0 Votes
RubnRomero-4206 asked Marcin-1792 answered

Azure Active Directory authentication error OWIN

I have the following error:
IDX21323: RequireNonce is 'System.Boolean'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.


  1. My application was working fine in Azure Web Services.

  2. I use OWIN functions for the authentication.

  3. I configured a custom domain and upgraded my service from Free to Basic to have the slot and domain options.

  4. After configuring my domain, and with it working fine, I downgraded the service back to Free.

  5. And now, when I try to return the service to Basic to use the slots and configure the domain, I have the problem.

I'm not sure if the above is directly related to the problem, but I wanted to point it out.

Note: The application works fine if run from Visual Studio and authenticating to Azure Active Directory.

I appreciate any help to fix this error.


azure-ad-connect

1 Vote
MarileeTurscak-MSFT answered MarileeTurscak-MSFT commented

The error generally occurs when the request to the application does not contain the nonce cookie. To gather more insights you can follow the instructions to capture a Fiddler trace with decrypt HTTPS traffic enabled.

You can also try adding these lines of code:

 using System.Threading.Tasks;
 using Microsoft.Owin.Security.OpenIdConnect;

 app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
     {
         Notifications = new OpenIdConnectAuthenticationNotifications()
         {
             // AuthenticationFailed is a Func<AuthenticationFailedNotification<OpenIdConnectMessage,
             // OpenIdConnectAuthenticationOptions>, Task>, so the parameter type is inferred
             // and the lambda must return a Task.
             AuthenticationFailed = authFailed =>
             {
                 if (authFailed.Exception.Message.Contains("IDX21323"))
                 {
                     // The callback arrived without a matching nonce cookie: suppress the
                     // error page and restart the sign-in so a fresh nonce is issued.
                     authFailed.HandleResponse();
                     authFailed.OwinContext.Authentication.Challenge();
                 }

                 return Task.FromResult(true);
             }
         }
     });


References:

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null
MVC5 Azure AD IDX21323

I would also recommend checking out the blog post, RECEIVING ERROR IDX21323 OR DX10311 REQUIRENONCE, which suggests that this can sometimes happen if there are multiple domains pointing to the same website.



0 Votes
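For the multiple-domains case mentioned in the answer, here is an added example (not code from the answer or from the questioner's project) that builds the redirect_uri from the host the browser actually used, so the nonce cookie written with the challenge is sent back on the same host instead of being lost on a different one. The hypothetical `AllowedHosts` list, the `ConfigureAuth` method name, the ClientId/Authority placeholders and the root path `/` as the reply URL are all assumptions for this example.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Constructed for this example: every host name this site is served under.
    // Each "https://<host>/" must also be registered as a reply URL in the Azure AD app.
    private static readonly string[] AllowedHosts =
    {
        "contoso-example.azurewebsites.net",
        "www.contoso-example.com"
    };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id placeholder>",
            Authority = "https://login.microsoftonline.com/<tenant-id placeholder>",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs before the browser is sent to Azure AD. Using the incoming host for
                // redirect_uri keeps the nonce cookie and the callback on the same origin.
                RedirectToIdentityProvider = n =>
                {
                    string host = n.Request.Host.Value;
                    if (!AllowedHosts.Contains(host, StringComparer.OrdinalIgnoreCase))
                    {
                        // Host header is not one of ours: refuse rather than redirect to it.
                        n.Response.StatusCode = 400;
                        n.HandleResponse();
                        return Task.FromResult(0);
                    }
                    n.ProtocolMessage.RedirectUri = n.Request.Scheme + "://" + host + "/";
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The allow-list check matters because the redirect_uri would otherwise be derived from a client-supplied Host header; with it in place, the IDX21323 handler from the answer is only needed as a fallback.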
Marcin-1792 answered

@MarileeTurscak-MSFT thank you, your solution worked for me!
