When Microsoft's OpenID Connect middleware is used with Chrome version 80 or above, the following exception can be seen:
IDX21323: RequireNonce is 'System.Boolean'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
This article describes how to troubleshoot this error.
- ASP .Net MVC application using Microsoft’s OpenID Connect Middleware
- Okta Classic Engine
The nonce cookie is how Microsoft's OpenID Connect middleware ties the ID token it receives back to the browser session that started the login, which is what defeats replay of a captured token. This exception is thrown when the middleware either cannot find the nonce cookie on the callback request or finds one that does not match the nonce claim in the token.
Before explaining why the nonce cookie could be missing, it helps to understand when the middleware sets it.
In the request trace this article was written around (the screenshot is not reproduced here), the browser sends a GET request to the application at https://example.com/Account/LogOn. Because the user is not authenticated, the application redirects the request to the OpenID provider configured in the middleware (in this case, Okta): the response is a 302 with the Location header set to https://login.example.com/oauth2/default/v1/authorize. On that same 302 response the middleware sets the OpenIdConnect.nonce cookie.
Upon successful authentication, the OpenID provider returns the authorization 'code' (which the middleware exchanges for tokens) to the application's callback, in this case https://example.com/Account/Logon. The callback is a POST that the user's browser submits from the provider's page (the form_post response mode), so from the browser's point of view it is a cross-site request. The browser attaches to it every unexpired cookie it holds for the application's domain that it is willing to send on a cross-site POST; the nonce cookie should therefore be present.
The middleware validates the nonce by comparing the value carried in this cookie with the nonce claim in the token. When the cookie is absent it has nothing to compare against, and it fails with IDX21323.
Nonce cookie missing?
One reason the nonce cookie goes missing in Chrome 80 and above is that Chrome now discards any cookie that carries SameSite=None without the Secure attribute. In Chrome 80 this behaviour is governed by the chrome://flags entry "Cookies without SameSite must be secure", and it is enforced when the flag is at Default as well as at Enabled; newer Chrome releases enforce it without a flag. The middleware sets the nonce cookie with SameSite=None because the callback is a cross-site POST, but it marks the cookie Secure only when the request it is handling arrived over https. If the application receives the request over http (for example because a proxy or load balancer terminated TLS in front of it), the cookie goes out as SameSite=None without Secure and Chrome drops it.
To see the flag, type chrome://flags in the address bar and search for it in the list of results.
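The following script is an added illustration, not part of the original article or of Microsoft's middleware. It models the rules described above so you can paste in the Set-Cookie headers your application returns on the 302 to the authorization endpoint and see whether Chrome 80+ will store each cookie and replay it on the cross-site POST callback. The cookie names and values are constructed after the OpenIdConnect.nonce prefix; the `seconds_since_set` parameter exists to model Chrome's two-minute "Lax+POST" allowance for cookies set without any SameSite attribute.

```python
"""Predict whether Chrome 80+ keeps a Set-Cookie and sends it on the
cross-site POST that carries the authorization code back to the app."""
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    stored: bool            # did the browser accept the Set-Cookie at all?
    sent_on_callback: bool  # will it ride along on the top-level cross-site POST?
    reason: str


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def chrome80_verdict(header: str, set_over_https: bool,
                     seconds_since_set: int = 0) -> CookieVerdict:
    """Apply Chrome 80+ cookie rules to one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if secure and not set_over_https:
        # Chrome refuses a Secure cookie set from an insecure (http) origin.
        return CookieVerdict(name, False, False, "Secure cookie set over http is discarded")
    if same_site == "none" and not secure:
        # The failure mode behind IDX21323: SameSite=None without Secure.
        return CookieVerdict(name, False, False, "SameSite=None without Secure is discarded (Chrome 80+)")
    if same_site == "none":
        return CookieVerdict(name, True, True, "SameSite=None; Secure: stored and sent cross-site")
    if same_site in ("lax", "strict"):
        return CookieVerdict(name, True, False, f"SameSite={same_site}: not sent on a cross-site POST")
    # No SameSite attribute: treated as Lax, but Chrome's "Lax+POST" allowance
    # still sends it on a top-level cross-site POST for 2 minutes after it was set.
    if seconds_since_set < 120:
        return CookieVerdict(name, True, True, "no SameSite: Lax by default, inside the 2-minute Lax+POST window")
    return CookieVerdict(name, True, False, "no SameSite: Lax by default, Lax+POST window has expired")


def missing_at_callback(headers, set_over_https, seconds_since_set=0):
    """Names of cookies from the 302 that will NOT arrive on the callback POST."""
    verdicts = (chrome80_verdict(h, set_over_https, seconds_since_set) for h in headers)
    return [v.name for v in verdicts if not v.sent_on_callback]


# Constructed Set-Cookie headers (names and values made up), modelled on the
# OpenIdConnect.nonce cookie that accompanies the 302 to the authorization endpoint.
NONCE_OVER_HTTP = "OpenIdConnect.nonce.abc123=v1; path=/; samesite=none; httponly"          # app saw http: no Secure
NONCE_OVER_HTTPS = "OpenIdConnect.nonce.abc123=v1; path=/; secure; samesite=none; httponly"  # app saw https
LEGACY_NO_SAMESITE = "OpenIdConnect.nonce.abc123=v1; path=/; httponly"                       # middleware that sets no SameSite

if __name__ == "__main__":
    for label, hdr, https in (("http", NONCE_OVER_HTTP, False), ("https", NONCE_OVER_HTTPS, True)):
        v = chrome80_verdict(hdr, https)
        print(f"{label:5} {v.name}: stored={v.stored} sent_on_callback={v.sent_on_callback} ({v.reason})")
    print("missing at callback over http:", missing_at_callback([NONCE_OVER_HTTP], False))
```

Run it against the real Set-Cookie lines from your browser's network tab; any name it reports in `missing_at_callback` is a cookie the middleware will not see when the code comes back.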
Make sure that all website traffic is over https. Sometimes the fix is a configuration change in the application so that it treats requests as secure and emits Secure cookies; depending on the .NET implementation, that can be one of the following. Note that the nonce cookie itself is marked Secure only once the request reaches the middleware over https, so these settings complement the https requirement rather than replace it.
- Add this to Configuration() in Startup.cs (OWIN; these are CookieAuthenticationOptions properties):
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies", // if it still fails, change it to "ApplicationCookie"
        CookieSameSite = SameSiteMode.None,
        CookieSecure = CookieSecureOption.Always
    });
- And add this to web.config:
    <system.web>
      <sessionState cookieSameSite="None" />
      <httpCookies requireSSL="true" />
    </system.web>
- Or, in ASP.NET Core, instead of a bare .AddCookie(), use:
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.IsEssential = true;
    });
Another possibility is that SSL is not enabled for the project in Visual Studio (IIS Express) or on the Windows VM hosting the application. Enabling SSL so that the site is actually served over https should resolve the problem.
If the application sits behind a proxy or a load balancer, also check the https configuration on that path. For example, with an AWS load balancer, either use port 443 rather than 80 between the load balancer and the application server, or, if TLS is terminated at the load balancer, make sure the application honours the X-Forwarded-Proto: https header it forwards so that the request is treated as secure and the cookie is marked Secure.
If an F5 load balancer is in the path, an iRule can rewrite the Set-Cookie header for the nonce cookie so that it carries SameSite=None and Secure.
