
.Net Core 2.1 OpenIdConnectProtocolException


I have a .Net Core 2.1 application that I am using to try to test my new Identity Server 4 deployment in AWS.

The two programs work perfectly on my local machine, where I can authenticate with IS4 and be redirected into my application with all my login information.

On my deployed server this is not the case and I am unsure why.

I do not see any errors on my IS4 server, it sees my client and authenticates the request.

However, on my local machine my project gets the error:

System.Exception: An error was encountered while handling the remote login. ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'error_description is null', error_uri: 'error_uri is null'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

After I call this:

return Challenge(new AuthenticationProperties
{
    RedirectUri = "Home/Index"
}, "challenge");

The local program's startup is:

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookie";
    options.DefaultChallengeScheme = "challenge";
    //options.DefaultSignInScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
    //options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie("Cookie")
.AddOpenIdConnect("challenge", options =>
{
    options.Authority = "http://auth.is4server.com";
    //options.Authority = "http://localhost:5000";
    options.SignInScheme = "Cookie";
    options.RequireHttpsMetadata = false;
    options.ClientId = "mvc";
    options.ClientSecret = "secret";
    options.ResponseType = "code id_token";
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("offline_access");
    options.Scope.Add("profile");
    options.Scope.Add("accunet");
});

It looks like it redirects to the IS4 login page, then instantly tries to redirect back to my redirectUri which is localhost:5002/signin-oidc with the previous error. I have confirmed that all of my IS4 configuration is the same on my local machine and the AWS instance.

I am not sure why this is not working; is there any issue with trying to redirect to my local machine? The error and the network responses do not seem to give me a lot of details.

Before this started happening it would at least let me try to log into the IS4 login page before redirecting me back to my signin-oidc. Now it won't even get to the login page, it always redirects to signin-oidc with the error. I have cleared cookies and restarted the server and local project to no avail.

Any help would be appreciated.


Solution

  • The issue was related to my Load Balancer in AWS. Since the IS4 server was behind this load balancer, all internal traffic between the two AWS Fargate containers communicates over HTTP. Due to this you need to have your Authority as HTTP.

    However, I also have a policy on my AWS cluster to redirect all traffic to HTTPS. Because of this conflict, whenever I call options.Authority = "http://auth.is4server.com"; it tries to redirect to "https://auth.is4server.com", which internal Fargate does not allow.

    The solution was adding options.Origin = "https://auth.is4server.com"; therefore the discovery document had the secure endpoints and did not try to redirect.
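A quick way to confirm the condition this answer describes before pointing a relying party at a deployment is to fetch the provider's discovery document and check that every endpoint it advertises is https and lives on the issuer's host. This is an added example in Python, not code from the question or from IdentityServer4; its documents are constructed to mirror the scenario above (a provider that infers an http origin from the internal load-balancer hop), and the endpoint paths are assumed from IdentityServer4's defaults.

```python
"""Check an OpenID Connect discovery document for the scheme/host mismatch
described in the answer. Added example; the documents below are constructed."""
import json
from urllib.parse import urlsplit

# Endpoints the ASP.NET Core OIDC handler uses during a code flow. A plain-http
# URL here, behind an https-redirecting load balancer, gets the token POST
# answered with a redirect instead of a token, which surfaces at the relying
# party as the OpenIdConnectProtocolException shown in the question.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri", "end_session_endpoint")


def check_discovery(doc: dict, authority: str) -> list:
    """Return human-readable findings; an empty list means the document is usable."""
    findings = []
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https":
        findings.append("issuer: not https")
    # Only the host is compared with the relying party's Authority, because the
    # internal hop to the provider may legitimately use a different scheme.
    if issuer.netloc != urlsplit(authority).netloc:
        findings.append(f"issuer: host {issuer.netloc!r} does not match authority {authority!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue  # optional endpoint not published by this provider
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key}: {parts.scheme} URL will be redirected or sent in clear")
        if parts.netloc != issuer.netloc:
            findings.append(f"{key}: host {parts.netloc!r} differs from issuer host")
    return findings


# Constructed document for a provider that inferred its origin from the
# internal http request (the broken state in the question).
BROKEN_DOC = json.loads("""{
  "issuer": "http://auth.is4server.com",
  "authorization_endpoint": "http://auth.is4server.com/connect/authorize",
  "token_endpoint": "http://auth.is4server.com/connect/token",
  "userinfo_endpoint": "http://auth.is4server.com/connect/userinfo",
  "jwks_uri": "http://auth.is4server.com/.well-known/openid-configuration/jwks"
}""")

# The same provider after its public origin is pinned to https.
FIXED_DOC = {k: v.replace("http://", "https://") for k, v in BROKEN_DOC.items()}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_DOC), ("fixed", FIXED_DOC)):
        print(name, check_discovery(doc, "https://auth.is4server.com") or "OK")
```

In a real deployment, replace BROKEN_DOC with the JSON from `<authority>/.well-known/openid-configuration` and keep `RequireHttpsMetadata` enabled on the relying party once the document is clean.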