsers

Henry 0 Reputation points
2024-01-09T11:04:38.7933333+00:00

I currently have an ASP.NET Framework project in progress that makes use of Microsoft Entra ID (OpenID) as part of the login.

When testing either locally or on a non-Azure server there are no issues and the login/redirect takes place as expected.

Once published to a site hosted on Azure (IIS), however, the issues begin on what appear to be Chromium-based browsers (Edge and Chrome tested; Firefox works as intended).

After being directed to and completing Microsoft sign-in, the expected behavior is to redirect back to the initial login, where the application then checks if authentication was successful (HttpContext.Current.GetOwinContext().Authentication.User.Identity.IsAuthenticated).
On Chrome, the following error message is received: "errormessage=IDX21323: RequireNonce is true. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you dont need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false. Note if a nonce is found it will be evaluated"

Following other suggestions/questions I attempted to set nonceRequired to false, which would either result in a similar error message but instead relating to , or alternatively a redirect without the error message but with IsAuthenticated still failing.

Below is a snippet from my startup.cs file relating to the OWIN OpenIdConnect configuration I currently have running.

public void Configuration(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        CookieSameSite = SameSiteMode.None
    });
    app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = redirectUri,
        Scope = OpenIdConnectScope.OpenIdProfile,
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = false
        },
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = OnAuthenticationFailed,
            SecurityTokenValidated = context =>
            {
                // Access user claims from context
                var claims = context.AuthenticationTicket.Identity.Claims;

                // Access specific claims
                string userName = context.AuthenticationTicket.Identity.FindFirst("preferred_username")?.Value;
                string userEmail = context.AuthenticationTicket.Identity.FindFirst("email")?.Value;

                string tenantId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;

                // Store or use the user information as needed

                return Task.FromResult(0);
            }
        }
    }
);
}

Any suggestions on how I could try and resolve this issue would be appreciated.

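To make the symptom in the question reproducible without a browser, here is an added example (not code from the question and not the OWIN middleware's own code) that models the nonce round trip behind IDX21323: the middleware stores a nonce in a cookie before redirecting to login.microsoftonline.com, Entra ID echoes the same nonce in the id_token, and the response comes back as a cross-site POST (response_mode=form_post). Whether the cookie is sent on that POST depends on its SameSite and Secure attributes, and the rules differ between Chromium and Firefox. All type and method names (`NonceCookie`, `BrowserModel`, `NonceCheck`) are hypothetical, the browser models are simplified, and the cookie configurations are constructed inputs.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the question or from the OWIN middleware: a stand-alone
// model of the nonce round trip behind IDX21323, combined with the browser rules that
// decide whether the nonce cookie comes back on the cross-site POST from
// login.microsoftonline.com. All type and method names here are hypothetical.
enum SameSite { Unset, Lax, Strict, None }

sealed class NonceCookie
{
    public string Value { get; set; }      // nonce the middleware generated before redirecting
    public SameSite SameSite { get; set; } // SameSite attribute written on the Set-Cookie header
    public bool Secure { get; set; }       // whether the Secure attribute was written
    public double AgeMinutes { get; set; } // time between Set-Cookie and the POST back
}

static class BrowserModel
{
    // Chromium rules for a cross-site top-level POST (the form_post callback):
    //  - SameSite=None without Secure is rejected when the cookie is set, so it never exists;
    //  - SameSite=None; Secure is sent;
    //  - no attribute is treated as Lax, but the "Lax+POST" exception still sends it
    //    on a top-level POST if the cookie was set less than 2 minutes earlier;
    //  - explicit Lax and Strict are withheld.
    public static bool ChromiumSendsOnCrossSitePost(NonceCookie c)
    {
        switch (c.SameSite)
        {
            case SameSite.None:  return c.Secure;
            case SameSite.Unset: return c.AgeMinutes < 2;
            default:             return false;
        }
    }

    // Simplified Firefox model for the time of the question: no Lax-by-default, and
    // SameSite=None is not tied to Secure, so only explicit Lax/Strict are withheld.
    public static bool FirefoxSendsOnCrossSitePost(NonceCookie c) =>
        c.SameSite == SameSite.Unset || c.SameSite == SameSite.None;
}

static class NonceCheck
{
    // Models the outcome of matching the id_token's nonce claim against the nonce
    // stored in the cookie, in the three states that matter for this question.
    public static string Evaluate(string idTokenNonce, string cookieNonce, bool requireNonce)
    {
        if (cookieNonce == null)
            return requireNonce
                ? "IDX21323 (id_token has a nonce, nonce cookie never came back)"
                : "nonce check skipped (RequireNonce = false)";
        if (!string.Equals(idTokenNonce, cookieNonce, StringComparison.Ordinal))
            return "nonce mismatch (possible replay)";
        return "nonce OK";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed cookie configurations. The middleware always sends the same nonce
        // in the request, so the id_token that comes back carries it regardless.
        var cases = new List<NonceCookie>
        {
            new NonceCookie { Value = "n1", SameSite = SameSite.Unset, Secure = false, AgeMinutes = 0.5 },
            new NonceCookie { Value = "n2", SameSite = SameSite.None,  Secure = false, AgeMinutes = 0.5 }, // None over plain http
            new NonceCookie { Value = "n3", SameSite = SameSite.None,  Secure = true,  AgeMinutes = 0.5 },
            new NonceCookie { Value = "n4", SameSite = SameSite.Lax,   Secure = true,  AgeMinutes = 0.5 },
        };

        foreach (var c in cases)
        {
            string chromeCookie  = BrowserModel.ChromiumSendsOnCrossSitePost(c) ? c.Value : null;
            string firefoxCookie = BrowserModel.FirefoxSendsOnCrossSitePost(c) ? c.Value : null;
            Console.WriteLine($"SameSite={c.SameSite,-5} Secure={c.Secure,-5} | Chromium: " +
                $"{NonceCheck.Evaluate(c.Value, chromeCookie, true),-60} | Firefox: " +
                NonceCheck.Evaluate(c.Value, firefoxCookie, true));
        }
    }
}
```

Run it as a console project (`dotnet run`). The second row is the configuration the question describes: SameSite=None was requested but the site is reached over plain http, so no Secure attribute is written, Chromium discards the cookie, and the middleware sees exactly the IDX21323 state (nonce present in the id_token, nonce cookie absent) while Firefox still completes the sign-in. Setting RequireNonce to false only silences the check; the nonce exists to tie the id_token to the request that asked for it, so the fix is to keep the check and make the cookie survive the round trip (SameSite=None together with Secure, which in turn requires the site to be served over https).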

1 answer

    Navya 20,490 Reputation points Microsoft External Staff Moderator
    2024-01-10T11:04:25.51+00:00

    Hi @Henry

    Thank you for posting this in Microsoft Q&A.

    I understand you are reporting an error message (IDX21323) that occurs when testing an ASP.NET framework project that uses Microsoft Entra ID (OpenID) for login. The error only occurs on Chromium-based browsers (Edge and Chrome) when the project is published to an Azure-hosted site (IIS).

    The RequireNonce property is used to ensure that the Nonce value in the token matches the Nonce value that was sent in the authentication request. This is a security feature that helps prevent replay attacks. You can either set the 'RequireNonce' property to false, or you can provide a 'RequireNonce' in the request.

    If setting RequireNonce to false did not resolve the issue, it's possible that there is another problem with the authentication flow.

    1. Make sure that the redirect URI in your authentication request matches the redirect URI that is registered for your application in Azure AD.

    2. Make sure that all website traffic is over https. Sometimes it could be a configuration that needs to be fixed in the application to ensure https.

    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.IsEssential = true;
    });

    3. If SSL is not enabled in Visual Studio or in the Windows VM, enable SSL to enforce https and ensure that the user has all the necessary parameters for the login request.

    4. After the user authenticates, the authentication provider will redirect the user back to your application with an authentication response.

    5. Check the token validation parameters: Make sure that the token validation parameters are correctly configured to validate the access token and ID token.

    Thanks,
    Navya.
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

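The `.AddCookie(...)` snippet in the answer is ASP.NET Core syntax; the question's project is OWIN/Katana on ASP.NET Framework. The following is an added example (not the answer's own code) that applies checklist points 1, 2 and 5 in OWIN terms: `CookieSameSite`, `CookieSecure` and `CookieManager` on `CookieAuthenticationOptions`, the same `CookieManager` on `OpenIdConnectAuthenticationOptions` so the nonce and correlation cookies are handled identically (this assumes Microsoft.Owin 4.1 or later), a pinned issuer instead of `ValidateIssuer = false`, and two notifications that log the redirect-URI and scheme mismatches before they turn into an IDX error. The client id, tenant id and redirect URI are placeholders, the single-tenant assumption is marked in a comment, and `/Account/SignInError` is a hypothetical error page.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholders (assumed values): take the real ones from the app registration.
    private const string ClientId = "<application-client-id>";
    private const string TenantId = "<directory-tenant-id>";
    private static readonly string Authority = "https://login.microsoftonline.com/" + TenantId + "/v2.0";
    // Must match the registered redirect URI character for character (scheme, host, path, trailing slash).
    private const string RedirectUri = "https://<your-site>.azurewebsites.net/";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // OWIN equivalents of the ASP.NET Core .AddCookie settings in the answer.
            // Chromium discards SameSite=None cookies that are not also Secure, so Secure
            // is forced here and the site must actually be served over https.
            CookieSameSite = SameSiteMode.None,
            CookieSecure = CookieSecureOption.Always,
            // Write cookies through System.Web so IIS does not drop or re-write them.
            CookieManager = new SystemWebCookieManager()
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // The nonce and correlation cookies (the ones IDX21323 is about) use the same manager.
            CookieManager = new SystemWebCookieManager(),
            TokenValidationParameters = new TokenValidationParameters
            {
                // Single-tenant app (assumption): pin the issuer rather than disabling the check,
                // otherwise an id_token issued for any tenant would be accepted.
                ValidateIssuer = true,
                ValidIssuer = Authority,
                NameClaimType = "preferred_username"
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    // Checklist points 1 and 2, verified before the browser is sent to Entra ID.
                    if (!string.Equals(context.Request.Scheme, "https", StringComparison.OrdinalIgnoreCase))
                        Trace.TraceWarning("Sign-in started over http; Secure cookies will not be stored.");
                    if (!string.Equals(context.ProtocolMessage.RedirectUri, RedirectUri, StringComparison.Ordinal))
                        Trace.TraceWarning("redirect_uri '{0}' differs from registered '{1}'.",
                            context.ProtocolMessage.RedirectUri, RedirectUri);
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {
                    // Keep the IDX error id in the server log; do not echo the full message to the browser.
                    Trace.TraceError("OpenID Connect sign-in failed: {0}", context.Exception.Message);
                    context.HandleResponse();
                    context.Response.Redirect("/Account/SignInError");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With `CookieSecure = CookieSecureOption.Always`, a request that arrives over http will set a cookie the browser never stores, so on Azure App Service the "HTTPS Only" setting (or an equivalent redirect in web.config) should be on before this configuration is deployed; the `RedirectToIdentityProvider` warning makes that misconfiguration visible in the trace log instead of surfacing later as a nonce error.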
