Microsoft.Owin.Security.OpenIdConnect not compatible with the latest Microsoft.IdentityModel.XX packages. #544
Comments
@brentschmaltz @jennyf19 - Do you know if the latest Microsoft.IdentityModel packages are broken w.r.t. Microsoft.Owin.Security.OpenIdConnect? @sankj - any possibility of creating a repro of the issue? |
@brentschmaltz, @jeffhandley, could you please let us know if this is true? "latest Microsoft.IdentityModel packages are broken w.r.t. Microsoft.Owin.Security.OpenIdConnect?" Thank you @eerhardt for asking around to see if this is a known issue. What kind of repro are you looking for with respect to this? We have our app (it's a URL) in our test environment, where I can create the repro. What data would help you investigate this further? |
Check out https://github.com/dotnet/runtime/blob/main/CONTRIBUTING.md#writing-a-good-bug-report. Typically posting the code for an application that reproduces the problem (link to a github repo or a .zip file, etc). |
@eerhardt, thanks! I followed the template (https://github.com/dotnet/runtime/issues/new?assignees=&labels=&template=01_bug_report.yml) that you provided and described our issue. This has the error / link to the code that produces the error, etc. Please let me know if you need further information.

Description
What we have found so far is that Microsoft.Owin.Security.OpenIdConnect 4.2.2 takes a dependency on Microsoft.IdentityModel.xxx - 6.11.1.0. However, we had to upgrade the identity model packages to Microsoft.IdentityModel.xxx to 7.6.0. What we have found is Microsoft.Owin.Security.OpenIdConnect 4.2.2 does not work with Microsoft.IdentityModel.xxx to 7.6.0. We have not seen any update to the package (https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect) since 2022.
Symptoms:
Possibly that is the reason we are getting "Unable to decode" error? What are the recommended next steps to go forward here to help us unblock?
Reproduction Steps
Code:
Our MVC application uses the above code snippet to perform the OAuth2.0 authentication. Here, the authentication fails while doing the OAuth2.0.
Repro steps:
Expected behavior:
Actual behavior
2.a Regression?
Known Workarounds
Configuration
What OS and version, and what distro if applicable?
What is the architecture (x64, x86, ARM, ARM64)?
Other information
Would that be a reason why Microsoft.Owin.Security.OpenIdConnect is not compatible with the latest Microsoft.IdentityModel.XX packages? |
@eerhardt , @brentschmaltz , @jeffhandley, please take a look at the bug report above and let us know if you need any further information. We are blocked on deploying one of our projects and wanted to understand what the next steps / resolution would be here. |
The first thing that comes to mind is that the Microsoft.IdentityModel NuGet packages are unaligned. Sadly, this is a common problem that can easily happen when the versions of transitive dependencies are left unspecified. AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2513 Looking at the packages in the linked repo (which should really be publicly accessible given it's a public GitHub issue, but I digress), I see the following PackageReferences (excluding one internal one I'll assume is irrelevant):

<ItemGroup>
<PackageReference Include="jQuery" Version="3.6.0" />
<PackageReference Include="Microsoft.AspNet.Mvc" Version="5.2.9" />
<PackageReference Include="Microsoft.AspNet.WebPages" Version="3.2.9" />
<PackageReference Include="Microsoft.Owin" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Host.SystemWeb" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Hosting" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security.Cookies" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security.WsFederation" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
<PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonPackageVersion)" />
<PackageReference Include="Owin" Version="1.0.0" />
<PackageReference Include="Microsoft.IdentityModel.Protocols" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Logging" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.0.2" />
<PackageReference Include="System.Buffers" Version="4.5.1">
<IncludeAssets>runtime</IncludeAssets>
</PackageReference>
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.0.2" />
<PackageReference Include="System.Management.Automation.dll" Version="10.0.10586" />
<PackageReference Include="System.Numerics.Vectors" Version="4.5.0">
<IncludeAssets>runtime</IncludeAssets>
</PackageReference>
<PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0">
<IncludeAssets>runtime</IncludeAssets>
</PackageReference>
</ItemGroup>

This leaves the following transitive package list:
In a perfect world, there would be no breaking changes, and this would be unnecessary, but in practice you have to be vigilant to keep all your dependencies up to date. The short term fix is to directly reference newer versions of the transitive packages:

diff --git a/1.txt b/2.txt
index 677b231..dab7435 100644
--- a/1.txt
+++ b/2.txt
@@ -11,10 +11,15 @@
<PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
<PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonPackageVersion)" />
<PackageReference Include="Owin" Version="1.0.0" />
+ <PackageReference Include="Microsoft.IdentityModel.Abstractions" Version="7.0.2" />
+ <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Protocols" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.0.2" />
+ <PackageReference Include="Microsoft.IdentityModel.Protocols.WsFederation" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Logging" Version="7.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.0.2" />
+ <PackageReference Include="Microsoft.IdentityModel.Tokens.Saml" Version="7.0.2" />
+ <PackageReference Include="Microsoft.IdentityModel.Xml" Version="7.0.2" />
<PackageReference Include="System.Buffers" Version="4.5.1">
<IncludeAssets>runtime</IncludeAssets>
</PackageReference>

Long term, it would probably be best to use Nuget's Central Package Management (CPM) feature. |
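Review bot: the five added references each pin the literal version 7.0.2, while the same hunk already parameterizes Newtonsoft.Json through `$(NewtonsoftJsonPackageVersion)`; consider one property such as `$(IdentityModelPackageVersion)` shared by every Microsoft.IdentityModel.* line (for example `<PackageReference Include="Microsoft.IdentityModel.Tokens.Saml" Version="$(IdentityModelPackageVersion)" />`), so the family cannot drift apart again on the next bump, which is the very misalignment this change corrects.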
Thank you @halter73 for your recommendation. I did see that previously, the transitive packages related to Microsoft.Identity.Model.X.X were misaligned. Some of them were pointing to 5.3.3.0 while others at 7.2.0.0. With your recommendation, when we deployed, we can verify that all the transitive packages are aligned with the top level packages, 7.2.0. However, I am still getting the same "unable to decode" error message. |
I was talking to @halter73 offline and with his recommendation I was able to inject the Owin logger in our app. We are able to verify this with the fact that the returned payload that we get does NOT have the state field. Looking at: OpenIdConnectAuthenticationOptions, AspNetKatana/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs Line 62 in 86fa511
However, looking at: Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs I am wondering if this mismatch is what is causing the decoding to fail. I am trying to override both of these values for RequestState and RequiredStateValidation as false and see if there is any new outcome. Stack trace from logs: |
We just had this also. We had only updated the direct transitives, not the indirect. So whilst we had updated the Microsoft.IdentityModel.JsonWebTokens to the 8.2.1 - there was a bunch of other Microsoft.IdentityModel.* packages like Microsoft.IdentityModel.Protocols.OpenIdConnect which were still on an old 5.x.x release. And this meant that OIDC sign-in had broken at runtime. The build itself was totally fine. For us, the fix was to update ALL transitives in the Microsoft.IdentityModel.* namespace to a matching 8.2.1 version. I would encourage you to audit all your transitives in this regard. Our project file ended up looking more like this:

<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.1" />
<PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.2.1" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.2.1" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.WsFederation" Version="8.2.1" />
<PackageReference Include="Microsoft.IdentityModel.Tokens.Saml" Version="8.2.1" />
<PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.2.1" />
<PackageReference Include="System.Security.Cryptography.Xml" Version="9.0.0" />
...
...
<PackageReference Include="Microsoft.Owin" version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security" version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security.ActiveDirectory" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security.Cookies" Version="4.2.2" />
<PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
<PackageReference Include="Newtonsoft.Json" version="13.0.3" />
<PackageReference Include="Owin" version="1.0" />
... |
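Both of the comments above come down to the same audit: every Microsoft.IdentityModel.* package (and System.IdentityModel.Tokens.Jwt, which ships from the same repo) must sit on one version, and a successful build tells you nothing because the mismatch only surfaces at sign-in. The script below is an added example, not code from this thread or from the Katana project; it parses a constructed .csproj modelled on the listings above, resolves `$(Property)` versions from PropertyGroup entries, and reports the family members that disagree.

```python
"""Audit a .csproj for misaligned Microsoft.IdentityModel.* package versions."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# The Microsoft.IdentityModel.* packages and System.IdentityModel.Tokens.Jwt
# ship together and must be pinned to a single version.
FAMILY_PREFIXES = ("Microsoft.IdentityModel.", "System.IdentityModel.Tokens.Jwt")

# Constructed sample based on the listings in this thread: one family member is
# deliberately left on 8.2.1, one takes its version from an MSBuild property,
# and one uses the lowercase 'version' attribute seen in the last comment.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <IdentityModelPackageVersion>7.0.2</IdentityModelPackageVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Owin" version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="$(IdentityModelPackageVersion)" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.1" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.0.2" />
  </ItemGroup>
</Project>"""


def _local(tag):
    # Old-style project files carry the MSBuild 2003 namespace; strip it.
    return tag.rsplit("}", 1)[-1]


def load_references(csproj_xml):
    """Return {package: version} with $(Property) versions resolved."""
    root = ET.fromstring(csproj_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "PropertyGroup":
            for child in el:
                props[_local(child.tag)] = (child.text or "").strip()
    refs = {}
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}  # MSBuild attribute names are case-insensitive
        version = attrs.get("version", "")
        # Resolve $(Name) from the PropertyGroup; unknown names are left as-is so they show up in the report.
        version = re.sub(r"\$\((\w+)\)", lambda m: props.get(m.group(1), m.group(0)), version)
        refs[attrs["include"]] = version
    return refs


def find_misaligned(refs):
    """Return {version: [packages]} for the IdentityModel family if more than one version is pinned, else {}."""
    by_version = defaultdict(list)
    for name, version in sorted(refs.items()):
        if name.startswith(FAMILY_PREFIXES):
            by_version[version].append(name)
    return dict(by_version) if len(by_version) > 1 else {}


if __name__ == "__main__":
    for version, names in find_misaligned(load_references(SAMPLE_CSPROJ)).items():
        print(version, ", ".join(names))
```

Run it against `dotnet list package --include-transitive` output or the real project file before deploying; an empty result means the family is aligned.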
Hello,
We host a MVC .NET web application that takes a dependency on:
https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect/#versions-body-tab to implement OAuth2.0.
What we have found so far is that Microsoft.Owin.Security.OpenIdConnect 4.2.2 takes a dependency on Microsoft.IdentityModel.xxx - 6.11.1.0. However, we had to upgrade the identity model packages to Microsoft.IdentityModel.xxx to 7.6.0. What we have found is Microsoft.Owin.Security.OpenIdConnect 4.2.2 does not work with Microsoft.IdentityModel.xxx to 7.6.0.
We have not seen any update to the above package as well since 2022.
Symptoms:
The project builds successfully. However, our application throws an "Unable to decode payload" error when OAuth is being made.
What we found out further was that:
Microsoft.IdentityModel.xxx - 6.11.1.0 takes dependency on Newtonsoft
Microsoft.IdentityModel.xxx to 7.6.0 takes dependency on System.Text.Json
Possibly that is the reason we are getting the "Unable to decode" error?
What are the recommended next steps to go forward here to help us unblock?
Thank you!