Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft.Owin.Security.OpenIdConnect not compatible with the latest Microsoft.IdentityModel.XX packages. #544

Open
sankj opened this issue Oct 7, 2024 · 10 comments

Comments

@sankj
Copy link

sankj commented Oct 7, 2024

Hello,

We host a MVC .NET web application that takes a dependency on:
https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect/#versions-body-tab to implement OAuth2.0.

What we have found so far is that Microsoft.Owin.Security.OpenIdConnect 4.2.2 takes a dependency on Microsoft.IdentityModel.xxx - 6.11.1.0. However, we had to upgrade the identity model packages to Microsoft.IdentityModel.xxx to 7.6.0. What we have found is Microsoft.Owin.Security.OpenIdConnect 4.2.2 does not work with Microsoft.IdentityModel.xxx to 7.6.0.

We have not seen any update to the above package as well since 2022.

Symptoms:
The project builds successfully. However, our application throws an "Unable to decode payload" error when OAuth is being made.
What we found out further was that:
Microsoft.IdentityModel.xxx - 6.11.1.0 takes dependency on Newtonsoft
Microsoft.IdentityModel.xxx to 7.6.0 takes dependency on System.Text.Json

Possibly that is the reason we are getting Unable to decode error ?

What are the recommended next steps to go forward here to help us unblock?

Thank you!

@danroth27
Copy link
Member

@adityamandaleeka

@eerhardt
Copy link

eerhardt commented Oct 8, 2024

@brentschmaltz @jennyf19 - Do you know if the latest Microsoft.IdentityModel packages are broken w.r.t. Microsoft.Owin.Security.OpenIdConnect?

@sankj - any possibililty of creating a repro of the issue?

@sankj
Copy link
Author

sankj commented Oct 9, 2024

@brentschmaltz , @jeffhandley, could you please let us know if this is true ? "latest Microsoft.IdentityModel packages are broken w.r.t. Microsoft.Owin.Security.OpenIdConnect?"

Thank you @eerhardt for asking around to see if this is a known issue. What kind of repro are you looking for with respect to this ? We have our app (its a url) in our test environment, where I can create the repro. What data would help you investigate this further?

@eerhardt
Copy link

eerhardt commented Oct 9, 2024

What kind of repro are you looking for with respect to this ? We have our app (its a url) in our test environment, where I can create the repro. What data would help you investigate this further?

Check out https://github.com/dotnet/runtime/blob/main/CONTRIBUTING.md#writing-a-good-bug-report.

Typically posting the code for an application that reproduces the problem (link to a github repo or a .zip file, etc).

@sankj
Copy link
Author

sankj commented Oct 18, 2024

@eerhardt, thanks!

I followed the template: (https://github.com/dotnet/runtime/issues/new?assignees=&labels=&template=01_bug_report.yml) that you provided and described our issue. This has the error / link to the code that produces the error, etc. Please let me know if you need further information.

Description
We host a MVC .NET web application that takes a dependency on:
https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect/#versions-body-tab to implement OAuth2.0.

What we have found so far is that Microsoft.Owin.Security.OpenIdConnect 4.2.2 takes a dependency on Microsoft.IdentityModel.xxx - 6.11.1.0. However, we had to upgrade the identity model packages to Microsoft.IdentityModel.xxx to 7.6.0. What we have found is Microsoft.Owin.Security.OpenIdConnect 4.2.2 does not work with Microsoft.IdentityModel.xxx to 7.6.0.

We have not seen any update to the package: (https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect) since 2022.

Symptoms:
The project builds successfully. However, our application throws an "Unable to decode payload" error when OAuth is being made.
What we found out further was that:
Microsoft.IdentityModel.xxx - 6.11.1.0 takes dependency on Newtonsoft
Microsoft.IdentityModel.xxx to 7.6.0 takes dependency on System.Text.Json

Possibly that is the reason we are getting Unable to decode error ?

What are the recommended next steps to go forward here to help us unblock?

