
Blazor OpenIDDict Invalid Issuer


I have an intermittent issue that will occasionally stop users from signing into my site. When they log in they are met with the below error when they are redirected from the OpenIDDict server.

error:invalid_token
error_description:The issuer associated to the specified token is not valid.
error_uri:https://documentation.openiddict.com/errors/ID2088

I find that you can generally refresh the page and the error goes away, but I do not expect the average user to do so. I followed the Dantooine WebAssembly example from OpenIDDict. The odd thing about this issue is that it only happens in production when deployed to my Azure App Service.

Client Config:

#region OpedIdDict

// Server-side service registration for the Blazor WebAssembly host. The presence of
// the YARP reverse proxy and the hosted Worker below means this runs on the server,
// which is also where the client secret and the certificate must stay.
// NOTE(review): confirm none of these values are shipped to the browser project.

// EF Core store backing OpenIddict; UseOpenIddict() registers the OpenIddict entity sets.
builder.Services.AddDbContext<ApplicationDbContext>(options =>
{
    options.UseSqlite(...);
    options.UseOpenIddict();
});

// Antiforgery cookie: SameSite=Strict (never sent on cross-site requests) and HTTPS-only.
builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = ...;
    options.Cookie.Name = ...;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

// Local sign-in is cookie based; the OpenIddict client below only drives the remote
// authorization-code round trip and then hands the result to this scheme.
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.LoginPath = ...;
    options.LogoutPath = ...;
    // SlidingExpiration is off, so the session ends ExpireTimeSpan after sign-in
    // regardless of activity.
    options.ExpireTimeSpan = ...;
    options.SlidingExpiration = false;
    options.ClaimsIssuer = ...;
});

// Quartz is required by options.UseQuartz() in the OpenIddict core setup below.
// The in-memory store means scheduled jobs do not survive an app restart.
builder.Services.AddQuartz(options =>
{
    options.UseMicrosoftDependencyInjectionJobFactory();
    options.UseSimpleTypeLoader();
    options.UseInMemoryStore();
});

builder.Services.AddQuartzHostedService(options => options.WaitForJobsToComplete = true);

builder.Services.AddOpenIddict()

    .AddCore(options =>
    {
        options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>();
        options.UseQuartz();
    })

    .AddClient(options =>
    {
        options.AllowAuthorizationCodeFlow();

        // One certificate is registered for both signing and encryption.
        // NOTE(review): presumably this protects OpenIddict's client-side state tokens;
        // confirm the certificate is loaded from a store/Key Vault and not from a file
        // deployed with the app.
        var certificate = ...;
        options.AddSigningCertificate(certificate);
        options.AddEncryptionCertificate(certificate);

        // Passthrough lets the app's own endpoints handle the redirection callbacks.
        options.UseAspNetCore()
                .EnableStatusCodePagesIntegration()
                .EnableRedirectionEndpointPassthrough()
                .EnablePostLogoutRedirectionEndpointPassthrough();

        options.UseSystemNetHttp()
                .SetProductInformation(typeof(Program).Assembly);

        
        options.AddRegistration(new OpenIddictClientRegistration
        {
            // Issuer must match the `iss` the authorization server places in its tokens
            // exactly (scheme and host, including www vs. naked domain). A mismatch is
            // reported by OpenIddict as ID2088 "The issuer associated to the specified
            // token is not valid" rather than as a configuration error at startup.
            Issuer = ...,
            ClientId = ...,
            ClientSecret = ...,
            Scopes = { Scopes.Profile, Scopes.Email, Scopes.Phone },
            // Both URIs must be registered verbatim on the authorization server and
            // must use the same host the user actually arrives on.
            RedirectUri = new Uri(...),
            PostLogoutRedirectUri = new Uri(...)
        });
    });

// Policy that only accepts the cookie scheme; `builder` here is the policy builder,
// shadowing the WebApplicationBuilder of the enclosing scope.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CookieAuthenticationPolicy", builder =>
    {
        builder.AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme);
        builder.RequireAuthenticatedUser();
    });
});

// YARP forwards the user's backchannel access token (stored in the auth cookie's
// properties) as a Bearer header on every proxied request.
// NOTE(review): GetTokenAsync returns null when the request is not signed in or no
// token was stored, which produces a bare "Bearer" header; consider only setting the
// header when the token is non-empty. Also confirm that every route under
// "ReverseProxy" in configuration is meant to receive this token.
builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
    .AddTransforms(builder => builder.AddRequestTransform(async context =>
    {
        var token = await context.HttpContext.GetTokenAsync(
            scheme: CookieAuthenticationDefaults.AuthenticationScheme,
            tokenName: Tokens.BackchannelAccessToken);

        context.ProxyRequest.Headers.Authorization = new AuthenticationHeaderValue(Schemes.Bearer, token);
    }));

// Background worker (defined elsewhere in the project); its purpose is not visible here.
builder.Services.AddHostedService<Worker>();

#endregion

Solution

  • Turns out to be an issue with navigating from a naked domain. My redirects were configured as www. but the site was served as non-www. Once I forced the site to be www. the issue resolved itself.