|
1 | 1 | --- |
2 | 2 | title: Resolving nonce validation errors in ASP.NET MVC with OpenID Connect |
3 | | -description: This article provides solutions to the common nonce validation errors encountered in ASP.NET MVC apps using OpenID Connect middleware. |
| 3 | +description: This article provides solutions to the common nonce validation errors that are encountered in ASP.NET MVC apps by using OpenID Connect middleware. |
4 | 4 | ms.date: 01/02/2025 |
5 | 5 | ms.author: bachoang |
6 | 6 | ms.service: entra-id |
7 | 7 | ms.custom: sap:Development Developing or Registering apps with Microsoft identity platform |
8 | 8 | --- |
9 | 9 |
|
10 | | -# ValidationContext.Nonce is null errors in ASP.NET MVC apps |
| 10 | +# "ValidationContext.Nonce is null" errors in ASP.NET MVC apps |
11 | 11 |
|
12 | | -This article provides solutions to the common nonce validation errors encountered in ASP.NET MVC apps using OpenID Connect (OIDC) middleware. |
| 12 | +This article provides solutions to the common nonce validation errors that you might encounter in ASP.NET MVC apps by using OpenID Connect (OIDC) middleware. |
13 | 13 |
|
14 | 14 | ## Common error messages |
15 | 15 |
|
16 | | -Depending on the version of Open Web Interface for .NET (OWIN) being used, you may encounter one of the following error messages: |
| 16 | +Depending on the version of Open Web Interface for .NET (OWIN) that you use, you might receive one of the following error messages: |
17 | 17 |
|
18 | 18 | - IDX21323: RequireNonce is '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you do not need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false. |
19 | 19 |
|
20 | | -- IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you do not need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false. |
| 20 | +- IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you do not need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to errorsfalse. |
21 | 21 |
|
22 | 22 | ## Understanding nonce cookies |
23 | 23 |
|
24 | | -The ASP.NET OIDC middleware uses a nonce cookie to prevent [replay attacks](/dotnet/framework/wcf/feature-details/replay-attacks). As mentioned in the error, the app throws the exception when it can't find the nonce cookie in the authenticated request. Cookies are domain-based, meaning that once they're set for a specific domain, all subsequent requests to that domain will include these cookies until they expire or are deleted. |
| 24 | +The ASP.NET OIDC middleware uses a nonce cookie to prevent [replay attacks](/dotnet/framework/wcf/feature-details/replay-attacks). The app throws the exception if it can't find the nonce cookie in the authenticated request. Cookies are domain-based. This means that if the cookies are set for a specific domain, all subsequent requests to that domain will include the cookies until they expire or are deleted. |
25 | 25 |
|
26 | | -The following are Fiddler traces about how these cookies are set and used in a working flow: |
| 26 | +The following Fiddler traces describe how these cookies are set and used in a working flow: |
27 | 27 |
|
28 | | -1. In frame 116, the browser sends a request to the OIDC app protected by Microsoft Entra ID. After receiving the request, the app detects that it isn't authenticated and redirects it to Microsoft Entra ID (`login.microsoftonline.com`) for authentication. Additionally, the app sets the `OpenIdConnect.nonce` cookie in the 302 redirect response. |
| 28 | +- In Frame 116, the browser sends a request to the OIDC app that's protected by Microsoft Entra ID. After receiving the request, the app detects that it isn't authenticated. It then redirects the request to Microsoft Entra ID (`login.microsoftonline.com`) for authentication. Additionally, the app sets the `OpenIdConnect.nonce` cookie in the "302" redirect response. |
29 | 29 |
|
30 | 30 | :::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-start-auth.png" alt-text="Screenshot of Frame 116 in Fiddler Trace." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-start-auth.png"::: |
31 | 31 |
|
32 | | -2. After successful authentication (frame 120 – 228), Microsoft Entra ID redirects the request back to the web app (frame 229) with the authenticated ID token. The nonce cookie previously set for this domain is also included in the POST request. The OIDC middleware validates the authenticated token and the nonce cookie before it continues loading the page (via another redirect). At this point, the nonce cookie's purpose is complete, and the app invalidates it by setting the expiration attribute to expire. |
| 32 | +- After successful authentication (Frame 120–228), Microsoft Entra ID redirects the request back to the web app (Frame 229) together with the authenticated ID token. The nonce cookie that was previously set for this domain is also included in the POST request. The OIDC middleware validates the authenticated token and the nonce cookie before it continues to load the page (through another redirect). At this point, the nonce cookie's purpose is finished, and the app invalidates it by setting the expiration attribute to expire. |
33 | 33 |
|
34 | | - :::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png" alt-text="Screenshot of Fiddler Trace Frames about authentication." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png"::: |
