Azure Active Directory OpenID throwing nonce exception in web browser but not in web browser control
I am using OWIN authentication with OpenID to authenticate to an Azure AD endpoint. My application typically runs within a win-forms web-browser control and I am not experiencing any issues. But, when authenticating using a modern web browser I am getting a "nonce" exception in my Middleware Next.Invoke(context) in the response redirect from Azure Active Directory.
I have attached a fiddler of the response headers with the control and with the web browser. They are different but I am hoping for some insight as to why.
What differences between a web-browser control and a web browser might be causing this issue? And is there a resolution/ workaround?
This is successful with a web-browser control using IE 11 but has failed with IE 11, Edge, Chrome, and Firefox.
Note: The JWT does contain the nonce token in both situations, it is not being read in middleware.
I am using:
Microsoft.Owin.Security.OpenIdConnect, Version=4.0.1.0
Microsoft.IdentityModel.Protocols.OpenIdConnect, Version=5.3.0.0
public class MyMiddleWare : OwinMiddleware
{
public override async Task Invoke(IOwinContext context)
{
try
{
await Next.Invoke(context);
...
Error
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException
HResult=0x80131500
Message=IDX21323: RequireNonce is '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Source=Microsoft.IdentityModel.Protocols.OpenIdConnect
StackTrace:
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<InvokeReplyPathAsync>d__16.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.<RunApp>d__7.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at ....<Invoke>d__5.MoveNext() in ...:line 29
Success
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: ffdb4ab7-a6b4-457e-b663-448727569900
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,228204.2529,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7jTNFH8tmqm9RCwduQg-S-Hg1JD5RJF6fmJ52lpVgyxkqYMpRP9IAURkUcO6yYTTJurmwF93DSyIr0GyvQmFO8ecuJra5gpBZcknhXnjHgMGZdW-IJg-maq9XPatsYpm_0vV7APXW89dnDq_rqOqXEIHYKBAUjAykyVlnq-2g0fN6UJhQbW0HcK78Fnu4ImfYqRWX7MmxILF3SXC9Ocmlphf22ThKPsZVJ2ZW7M7TaF7sBA94NokK75BWpOsYOeeBOX4VdJaJ3KQ2Qzx39cLNurZdlokZcv2QHhxif3FTBsFBlTRBeuHu2CZ5dRlG4n1DBRjCU4cgfXXkejKsQANLKGN3CFbZDPPlCfoZ3JVwrtWMCBUQRAnKI2k-CBgzY893M3dHHGdikMb6NfrlhIHxj7RUeVyeZNt655OYKz80SgEbsqOnXrEhs5uLipuotCCo0KlBD9c32N3wcEjtRcWccg5lhU9zj8j_BEmc0eDx-wWsayXyeFquHBUhtbi8nsaBzDyDwnr1m9JRfItjIy7CwmxmOkgdd0fs0I--Ge1qpFNq4dtcvN59iai9eBSPa6rU_iNFOwXcBvzickxhT5P9FQWEFtiXJqu2yCfiyr29nk_3lnERJmPKvH7w9mNhNOZhY1gftaYKRa41RVCaFvDZxJHYjHP5-Zt8kD9POHc6Q1DKF9auL2C6tH60UHPXyeaNb1WpVq_cni_RJ4b7IvsTni9fDhFWvBSgOdoIdfrXj6oO6KhkBX-IjIJ21NirfXGxLLYo_xU9d7vQsin9pfrWdipoXvwtPgANqysVw443-HwUvLhPTuXxGsDdv0HzrvtxzVidvY_ihN45KXR4LsYQDMRNvPlCGYVJDxc3OQfV1LEgACAAQAAQAgAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7RkRJgm8PalY-u9YYf_I67Wxc1rqqmcQjzhap-HvzYPcg57SXUcZdCfoXzfJrakxvqnrb2ZNo9C-ZHRotgvjLc2dW6cgdeWzR3HosW2wnq46QMLuM5_9PgkVqu618TY1YjbrGHJt-DrkqYBllosEsRgIn7vtJbIDUcbIX_lY1v3x_eZDvxDC54mXpu4ahOFb2PpcMWOhQc2FvpjlBYy7n6SAAIABAACAAAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+53636a21-7ae1-44a-91b6-42bcae6e95b8; path=/; secure; SameSite=None
