OWIN OpenIdConnect Middleware IDX10311 nonce cannot be validated


Problem description

I have an application using the OWIN middleware for OpenIdConnect. The startup.cs file uses the standard implementation of app.UseOpenIdConnectAuthentication. The cookie is set to the browser, but it errors with:

IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.

I've found that when running Fiddler, as I do for most debug projects, this behavior happens. The error is returned, but if I go back to the site everything is working and my user is authenticated. Has anyone seen this behavior when running Fiddler?

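With Fiddler:

  • The SecurityTokenValidated notification in OpenIdConnect is executed twice.
  • After the second pass, the IDX10311 error is thrown.
  • The browser contains the valid cookie; going back to the page, I can view the valid User.Identity data.

Running without Fiddler:

  • SecurityTokenValidated executes once in OpenIdConnect.
  • No error is thrown; it proceeds to load the controller action for the post-authentication redirect Uri.
  • The cookie is also valid and the User.Identity data is correct.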

Ideas? I can get around it without running Fiddler, but when debugging it would be nice to also run Fiddler to inspect traffic.

Recommended answer

I know it's been a while on this one. My specific issue was with the IDX10311 error in relation to authenticating with IdentityServer while Fiddler (traffic inspector proxy) was running. I added a custom OWIN middleware to catch and absorb the IDX13011 in the case where the hostname contained "localhost". Ignoring this exception allowed us to use the site with Fiddler as a workaround. I think it causes breaks in the authentication process though, where we have to press Enter in the browser address bar on the callbacks to get it going again, but this only affects development.

Here's the invoke method we used in the middleware to absorb the error. I should note though that we have seen this error in production occasionally as well. No explanation for a cause, but I have a feeling it is related to users on IE browsers.

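// Invoke method of a class deriving from OwinMiddleware.
// Needs: using System; using System.Threading.Tasks; using Microsoft.Owin;
// _errorHandling and lastMiddlewareTypeName are members of the poster's class (not shown).
public override async Task Invoke(IOwinContext context) {
    try {
        await Next.Invoke(context);
    } catch (Exception ex) {
        _errorHandling = new ErrorHandling();
        // URL-encode the exception text before placing it in the redirect query string.
        string msg = Uri.EscapeDataString(ex.Message);
        if (ex.Message.Contains("IDX10803")) {
            // do something here to alert your IT staff to a possible IdSvr outage
            context.Response.Redirect("/Error/IdSvrDown?message=" + msg);
        } else if (ex.Message.Contains("IDX10311") && context.Request.Host.Value.Contains("localhost")) {
            // absorb exception and allow middleware to continue
        } else {
            context.Response.Redirect("/Error/OwinMiddlewareError?exMsg=" + msg + "&owinContextName=" + lastMiddlewareTypeName);
        }
    }
}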
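
A stricter form of the localhost gate used in the catch block above, as an added example that is not part of the original answer; `DevOnlyNonceFilter`, `IsLoopbackHost` and `ShouldAbsorb` are hypothetical names. It replaces the substring test with an exact loopback-host check, because the Host header is supplied by the client and `Contains("localhost")` also matches names such as `localhost.example.com`.

```csharp
using System;

// Added example, not the answerer's code. Class and method names are hypothetical.
public static class DevOnlyNonceFilter
{
    // True only when the Host header names the loopback host itself
    // (optionally with a port), never a name that merely contains "localhost".
    public static bool IsLoopbackHost(string hostHeader)
    {
        if (string.IsNullOrWhiteSpace(hostHeader)) return false;
        string value = hostHeader.Trim();
        // Reject characters that cannot appear in host[:port], so the URI
        // parser below cannot be steered to a different authority.
        if (value.IndexOfAny(new[] { '/', '\\', '?', '#', '@', ' ' }) >= 0) return false;
        Uri uri;
        if (!Uri.TryCreate("http://" + value, UriKind.Absolute, out uri)) return false;
        return uri.IsLoopback; // true for localhost, 127.0.0.1 and [::1]
    }

    // Absorb only the nonce error, and only when the request host is loopback.
    public static bool ShouldAbsorb(Exception ex, string hostHeader)
    {
        return ex != null
            && ex.Message.Contains("IDX10311")
            && IsLoopbackHost(hostHeader);
    }

    public static void Main()
    {
        var nonceError = new Exception("IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null.");
        // Constructed Host header values, for illustration only.
        string[] hosts = { "localhost:44300", "127.0.0.1", "[::1]:5000",
                           "localhost.example.com", "notlocalhost.test" };
        foreach (string h in hosts)
            Console.WriteLine("{0,-24} absorb={1}", h, ShouldAbsorb(nonceError, h));
    }
}
```

In the middleware, the `else if` condition would become `DevOnlyNonceFilter.ShouldAbsorb(ex, context.Request.Host.Value)`.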
