Custom state not set for OpenIdConnectProtocolValidator
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
We are currently in the process of hardening our OIDC implementation. As part of this, we want to add an antiforgery token to the state and validate it when getting the response from the IDP.
However, when using context.ProtocolMessage.State, enabling state validation on OpenIdConnectProtocolValidator causes an exception.
Expected Behavior
After enabling RequireState and RequireStateValidation, any state set in context.ProtocolMessage.State should be validated automatically.
Steps To Reproduce
When configuring OpenIdConnect, I am enabling both RequireState and RequireStateValidation:

```csharp
options.ProtocolValidator.RequireState = true;
options.ProtocolValidator.RequireStateValidation = true;
```

Then in OnRedirectToIdentityProvider, I am configuring a custom state:

```csharp
options.Events.OnRedirectToIdentityProvider = (RedirectContext context) =>
{
    context.ProtocolMessage.State = "AntiForgery token will go here";
    return Task.CompletedTask;
};
```
This will result in the following exception:
OpenIdConnectProtocolInvalidStateException: IDX21329: RequireState is 'System.Boolean' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.
After further investigation, I see that inside the OpenIdConnectProtocolValidator, OpenIdConnectProtocolValidationContext.State remains null.
When looking into where this is created, it seems that State is never set on this context: https://github.com/dotnet/aspnetcore/blob/9efaf0e84dead340be574a27c6924efb5ffaa39b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L684
Exceptions (if any)
OpenIdConnectProtocolInvalidStateException: IDX21329: RequireState is 'System.Boolean' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.
.NET Version
7.0.403
Anything else?
When looking into where this is created, it seems that State is never set on this context: https://github.com/dotnet/aspnetcore/blob/9efaf0e84dead340be574a27c6924efb5ffaa39b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L684
After some experimenting with this, it seems there are two issues:
- State validation on OpenIdConnectProtocolValidator does not work at all. Even if the original state is not altered, setting both RequireState and RequireStateValidation to true will never work due to the state not being set on the context.
HOWEVER: If the incorrect state is passed, it does result in exceptions. So at least some checks are done on it. Looking in OpenIdConnectHandler, I do see a ValidateCorrelationId method being called, but I am unsure if this actually validates the state itself: https://github.com/dotnet/aspnetcore/blob/c8ef35df22225230b5524ba824b97c5099c87475/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L612
- Setting context.ProtocolMessage.State in the OnRedirectToIdentityProvider handler does not change the state being sent to the IDP. It does, however, change the state in OpenIdConnectProtocolValidationContext.ProtocolMessage.State (but OpenIdConnectProtocolValidationContext.State remains null).
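One way to bind an application-chosen value to the login round trip using the handler's event hooks rather than RequireStateValidation, as an added example that is not part of this issue or of dotnet/aspnetcore. It assumes (not confirmed by the issue text) that the handler serialises AuthenticationProperties.Items into the protected state value it sends to the provider and hands the same Properties back to OnTokenValidated after its own correlation check; the item/session key names, the session-based storage and the provider URL are constructed for the example.

```csharp
// Added example; not code from the issue or from dotnet/aspnetcore.
// Assumption: the OpenID Connect handler round-trips AuthenticationProperties.Items
// through the protected "state" parameter and exposes them again in OnTokenValidated.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical key names chosen for this example.
const string NonceItemKey = "app.login-nonce";
const string NonceSessionKey = "app.login-nonce";

// Constant-time comparison of the value that came back in the properties bag
// with the copy kept server-side; any missing or differing value fails.
static bool ValidateStateNonce(string? expected, string? received)
{
    if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(received))
    {
        return false;
    }
    return CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(expected),
        Encoding.UTF8.GetBytes(received));
}

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession();

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Placeholder provider settings; substitute your own.
        options.Authority = "https://idp.example.invalid";
        options.ClientId = "client-id-placeholder";

        options.Events.OnRedirectToIdentityProvider = context =>
        {
            // Unpredictable per-login value: one copy stays server-side, the other
            // travels in the properties bag instead of context.ProtocolMessage.State,
            // which the handler does not send as-is.
            var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
            context.HttpContext.Session.SetString(NonceSessionKey, nonce);
            if (context.Properties is { } props)
            {
                props.Items[NonceItemKey] = nonce;
            }
            return Task.CompletedTask;
        };

        options.Events.OnTokenValidated = context =>
        {
            var expected = context.HttpContext.Session.GetString(NonceSessionKey);
            var received = context.Properties is { } props
                && props.Items.TryGetValue(NonceItemKey, out var value) ? value : null;

            // One-time use: drop the server-side copy whether or not the check passes.
            context.HttpContext.Session.Remove(NonceSessionKey);

            if (!ValidateStateNonce(expected, received))
            {
                context.Fail("Login nonce in state did not match the server-side copy.");
            }
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "signed in").RequireAuthorization();
app.Run();
```

The check runs after the handler's own correlation-cookie validation, so it adds an application-level binding on top of, not instead of, the built-in CSRF protection; a mismatch surfaces as a failed remote authentication rather than as the IDX21329 exception shown above.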
I also need to know how to leverage the state; is there any update or expected timeline on this?
I am facing the same issue. Can anyone please give an update on this?
I have closed and reopened this issue as suggested by the bot above, yet the "pending-ci-rerun" label is not removed.
Leaving this comment to inform that I have rechecked, and the issue is still there.