Is there any case in which a user can get an expired nonce exception (OpenIdConnectProtocolInvalidNonceException) and still be authenticated?
I have found an old implementation in my company's source code where a previous developer implemented the following in the AuthenticationFailed notification:
Notifications = new OpenIdConnectAuthenticationNotifications
{
    // Invoked by the OWIN OpenID Connect middleware when validating the
    // sign-in response fails (e.g. the nonce cookie is missing or expired).
    AuthenticationFailed = n =>
    {
        if (n.Exception is OpenIdConnectProtocolInvalidNonceException)
        {
            // This is the confusing line
            if (n.OwinContext.Authentication.User.Identity.IsAuthenticated)
            {
                // Let the already-established identity stand and continue the pipeline.
                n.SkipToNextMiddleware();
                return Task.FromResult(0);
            }
        }

        // All other paths: return a completed task so the lambda compiles as Func<..., Task>;
        // without HandleResponse/SkipToNextMiddleware the middleware rethrows the exception.
        return Task.FromResult(0);
    }
}
As you can see, the if statement `if(n.OwinContext.Authentication.User.Identity.IsAuthenticated)` caused me some confusion, since we are actually in the AuthenticationFailed notification.
While debugging with the expired nonce exception, I always get `n.OwinContext.Authentication.User.Identity.IsAuthenticated = false`.
Is this if statement useless?
After spending some time on this topic, I have found that the case in which the user can already be authenticated but still get an OpenIdConnectProtocolInvalidNonceException is when the user clicks the back button in the browser after having successfully logged in. In this case, the user is authenticated but the nonce is missing.