Reproduction Steps
Code snippet:
Repo link: https://microsoft.visualstudio.com/EngSys/_git/nebula?path=/Core/Nebula%20WFE/CloudMan.Web/App_Start/Startup.Auth.cs&version=GBmain&line=56&lineEnd=71&lineStartColumn=1&lineEndColumn=20&lineStyle=plain&_a=contents

Code:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = async context =>
{
await Task.Yield();
context.HandleResponse();
context.Response.Redirect("Home/Error?message=" + context.Exception.Message);

}
}
});

Our MVC application uses the above code snippet to perform the OAuth2.0 authentication. Here, the authentication fails while doing the OAuth2.0.

Repro steps:

  1. Go to the Url: https://cloudmanbvt.corp.microsoft.com/
  2. This is what gets displayed during authentication.
    2.a
    Server Error in '/' Application.
    The resource cannot be found.
    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is
    temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
    Requested URL: /Home/Error
    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4762.0

2.b In the web Url address bar, we see this error:
https://cloudmanbvt.corp.microsoft.com/Home/Error?message=IDX12723:%20Unable%20to%20decode%20the%20payload%20%27eyJhdWQiOiJkZTZhYzY5My1lZWNkLTRkMWUtYjJiZi0xOGQxMDkxMzhjYWMiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcvIiwiaWF0IjoxNzI5MjgxMzMxLCJuYmYiOjE3MjkyODEzMzEsImV4cCI6MTcyOTI4NTIzMSwiYWlvIjoiQWFRQVcvOFlBQUFBeVo2Z3VHclVrWHBoQmpzZXFtSUVHTzFDVWtjdHFwYUVpS1ZLOXpKZFlRZk5ydWpTN05uRCtPRTRLSStCaUJDZlZaMnp0SUNKc2lKZ3FPMjY0N05GZHdyM1MrSTQ4dDRrdUhhMEhzMmo1UjJDRWFZcVBVUWw4YXZ1ekc3aWNOckxSclRlUmU0Ly9mTm5pV0NneEwyS2QvNnVjMGRtTEZsYThoTUFrVUFwVkdQRm5Oc0NPRWJrYWtlc1VSQ2hyVFdlVTZueFRGVlloYnBZNmRxZUQ2dDJ1QT09IiwiYW1yIjpbInJzYSIsIm1mYSJdLCJjX2hhc2giOiJuaWFoeVk1cFBJQXI0amlaODJCWGt3IiwiZmFtaWx5X25hbWUiOiJKb3NoaSIsImdpdmVuX25hbWUiOiJTYW5rZXQiLCJpcGFkZHIiOiIyMC4yMzYuMTAuMTYzIiwibmFtZSI6IlNhbmtldCBKb3NoaSIsIm5vbmNlIjoiNjM4NjQ4Nzg0Mjk3MjQxNjQ1Lk9XSTFOREEzTXpjdFltUXpNQzAwT0RrMUxUbGhZVFV0TXpFME16ZzRZbVV5WldZeE1XVmlPVEV5WlRFdFkyRXlaQzAwWWpjMExUZzFZell0WW1FNVpURmpabU15TWpoayIsIm9pZCI6IjQ0YmI4YTU5LTgyYmItNDAxZi1hYjVmLTJmMTkxOTcyNmFkOCIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0yMTI3NTIxMTg0LTE2MDQwMTI5MjAtMTg4NzkyNzUyNy01MDY3NzczIiwicmgiOiIxLkFSb0F2NGo1Y3ZHR3IwR1JxeTE4MEJIYlI1UEdhdDdON2g1TnNyOFkwUWtUakt3YUFHTWFBQS4iLCJzdWIiOiJ4N3VJRU1zREpkX0tNN1lWQTExMjhadVlkRGR3LWxTSG9jYUxINGE2RFFRIiwidGlkIjoiNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3IiwidW5pcXVlX25hbWUiOiJzYW5rZXRqQG1pY3Jvc29mdC5jb20iLCJ1cG4iOiJzYW5rZXRqQG1pY3Jvc29mdC5jb20iLCJ1dGkiOiJERm1hOFp3QlZVT3U2SHROcldFYUFBIiwidmVyIjoiMS4wIn0%27%20as%20Base64Url%20encoded%20string.

