MuhammadKhalil-6943 asked JamesHamil-MSFT answered

How to solve Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'?

I have tried almost every solution so far to get rid of the following exception.


    Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
       at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
       at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
       at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__11.MoveNext()


But I am not able to get rid of the above exception.

If I try a second time, it works. But the very first time (at the very first attempt), it does not work at all.

I have the latest Microsoft.Owin.Security.OpenIdConnect package installed in a .NET application, mostly using the default implementation of the OWIN middleware hooked up to a normal IIS HTTP call.

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Passive,
            ClientId = lClientId.ToString(),
            Authority = String.Format(System.Globalization.CultureInfo.InvariantCulture,
                System.Configuration.ConfigurationManager.AppSettings["Authority"], lTenantId),
            RedirectUri = "https://1001apvdp1012.forest7.dom/AHPOneFrontend/ExtAz/",
            PostLogoutRedirectUri = string.Format(postLogoutRedirectUri, HttpContext.Current.Request.Url.DnsSafeHost),
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = true // This is a simplification
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                SecurityTokenValidated = OnSecurityTokenValidated,
                RedirectToIdentityProvider = OnRedirectToIdentityProvider
            }
        });


The rest of the values come from the configuration file.

I am attaching the Fiddler request flow to demonstrate the request.


(Three Fiddler screenshots of the request flow were attached here.)



Can anybody give me an idea how to get rid of this problem?
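One way to see what IDX21323 hides behind '[PII is hidden]', as an added example that is not code from the question or from the Katana project: an AuthenticationFailed handler that logs whether the id_token carried a nonce, how many nonce cookies the browser returned with the callback, and which hosts were involved. It assumes the Katana nonce cookie name starts with `OpenIdConnect.nonce.` and that System.IdentityModel.Tokens.Jwt is referenced; `NonceDiagnostics` and `OnAuthenticationFailed` are names chosen here, not taken from the question's own handler.

```csharp
using System;
using System.Diagnostics;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public static class NonceDiagnostics
{
    // Assumption: the Katana handler stores its nonce in a cookie whose name
    // starts with this prefix; adjust if your version names it differently.
    private const string NonceCookiePrefix = "OpenIdConnect.nonce.";

    // Wire up as Notifications.AuthenticationFailed in OpenIdConnectAuthenticationOptions.
    public static Task OnAuthenticationFailed(
        AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        if (!(n.Exception is OpenIdConnectProtocolInvalidNonceException))
            return Task.FromResult(0);   // only nonce validation failures are of interest here

        // Nonce claim the IdP echoed back inside the id_token (read only, not validated).
        string idToken = n.ProtocolMessage != null ? n.ProtocolMessage.IdToken : null;
        string tokenNonce = string.IsNullOrEmpty(idToken)
            ? null
            : new JwtSecurityToken(idToken).Payload.Nonce;

        // Nonce cookies the browser actually sent with the POST to RedirectUri.
        int nonceCookies = n.Request.Cookies
            .Count(c => c.Key.StartsWith(NonceCookiePrefix, StringComparison.Ordinal));

        // The nonce cookie was issued on the host the browser was on when it was
        // redirected to the IdP; the browser only returns it if the callback lands on
        // that same host. Log both hosts so they can be compared with the Fiddler trace.
        string callbackHost = n.Request.Host.Value;
        string redirectHost = new Uri(n.Options.RedirectUri).Host;

        Trace.TraceWarning(
            "IDX21323: id_token nonce present={0}; nonce cookies received={1}; " +
            "callback host={2}; RedirectUri host={3}",
            tokenNonce != null, nonceCookies, callbackHost, redirectHost);

        // Token nonce present but zero cookies received on the very first attempt
        // points at the cookie never reaching this host (domain / gateway mismatch),
        // not at a forged or replayed token. Keep RequireNonce = true.
        return Task.FromResult(0);
    }
}
```

If the log shows a nonce in the token but no nonce cookie, compare the logged callback host with the host shown in the Fiddler trace before the redirect to the identity provider; a difference there is the cookie being scoped to a host the callback never reaches.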

Tags: dotnet-csharp, azure-active-directory

1 Answer

JamesHamil-MSFT answered

Hi @MuhammadKhalil-6943, sorry for the delay in response! Have you tried looking at Application Gateway diagnostics? It might be able to track down your problem. I was able to find another thread related to this error here: https://social.msdn.microsoft.com/Forums/zh-CN/b5818590-a8d5-4b9b-9f3e-d3b5defef6c8/3719732622242122999231243242073259320851652922151831471app?forum=windowsazurezhchs

However, it is in Chinese. Relevant translation:

"The problem was that the time or automatic reference program service binding a custom domain name.

After the application network management is configured. The Host IP that modifies the custom domain name points to a public IP that is gateway."

Please try checking that your domain is configured correctly and points to the correct gateway. Please let me know if this helps.

Best,
James