Set-Cookie: ch=so8u3S2kSqpfBZhYUj-R6A5pGKKa5C_O1x0BvcrUeo; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAACQNQBRU3jT6bcBQLZNUj7enEyqLfYUuELonMRUstbWJj7fo8pTcQpro4Nep0rWS5DEHS7CAeNTSacaPYMXV8117FRdTSbvvMTasm4xDvW754ejP38JWtrZYkzEgOR8GyYsywDES4s7Fh9p1Fy_m5ImVzc9weUEiDlc1yhXxSkDbDmnlv9-SjJUJmiespfBsaXtzQSrEQaPEpBT5PbY5J_oAFgzbSA0gmlO9yOWOVGOR7IsIm8L4HvgJl25zOJWRBDSHYe8uTsCyfclx9oW_iZeQ3qtgczWXpg4OSIJqB3NiAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAACQN9QBRU3jT6bcBQLZNUj7MpWzBN_CNnDvk5B7KLIuFNmpFhsjxyNrRZ7uaQBysuOYD52BW1DC2Rp5zZbk3RPFsZu0QKJeaCDiXBBgy7YMVKIquSviPZZfMIw1HPfm0s6Sf0lMfdgA0muXF6YFxneaZCsDq53lm6qYIlzUNhv39buD6xuCgtFl6d1OC84T65eGPSPPPBTJGO4un5QCVByDM0wbwYtXXr68c08cbT2U_ucgQ4tffRT-OUxKKlvz6nR3NcwD-Irn2Kn3Ay6_IBf7IAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Ajcv9X5TAupIu9O6f-Jaazeh6BYDAQAAAJmjNtUOAAAAVCafUwEAACZpjbVDgAAAMDn2V0DAAAA46Y21Q4AAAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: esctx=AQABAAAAAACQNQBRU3jT6bcBQLZNUj7rM2IjQVNxnrEqNXHtt2eNwsyLtgxftnSP3A1fpoRokG5weF27jPP4N4DTNZQI9-zxNnJXVD6jVR_FASWy6wvo-jYy0ddLCsC6upC3Y6n_YZSdCFixngM6Mnv3h4wAsPDbf6pzuUl7b0U8OoVe0zThFTTuQgprrs3XjHm9zEzlfAgAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:29:09 GMT
Content-Length: 2650
Fail
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: d8d44ea8-f12b-4f77-a25e-c1802adc7300
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: AADSSO=; expires=Sun, 13-Oct-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACN9QBRU3jT6bcBQLZNUj7Ng4kTNHEzlSGq4cyWxjUgjdQKPLQpDmPkulhBzsOCuvbmS0f1XHOHjqpDjRbTlT6r7VIjA0Gmsd6jlC2vcXMeifp2g1l5iUmaRS7sRA7XYoM1lRB6BB8sR1iNU8lL5G8Pff1qnDDe0O6Y5DE3yl_V02Cl_g_fifjTWGqG32JCUoXwknLW7gJi2k6GwVEq50rLqOYcSWpC72Q4bvtV1MY7CINWCUtpfse-gGcFYHmA67eGB8a4xwzvZnVfXdBHDvGuuqtDeXp1cprMCHYX9w3PAH1Ll7wVjZj4sUm0YWzm7G0gl9ngSqObM_vigH_KiXPsVoezhlBN_Xx0pkUpgbcTg2jCZ65xmSMkG_pegf28Zbyhpde-nqLB3_apx4_CJKr4BnJfklyRWvfZay5rtPJ70fpvP0KefPCyyE-liJxa47S6omJGr3IYZsmqlXQCGnYxgV7R2JFhdatTqiMuoKaTZGi_biglipMOKq0CIwBAOhQTlnAvO3TQInL2pKu96qbGo8f4wC6qzKnkGyPRenl66HZtZ1AAtkopLm-3AazYwYe_0Ex661018bmRQ439uy1p8otKT3ZnLaF2tjbAS5oXqCixevywawSsL-PhF69GYUgACAAQABQAQAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRUjT6bcBQLZNUj7OegOzQKPWPto8WclZJmDLwYNjiEsn4OirFaDPw1GEKee53a1iFcD3LuFzjBN3PXqHmju5Wsfusj3mNowv15IWyv5qVIsSxHYlA1ESmxtT-fZsiTpW7anVdEl43kycsgEDFYjROEA_OzMt5ZdnFIH1rv5h0v4SQCrPBrofk4YRZ8PnxC-L_hvgA3jr5-YVA13aRcZdzXqAj3idML1MuwlBmXpALitYwCHaMosawMXp3mvbGSS8ly0SuW5509E9MY3Vlk1ySPPgId3z0dfK6q0hq9rdUsr7d7AZyGkmDoxGT-zjNqbBGKw9SqN0q77NYpAZZuyqnJHgxcYAilPCBi208PZ6QKuwKKGHey3J3XwtRVaJ_uBU0Ksx3uZHYWWk2plqP3Agv2EJlwqhCkoWmNMGsN84GoijysmiWizFOWaeQHcnEnBDzm9dON2eqrdTdWFUZNc7SIoLp4vhTGS7hHhSDVatAiIZX_46bVFkxGAXty6ZEOLnth2q8zQ4SbSBuccv1l2oFLKmqli2hnE5CHUuAcXazhhXSCasCFRZRrAkscqIi7mcZ2YRMiEaYZn6H092LPji0leYDNCCasKLQ-Xt1N-oJ1_aVETetoAE5_KmSoi9RV3v4rWtXOAAGvEUcfdFCAof0yRocLmjatN4HV2aa6NnDTs8hPdO61u_WsJkBjuDh8nM5B4JljqxwC4WeoQdL5G6Mq10qI6FYKqVsVwkJEyKWU01v7n_xqBFUwDoDogACAAQACwAQAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+d098c80-efb8-4b0f-9ef3-eb50f58728f9; path=/; secure; SameSite=None
Set-Cookie: ch=M9_iBKa5h4GB9fhFhfjvoUmR0yjMYMpfKah1_rdomE; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAAQN9QBRU3jT6bcBQLZNUj74Z7ZEQzlF4uGSSwnUP9-Ja0eqL75M-YOBzwUWC_4Lu7A6LaJn0TBLvvMwdpkJbFLAIIGzUo8eMCLp0vXHNvrALsBRbAa1gwh7KB-M9BN-gD6nJjpKUk3tHqvFtg7c0vK6eNo4qY7r1dwIg__VOiz6aD_AN1FvNYDh-wONdgBOfLnEllftJJEZnXSwpJ6YuNGFVDZ3d4vCjAhR5Ph7IueNj783JtQEdNXVBERuIk7h6mwRqPy3lzkMhuZvtaG2359Jk93zIGAUVNb56ibCASbsCAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAAACQN9QBRU3jT6bcBQLZNUj7g4TAdyzUlSo2ftZ1xNmrElg_4b6mDzvn_1n-8TExkhRaPr1e8skwnPVUggSoNHxL6SQsKWCa5j_E67GlrtdtB1qlEEKpPr-fgpGAjXSYt7lC6Qxms29L-q7kBEoD--ldp0MNTtuSbqyMqSWdzrfeMskcJx-D_GwYFVT46CGOtw4ScySBxVBWJ8JGuQJcAT6i1tuHzZO2TlOLliw_H7dOuYeiKGq2CbwTcMKFPydTuBSbTlfmRdIjQ3gBHmxTQ9qIAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Au_FFTZRMRlAl59trPoUI0iyECHoAgAAHynNtUOAAAAwOfZXQIAAACHpzbVDgAAAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:30:46 GMT
Content-Length: 2522
2 Answers
Asp.net OpenID Connect (OIDC) middleware uses the nonce cookie to prevent security replay attack. As the error said, the application throws the above exception when it does not see the nonce cookie in the authenticated request. Cookies are domain-based so once they are set for a particular domain all subsequent requests to that domain will contain these cookies as long as they are still valid.
So, make sure the web-browser control and web browser authentication domain are the same.
The solution here is to redirect the request back to the same domain used originally after authentication. To control where Azure AD sent the authenticated request back to the application, set the OpenIdConnectAuthentications.RedirectUri property in the ConfigureAuth method below.
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = "https://www.contonso.com"
});
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
}
answered on Stack Overflow Oct 15, 2019 by 
Joey Cai
Joey CaiIt appears that winform's web browser control is manipulating the SameSite cookie in requests.
I had incorrectly configured the server to implement SameSite=strict, which prevented any OpenID authentication in a modern browser. Because winform's web browser control does not include this cookie I was able to successfully log in.
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=strict" />
<conditions>
</conditions>
</rule>
answered on Stack Overflow Jun 12, 2020 by 
wfbcargo
wfbcargoUser contributions licensed under CC BY-SA 3.0