Expected behavior:
Expected behavior is that we get authenticated and are redirected to the following Url (https://cloudmanbvt.corp.microsoft.com/) and see the page display.
Image:
image

Actual behavior
As I mentioned earlier in the repro steps this is the error we see.

2.a
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is
temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Home/Error
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4762.0

2.b
In the web Url address bar, we see this error:
https://cloudmanbvt.corp.microsoft.com/Home/Error?message=IDX12723:%20Unable%20to%20decode%20the%20payload%20%27eyJhdWQiOiJkZTZhYzY5My1lZWNkLTRkMWUtYjJiZi0xOGQxMDkxMzhjYWMiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcvIiwiaWF0IjoxNzI5MjgxMzMxLCJuYmYiOjE3MjkyODEzMzEsImV4cCI6MTcyOTI4NTIzMSwiYWlvIjoiQWFRQVcvOFlBQUFBeVo2Z3VHclVrWHBoQmpzZXFtSUVHTzFDVWtjdHFwYUVpS1ZLOXpKZFlRZk5ydWpTN05uRCtPRTRLSStCaUJDZlZaMnp0SUNKc2lKZ3FPMjY0N05GZHdyM1MrSTQ4dDRrdUhhMEhzMmo1UjJDRWFZcVBVUWw4YXZ1ekc3aWNOckxSclRlUmU0Ly9mTm5pV0NneEwyS2QvNnVjMGRtTEZsYThoTUFrVUFwVkdQRm5Oc0NPRWJrYWtlc1VSQ2hyVFdlVTZueFRGVlloYnBZNmRxZUQ2dDJ1QT09IiwiYW1yIjpbInJzYSIsIm1mYSJdLCJjX2hhc2giOiJuaWFoeVk1cFBJQXI0amlaODJCWGt3IiwiZmFtaWx5X25hbWUiOiJKb3NoaSIsImdpdmVuX25hbWUiOiJTYW5rZXQiLCJpcGFkZHIiOiIyMC4yMzYuMTAuMTYzIiwibmFtZSI6IlNhbmtldCBKb3NoaSIsIm5vbmNlIjoiNjM4NjQ4Nzg0Mjk3MjQxNjQ1Lk9XSTFOREEzTXpjdFltUXpNQzAwT0RrMUxUbGhZVFV0TXpFME16ZzRZbVV5WldZeE1XVmlPVEV5WlRFdFkyRXlaQzAwWWpjMExUZzFZell0WW1FNVpURmpabU15TWpoayIsIm9pZCI6IjQ0YmI4YTU5LTgyYmItNDAxZi1hYjVmLTJmMTkxOTcyNmFkOCIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0yMTI3NTIxMTg0LTE2MDQwMTI5MjAtMTg4NzkyNzUyNy01MDY3NzczIiwicmgiOiIxLkFSb0F2NGo1Y3ZHR3IwR1JxeTE4MEJIYlI1UEdhdDdON2g1TnNyOFkwUWtUakt3YUFHTWFBQS4iLCJzdWIiOiJ4N3VJRU1zREpkX0tNN1lWQTExMjhadVlkRGR3LWxTSG9jYUxINGE2RFFRIiwidGlkIjoiNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3IiwidW5pcXVlX25hbWUiOiJzYW5rZXRqQG1pY3Jvc29mdC5jb20iLCJ1cG4iOiJzYW5rZXRqQG1pY3Jvc29mdC5jb20iLCJ1dGkiOiJERm1hOFp3QlZVT3U2SHROcldFYUFBIiwidmVyIjoiMS4wIn0%27%20as%20Base64Url%20encoded%20string.

Regression?
Yes, this is working when the Microsoft.Owin.Security.OpenIdConnect 4.2.2 dll is referencing Microsoft.IdentityModel.xxx - 6.11.1.0. However, once we upgraded Microsoft.IdentityModel.xxx - 6.11.1.0 to Microsoft.IdentityModel.xxx to 7.6.0, we started getting the above error.

