Authentication ticket value is null in the AuthorizationCodeReceived event

Ed Brinkman 116 Reputation points

I have been able to log in to the identity provider and get the access_token. My problem is with mapping the OpenID Connect groups to roles. I am changing an MVC 4 website. The article post at ( ) gives sample code for AuthorizationCodeReceived. The problem is that the Authentication ticket value is null in the AuthorizationCodeReceived event. The article states that mapping the OpenID Connect groups to roles is required to get authorization attributes to work. My website is not using Azure Active Directory. Do you have any advice?

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
A Microsoft web application framework that implements the model-view-controller (MVC) design pattern.

Accepted answer
  1. Ed Brinkman 116 Reputation points

    I found a post that fixed the problem. The authentication works now. I wanted to post it for any future reference.

12 additional answers

  1. Yijing Sun-MSFT 7,031 Reputation points

    Hi @Ed Brinkman ,

    I think you do not need to use Azure Active Directory with OpenID Connect if you have another third party such as Facebook or Google.
    You need to configure it like AAD and send the notification, and then you need to wait for a result to be returned.
    You could refer to the articles below:
    Tutorial: Add sign-in to Microsoft to an ASP.NET web app


    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Yijing Sun


  2. Ed Brinkman 116 Reputation points

    I can sign in and get an access token. The authorization code received event does fire. The n.AuthenticationTicket is null.

    The identity provider is set up to use the scope "openid profile ismemberof".

    Other posts talk about using a hybrid flow with scope values of "code id_token" for access tokens.

    I have not found an explanation.

  3. Ed Brinkman 116 Reputation points

    My company is using the authorization code flow with PKCE. I am still learning the technology. I have been grabbing pieces of code. My current problem does not give me any diagnostic information. I have been working off the code at

    Another article at talks about using allowed grant types of Authorization Code, Implicit (Hybrid) - Allow ID Token. Both articles reference the authentication ticket property of the AuthorizationCodeReceivedNotification parameter. The authentication ticket property is null. So the code does not work. I do not know enough about the technology to know why.

    The SecurityTokenValidatedEvent is not firing either. I do not know why. An incoming id_token is to be parsed, validated, and used to populate context.AuthenticationTicket with a ClaimsIdentity whose claims come from the incoming token according to the text "Modern Authentication with Azure Active Directory for Web Applications".

  4. Ed Brinkman 116 Reputation points

    No, the returned URL is http://localhost/xxxx. SSL is not enabled for the website.
    PKCE has been turned off temporarily.
    I have run code but the authorize attribute is not working. The variable filterContext.HttpContext.User.Identity.IsAuthenticated returns false. The Identity name is null. The identity is a generic identity.
    I did find that the variable User.Claims is populated correctly. User.IsAuthenticated returns true. However, User.Identity.Name is null.
    The problem is that the authorize attribute is not working. My code does not match the articles I have been working from. Below is the code I cannot get to work because the variable n.AuthenticationTicket is null.

    // Scott Brady code
    var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
    id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
    id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

    n.AuthenticationTicket = new AuthenticationTicket(
        new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType),
        n.AuthenticationTicket.Properties);

    // OKTA site code
    foreach (var group in userInfoResponse.Claims.Where(x => x.Type == "groups"))
    {
        n.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, group.Value));
    }
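
Added example, not part of the thread and not code from the linked articles: with a pure authorization code response there is no id_token on the callback, so the Katana middleware has no ticket to hand to AuthorizationCodeReceived; the sketch below lets the middleware redeem the code and maps groups to roles in SecurityTokenValidated, where the ticket exists. It assumes Microsoft.Owin.Security.OpenIdConnect 4.1 or later (for RedeemCode), that the id_token carries the "groups" claim type used in the thread's snippet, and placeholder values for Authority, ClientId, ClientSecret and RedirectUri.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example.test",      // placeholder (assumption)
            ClientId = "CLIENT_ID_PLACEHOLDER",          // placeholder (assumption)
            ClientSecret = "CLIENT_SECRET_PLACEHOLDER",  // placeholder; load from protected config
            RedirectUri = "https://app.example.test/",   // placeholder (assumption)
            ResponseType = "code",                       // authorization code flow
            Scope = "openid profile ismemberof",         // scope quoted in the thread
            RedeemCode = true,                           // middleware exchanges the code for tokens
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs after the id_token from the token endpoint has been validated,
                // so the ticket and its identity are populated at this point.
                SecurityTokenValidated = n =>
                {
                    var ticket = n.AuthenticationTicket;
                    if (ticket == null || ticket.Identity == null)
                    {
                        return Task.FromResult(0);       // nothing to map; leave the user without roles
                    }
                    var identity = ticket.Identity;
                    // "groups" is the claim type from the thread's snippet (assumed to be in the id_token).
                    foreach (var g in identity.FindAll("groups").ToList())
                    {
                        identity.AddClaim(new Claim(ClaimTypes.Role, g.Value));
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Role claims added this way use ClaimTypes.Role, the default role claim type, so `[Authorize(Roles = "...")]` checks them without further configuration.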