| 34 | + :::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png" alt-text="Screenshot of Fiddler Trace Frames related to authentication." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png"::: |
35 | 35 |
|
36 | 36 | ## Solution |
37 | 37 |
|
38 | 38 | ### Cause 1: Multiple domains are used for the same website |
39 | 39 |
|
40 | | -The browser originally navigates to the app on domain A (frame 9 below), and the nonce cookie is set for this domain. Later, Microsoft Entra ID sends the authenticated token to domain B (frame 91). Since the redirection to domain B doesn't include the nonce cookie, the web app throws the `validationContext.Nonce is null` error. |
| 40 | +The browser originally navigates to the app on Domain A (Frame 9), and the nonce cookie is set for this domain. Later, Microsoft Entra ID sends the authenticated token to Domain B (Frame 91). Because the redirection to Domain B doesn't include the nonce cookie, the web app throws the `validationContext.Nonce is null` error. |
41 | 41 |
|
42 | | -:::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-multiple-domains.png" alt-text="Screenshot of Fiddler Trace Frames about cause 1." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-multiple-domains.png"::: |
| 42 | +:::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-multiple-domains.png" alt-text="Screenshot of Fiddler Trace Frames related to Cause 1." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-multiple-domains.png"::: |
43 | 43 |
|
44 | | -#### Solution |
| 44 | +### Solution 1 |
45 | 45 |
|
46 | 46 | To resolve this issue, follow these steps: |
47 | 47 |
|
48 | | -1. Redirect the request back to the same domain used originally after authentication. To control where Azure AD sent the authenticated request back to the app, set the `OpenIdConnectAuthentications.RedirectUri` property in the `ConfigureAuth` method. |
| 48 | +1. Redirect the request back to the same domain that was originally used after authentication. To control where Azure AD sent the authenticated request back to the app, set the `OpenIdConnectAuthentications.RedirectUri` property in the `ConfigureAuth` method. |
49 | 49 |
|
50 | | -1. Configure the redirect URI (reply URL) in App Registration, otherwise you may receive the following error: AADSTS50011: The reply url specified in the request doesn't match the reply urls configured for the app. For more information, see [Error AADSTS50011 with OpenID authentication](error-code-aadsts50011-redirect-uri-mismatch.md). |
| 50 | +1. Configure the redirect URI (reply URL) in App Registration. Otherwise you might receive the following error: AADSTS50011: The reply URL that's specified in the request doesn't match the reply URLs that Azure configured for the app. For more information, see [Error AADSTS50011 with OpenID authentication](error-code-aadsts50011-redirect-uri-mismatch.md). |
51 | 51 |
|
52 | 52 | ### Cause 2: Missing SameSite attributes |
53 | 53 |
|
54 | | -Due to the [SameSite cookie security updates](/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser?tabs=dotnet), all cookies involved in the authentication process, including Nonce cookies, should contain the following attributes: |
| 54 | +Because of the [SameSite cookie security updates](/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser?tabs=dotnet), all cookies that are involved in the authentication process (including Nonce cookies) should contain the following attributes: |
55 | 55 |
|
56 | 56 | - SameSite=None |
57 | 57 | - Secure |
58 | 58 |
|
59 | 59 | For more information, see [SameSite cookies and the Open Web Interface for .NET](/aspnet/samesite/owin-samesite). |
60 | 60 |
|
61 | | - |
| 61 | + |
62 | 62 |
|
63 | | -### Solution |
| 63 | +### Solution 2 |
64 | 64 |
|
65 | | -To make sure both of the above requirements are satisfied, follow these steps: |
| 65 | +To make sure that both the required attributes are included, follow these steps: |
66 | 66 |
|
67 | 67 | 1. Use the HTTPS protocol to navigate to the web app. |
68 | 68 | 1. Update .NET Framework and NuGet packages: |
69 | | - - For .NET Framework apps: Upgrade .NET Framework to version 4.7.2+ and relevant NuGet packages (Microsoft.Owin.Security.OpenIdConnect, Microsoft.Owin) to version 4.1.0+. |
| 69 | + - For .NET Framework apps: Upgrade .NET Framework to version 4.7.2+ and relevant NuGet packages (Microsoft.Owin.Security.OpenIdConnect, Microsoft.Owin) to version 4.1.0+. |
70 | 70 | - For .NET Core apps: |
71 | | - - Version 2.x apps should use .NET Core 2.1+ |
72 | | - - Version 3.x apps should use .NET Core 3.1+ |
| 71 | + - Version 2._x_ apps should use .NET Core 2.1+. |
| 72 | + - Version 3._x_ apps should use .NET Core 3.1+. |
73 | 73 |
|
74 | 74 | Example configuration code for Startup.Auth.cs: |
75 | 75 |
|
@@ -111,7 +111,7 @@ namespace NetWebAppOIDC2 |
111 | 111 | AuthenticationFailed = OnAuthenticationFailed |
112 | 112 | } |
113 | 113 |
|
114 | | - // Don't use SystemwebCookieManager class here to override the default CookieManager as that seems to negate the SameSite cookie attribute being set |
| 114 | + // Don't use SystemwebCookieManager class here to override the default CookieManager because that seems to negate the SameSite cookie attribute that's being set. |
115 | 115 | // CookieManager = new SystemWebCookieManager() |
116 | 116 |
|
117 | 117 | }); |
|
0 commit comments