Known Workarounds
None

Configuration
Which version of .NET is the code running on?
.NET Framework 4.7.2

What OS and version, and what distro if applicable?
this is running on a VM with OS22

What is the architecture (x64, x86, ARM, ARM64)?
X64

Other information
Symptoms:
The project builds successfully. However, our application throws an "Unable to decode payload" error when OAuth is being made.
What we found out further was that:
Microsoft.IdentityModel.xxx - 6.11.1.0 takes dependency on Newtonsoft
Microsoft.IdentityModel.xxx to 7.6.0 takes dependency on System.Text.Json

Would that be a reason why Microsoft.Owin.Security.OpenIdConnect not compatible with the latest Microsoft.IdentityModel.XX packages ?

@sankj
Copy link
Author

sankj commented Oct 21, 2024

@eerhardt , @brentschmaltz , @jeffhandley, please take a look at the bug report above and let us know if you need any further information. We are blocked on deploying one of our projects and wanted to understand what the next steps / resolution would be here.

@halter73
Copy link
Member

halter73 commented Oct 23, 2024

The first thing that comes to mind is that the Microsoft.IdentityModel NuGet packages are unaligned. Sadly, this is a common problem that can easily happen when the versions of transitive dependencies are left unspecified. AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2513

Looking at the packages in the linked repo (which should really be public accessible given it's a public GitHub issue, but I digress), I see the following PackageReferences (excluding one internal one I'll assume is irrelevant):

  <ItemGroup>
    <PackageReference Include="jQuery" Version="3.6.0" />
    <PackageReference Include="Microsoft.AspNet.Mvc" Version="5.2.9" />
    <PackageReference Include="Microsoft.AspNet.WebPages" Version="3.2.9" />
    <PackageReference Include="Microsoft.Owin" Version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Host.SystemWeb" Version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Hosting" Version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Security" Version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Security.Cookies" Version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Security.WsFederation" Version="4.2.2" />
    <PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
    <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonPackageVersion)" />
    <PackageReference Include="Owin" Version="1.0.0" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="7.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Logging" Version="7.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.0.2" />
    <PackageReference Include="System.Buffers" Version="4.5.1">
      <IncludeAssets>runtime</IncludeAssets>
    </PackageReference>
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.0.2" />
    <PackageReference Include="System.Management.Automation.dll" Version="10.0.10586" />
    <PackageReference Include="System.Numerics.Vectors" Version="4.5.0">
      <IncludeAssets>runtime</IncludeAssets>
    </PackageReference>
    <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0">
      <IncludeAssets>runtime</IncludeAssets>
    </PackageReference>
  </ItemGroup>

This leaves the following transitive package list:

   Top-level Package                                      Requested    Resolved
   > jQuery                                               3.6.0        3.6.0
   > Microsoft.AspNet.Mvc                                 5.2.9        5.2.9
   > Microsoft.AspNet.WebPages                            3.2.9        3.2.9
   > Microsoft.IdentityModel.Logging                      7.0.2        7.0.2
   > Microsoft.IdentityModel.Protocols                    7.0.2        7.0.2
   > Microsoft.IdentityModel.Protocols.OpenIdConnect      7.0.2        7.0.2
   > Microsoft.IdentityModel.Tokens                       7.0.2        7.0.2
   > Microsoft.Owin                                       4.2.2        4.2.2
   > Microsoft.Owin.Host.SystemWeb                        4.2.2        4.2.2
   > Microsoft.Owin.Hosting                               4.2.2        4.2.2
   > Microsoft.Owin.Security                              4.2.2        4.2.2
   > Microsoft.Owin.Security.Cookies                      4.2.2        4.2.2
   > Microsoft.Owin.Security.OpenIdConnect                4.2.2        4.2.2
   > Microsoft.Owin.Security.WsFederation                 4.2.2        4.2.2
   > Newtonsoft.Json                                                   3.5.8
   > Owin                                                 1.0.0        1.0.0
   > System.Buffers                                       4.5.1        4.5.1
   > System.IdentityModel.Tokens.Jwt                      7.0.2        7.0.2
   > System.Management.Automation.dll                     10.0.10586   10.0.10586
   > System.Numerics.Vectors                              4.5.0        4.5.0
   > System.Runtime.CompilerServices.Unsafe               6.0.0        6.0.0

   Transitive Package                                    Resolved
   > Microsoft.AspNet.Razor                              3.2.9
   > Microsoft.IdentityModel.Abstractions                7.0.2
   > Microsoft.IdentityModel.JsonWebTokens               7.0.2
   > Microsoft.IdentityModel.Protocols.WsFederation      5.3.0
   > Microsoft.IdentityModel.Tokens.Saml                 5.3.0
   ...

