Microsoft.Owin.Security.OpenIdConnect not compatible with the latest Microsoft.IdentityModel.XX packages #109032

Closed
sankj opened this issue Oct 18, 2024 · 1 comment
Labels
needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners

Comments


sankj commented Oct 18, 2024

Description

We host an MVC .NET web application that takes a dependency on:
https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect/#versions-body-tab to implement OAuth2.0.

What we have found so far is that Microsoft.Owin.Security.OpenIdConnect 4.2.2 takes a dependency on Microsoft.IdentityModel.xxx 6.11.1.0. However, we had to upgrade the identity model packages (Microsoft.IdentityModel.xxx) to 7.6.0. What we have found is that Microsoft.Owin.Security.OpenIdConnect 4.2.2 does not work with Microsoft.IdentityModel.xxx 7.6.0.

We have not seen any update to the package: (https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect) since 2022.

Symptoms:
The project builds successfully. However, our application throws an "Unable to decode payload" error when OAuth is being made.
What we found out further was that:
Microsoft.IdentityModel.xxx 6.11.1.0 takes a dependency on Newtonsoft
Microsoft.IdentityModel.xxx 7.6.0 takes a dependency on System.Text.Json

Possibly that is the reason we are getting the "Unable to decode" error?

What are the recommended next steps to go forward here to help us unblock?

Reproduction Steps

Code snippet:
Repo link: https://microsoft.visualstudio.com/EngSys/_git/nebula?path=/Core/Nebula%20WFE/CloudMan.Web/App_Start/Startup.Auth.cs&version=GBmain&line=56&lineEnd=71&lineStartColumn=1&lineEndColumn=20&lineStyle=plain&_a=contents

Code:

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = async context =>
                {
                    await Task.Yield();
                    context.HandleResponse();
                    context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
                }
            }
        });

Our MVC application uses the above code snippet to perform the OAuth2.0 authentication. Here, the authentication fails while doing the OAuth2.0.

Repro steps:

  1. Go to the Url: https://cloudmanbvt.corp.microsoft.com
  2. This is what gets displayed during authentication.
    2.a Server Error in '/' Application.
    The resource cannot be found.
    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is
    temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
    Requested URL: /Home/Error
    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4762.0

2.b In the web Url address bar, we see this error:
https://cloudmanbvt.corp.microsoft.com/Home/Error?message=IDX12723:%20Unable%20to%20decode%20the%20payload%20%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%27%20as%20Base64Url%20encoded%20string.

Expected behavior

Expected behavior is that we get authenticated and are redirected to the following Url (https://cloudmanbvt.corp.microsoft.com) and see the page display.

Actual behavior

As I mentioned earlier in the repro steps this is the error we see.

Regression?

Yes, this is working when the Microsoft.Owin.Security.OpenIdConnect 4.2.2 dll is referencing Microsoft.IdentityModel.xxx 6.11.1.0. However, once we upgraded Microsoft.IdentityModel.xxx from 6.11.1.0 to 7.6.0, we started getting the above error.

Known Workarounds

None

Configuration

Which version of .NET is the code running on?
.NET Framework 4.7.2

What OS and version, and what distro if applicable?
this is running on a VM with OS22

What is the architecture (x64, x86, ARM, ARM64)?
X64

Other information

Symptoms:
The project builds successfully. However, our application throws an "Unable to decode payload" error when OAuth is being made.
What we found out further was that:
Microsoft.IdentityModel.xxx 6.11.1.0 takes a dependency on Newtonsoft
Microsoft.IdentityModel.xxx 7.6.0 takes a dependency on System.Text.Json

Would that be a reason why Microsoft.Owin.Security.OpenIdConnect is not compatible with the latest Microsoft.IdentityModel.XX packages?
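
An added example, not part of the original issue or of the Katana project: a variant of the AuthenticationFailed handler from the snippet above that keeps the exception text out of the redirect URL, since the reported URL carries the whole IDX12723 message in its query string. The `ConfigureAuth` method name, the placeholder constants, the `errorId` parameter and an error action at `/Home/Error` that accepts it are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder values (assumptions); the real ones come from the application's configuration.
    private const string clientId = "<client-id>";
    private const string authority = "<authority-url>";
    private const string postLogoutRedirectUri = "<post-logout-redirect-uri>";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = context =>
                    {
                        // Opaque correlation id (hypothetical scheme): the only value the browser sees.
                        string errorId = Guid.NewGuid().ToString("N");

                        // The full exception, including any IDX message text, goes to the
                        // server-side trace log, keyed by the correlation id.
                        Trace.TraceError("OIDC authentication failed [{0}]: {1}",
                            errorId, context.Exception);

                        // Stop the middleware from processing this response any further.
                        context.HandleResponse();

                        // Rooted path and an escaped value: nothing taken from the exception
                        // ends up in the address bar, browser history or proxy logs.
                        context.Response.Redirect(
                            "/Home/Error?errorId=" + Uri.EscapeDataString(errorId));
                        return Task.FromResult(0);
                    }
                }
            });
    }
}
```

Support staff can then look up the `errorId` shown on the error page in the trace output to find the underlying exception.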

@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Oct 18, 2024
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Oct 18, 2024
@huoyaoyuan
Member

The issue is discussed at aspnet/AspNetKatana#544. Closing as a duplicate.

@huoyaoyuan huoyaoyuan closed this as not planned Won't fix, can't repro, duplicate, stale Oct 19, 2024
@dotnet-policy-service dotnet-policy-service bot removed the untriaged New issue has not been triaged by the area owner label Oct 19, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Nov 18, 2024