Recently we have encountered some unusual behavior when customer tries to login using Azure B2C authentication framework.
|
Application Type |
Web |
|
Technology |
.Net
Framework 4.8 Asp.net MVC |
|
CMS |
Sitecore CMS 10.0.0 |
|
Authentication Framework |
Azure B2C .Net MSAL Open Id connect |
Problem Statement:
User idle for 15 mins and user taken back to Website Sign In page to initiate login again.
Root Cause: Token Exchange Failure. Nonce and Codeverifier expires after 15 mins. User Idle on sign In Page for more than 15mins and post that enters credential and results in login loop.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow
Issue reported to Microsoft
Solution: Increase Nonce and Codeverifier expiry timeout.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region private methods | |
| private void RememberCodeVerifier(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n, string codeVerifier) | |
| { | |
| var properties = new AuthenticationProperties(); | |
| properties.Dictionary.Add("cv", codeVerifier); | |
| //if left blank or set to 0, the setting is not used. OOTB default is 15min | |
| if(ConfigurationManager.AppSettings[AzureB2CConstants.Keys.NonceLifetime] != null && | |
| double.TryParse("30", out double lifetime) && lifetime > 0) | |
| { | |
| n.Options.ProtocolValidator.NonceLifetime = TimeSpan.FromMinutes(lifetime); | |
| } | |
| n.Options.CookieManager.AppendResponseCookie( | |
| n.OwinContext, | |
| GetCodeVerifierKey(n.ProtocolMessage.State), | |
| Convert.ToBase64String(Encoding.UTF8.GetBytes(n.Options.StateDataFormat.Protect(properties))), | |
| new CookieOptions | |
| { | |
| SameSite = SameSiteMode.None, | |
| HttpOnly = true, | |
| Secure = n.Request.IsSecure, | |
| Expires = DateTime.UtcNow + n.Options.ProtocolValidator.NonceLifetime | |
| }); | |
| } | |
| private string GetCodeVerifierKey(string state) | |
| { | |
| using (var hash = SHA256.Create()) | |
| { | |
| return OpenIdConnectAuthenticationDefaults.CookiePrefix + "cv." + Convert.ToBase64String(hash.ComputeHash(Encoding.UTF8.GetBytes(state))); | |
| } | |
| } | |
| private string RetrieveCodeVerifier(AuthorizationCodeReceivedNotification n) | |
| { | |
| string key = GetCodeVerifierKey(n.ProtocolMessage.State); | |
| string codeVerifierCookie = n.Options.CookieManager.GetRequestCookie(n.OwinContext, key); | |
| if (codeVerifierCookie != null) | |
| { | |
| var cookieOptions = new CookieOptions | |
| { | |
| SameSite = SameSiteMode.None, | |
| HttpOnly = true, | |
| Secure = n.Request.IsSecure | |
| }; | |
| n.Options.CookieManager.DeleteCookie(n.OwinContext, key, cookieOptions); | |
| var cookieProperties = n.Options.StateDataFormat.Unprotect(Encoding.UTF8.GetString(Convert.FromBase64String(codeVerifierCookie))); | |
| cookieProperties.Dictionary.TryGetValue("cv", out var codeVerifier); | |
| return codeVerifier; | |
| } | |
| return string.Empty; | |
| } | |
No comments :
Post a Comment