In a perfect world, there would be no breaking changes, and this would be unnecessary, but in practice you have to be vigilant to keep all your dependencies up to date. The short term fix is to directly reference newer versions of the transitive packages:

diff --git a/1.txt b/2.txt
index 677b231..dab7435 100644
--- a/1.txt
+++ b/2.txt
@@ -11,10 +11,15 @@
     <PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
     <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonPackageVersion)" />
     <PackageReference Include="Owin" Version="1.0.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Abstractions" Version="7.0.2" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.0.2" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="7.0.2" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.0.2" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.WsFederation" Version="7.0.2" />
     <PackageReference Include="Microsoft.IdentityModel.Logging" Version="7.0.2" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.0.2" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens.Saml" Version="7.0.2" />
+    <PackageReference Include="Microsoft.IdentityModel.Xml" Version="7.0.2" />
     <PackageReference Include="System.Buffers" Version="4.5.1">
       <IncludeAssets>runtime</IncludeAssets>
     </PackageReference>

Long term, it would probably be best to use Nuget's Central Package Management (CPM) feature.

@sankj
Copy link
Author

sankj commented Oct 28, 2024

Thank you @halter73 for your recommendation. I did see that previously, the transitive packages related to Microsoft.Identity.Model.X.X were misaligned. Some of them were pointing to 5.3.3.0 while others at 7.2.0.0. With your recommendation, when we deployed, we can verify that all the transitive packages are aligned with the top level packages. 7.2.0. However, still I am getting the same unable to decode error message.
image.png

@sankj
Copy link
Author

sankj commented Oct 29, 2024

I was talking to @halter73 offline and with his recommendation I was able to inject the Owin logger in our app.
Got some more information when the authentication fails. This is the error that gets returned.
The state field is missing or invalid.
ProcessId=10172

We are able to verify this with the fact that the returned payload that we get does NOT have the state field.

Looking at: OpenIdConnectAuthenticationOptions,
I see that : RequireStateValidation is passed in as false.

However, looking at: Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs
I see that : RequireState is defaulted to true.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/90dfd314cf39f40aae8f23a51155762d91c3416c/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidator.cs#L72

I am wondering if this mismatch is what is causing the decoding to fail. I am trying to override both of these values for RequestState and RequiredStateValidation as false and see if there is any new outcome.

Stack trace from logs:
Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware Error: 0 : Exception occurred while processing message:
System.ArgumentException: IDX12723: Unable to decode the payload 'eyJhdWQiOiJkZTZhYzY5My1lZWNkLTRkMWUtYjJiZi0xOGQxMDkxMzhjYWMiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcvIiwiaWF0IjoxNzMwMjI1NTYyLCJuYmYiOjE3MzAyMjU1NjIsImV4cCI6MTczMDIyOTQ2MiwiYWlvIjoiQWFRQVcvOFlBQUFBRmlOOU5Pd2NRbi81dno3NGZ1Ty8zVjRKRU1tQXlnZ1d2eW1kaWI0ZXBsRkFjYnl3cHkvVG1GVTdVbkhoZ285Y3RHMFJuYktuRElsblRBVDNFZS9pck5qclVxc3VraG5ScjRSVnRvVmdLU3BUQ05WYS9sbElzZHptYmVoci9pWStFdkh6dTdnUzR4b3plMnQ5NHhMbWZzaHhmZ1lzWnBkL2h0MkdCeWQybjh2cnNMUFdiOVd1cXlIMFRWcms3N3hqL2M5KzRJSXZLODNKTnZHWHRvWFhjUT09IiwiYW1yIjpbInJzYSIsIm1mYSJdLCJjX2hhc2giOiJKUzcyWDNQM1VIME1Lc2VCbmdGdklnIiwiZmFtaWx5X25hbWUiOiJKb3NoaSIsImdpdmVuX25hbWUiOiJTYW5rZXQiLCJpcGFkZHIiOiIyMC4yMzYuMTAuMjA2IiwibmFtZSI6IlNhbmtldCBKb3NoaSIsIm5vbmNlIjoiNjM4NjU4MjI2NjEwNjA5MTgwLk1tRTVOREl5TkRJdE56TTRNeTAwTXpRMExXRXlPVFl0TW1RNU1ETTNZekk0WkRobVlqUTRNRE01TnpNdE1USTVZaTAwWmpFeUxUZzVPV0l0WkRJMk5qVTBOREZqWXpBMCIsIm9pZCI6IjQ0YmI4YTU5LTgyYmItNDAxZi1hYjVmLTJmMTkxOTcyNmFkOCIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0yMTI3NTIxMTg0LTE2MDQwMTI5MjAtMTg4NzkyNzUyNy01MDY3NzczIiwicmgiOiIxLkFSb0F2NGo1Y3ZHR3IwR1JxeTE4MEJIYlI1UEdhdDdON2g1TnNyOFkwUWtUakt3YUFHTWFBQS4iLCJzdWIiOiJ4N3VJRU1zREpkX0tNN1lWQTExMjhadVlkRGR3LWxTSG9jYUxINGE2RFFRIiwidGlkIjoiNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3IiwidW5pcXVlX25hbWUiOiJzYW5rZXRqQG1pY3Jvc29mdC5jb20iLCJ1cG4iOiJzYW5rZXRqQG1pY3Jvc29mdC5jb20iLCJ1dGkiOiJrZWthcFZmVW5FdTZBREphaEtVdUFBIiwidmVyIjoiMS4wIn0' as Base64Url encoded string. ---> System.IO.FileNotFoundException: Could not load file or assembly 'System.Buffers, Version=4.0.3.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system cannot find the file specified.
at Microsoft.IdentityModel.Tokens.Base64UrlEncoding.Decode[T](String input, Int32 offset, Int32 length, Func`3 action)
at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.DecodeJws(String payload)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.DecodeJws(String payload)
at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ReadJwtToken(String token)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.ValidateToken(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters, JwtSecurityToken& jwt)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__11.MoveNext()
ProcessId=10172
DateTime=2024-10-29T18:17:43.9447151Z
Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware Warning: 0 : The state field is missing or invalid.
ProcessId=10172
DateTime=2024-10-29T18:17:44.0228434Z

@nbevans
Copy link

nbevans commented Nov 26, 2024

We just had this also. We had only updated the direct transitives, not the indirect. So whilst we had updated the Microsoft.IdentityModel.JsonWebTokens to the 8.2.1 - there was a bunch of other Microsoft.IdentityModel.* packages like Microsoft.IdentityModel.Protocols.OpenIdConnect which were still on an old 5.x.x release. And this meant that OIDC sign-in had broken at runtime. The build itself was totally fine.

For us, the fix was to update ALL transitives in the Microsoft.IdentityModel.* namespace to a matching 8.2.1 version. I would encourage you to audit all your transitives in this regard.

Our project file ended up looking more like this:

		<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.1" />
		<PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.2.1" />
		<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.2.1" />
		<PackageReference Include="Microsoft.IdentityModel.Protocols.WsFederation" Version="8.2.1" />
		<PackageReference Include="Microsoft.IdentityModel.Tokens.Saml" Version="8.2.1" />
		<PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
		<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.2.1" />
		<PackageReference Include="System.Security.Cryptography.Xml" Version="9.0.0" />
...
...

		<PackageReference Include="Microsoft.Owin" version="4.2.2" />
		<PackageReference Include="Microsoft.Owin.Security" version="4.2.2" />
		<PackageReference Include="Microsoft.Owin.Security.ActiveDirectory" Version="4.2.2" />
		<PackageReference Include="Microsoft.Owin.Security.Cookies" Version="4.2.2" />
		<PackageReference Include="Microsoft.Owin.Security.OpenIdConnect" Version="4.2.2" />
		<PackageReference Include="Newtonsoft.Json" version="13.0.3" />
		<PackageReference Include="Owin" version="1.0" />
...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants