IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValid

Akshay Bagi 10 Reputation points
2023-04-25T05:43:06.2066667+00:00

I have an ASP.NET MVC application. I have registered the application in Azure Active Directory for the Microsoft identity platform, and the same details are configured in web.config and Startup.cs. I tried a few approaches to resolve the error but with no luck. Below I have pasted the code I am using in my application; please let me know what changes are required to resolve the issue. Below are the web.config file changes:

ClientId: XXXXX-XXXXX-XXXX-3b59
TenantID: XXXX-XXXX-XXXX-d086
Authority: https://login.microsoftonline.com/{0}/v2.0
redirectUri: http://localhost/XXXX
  <system.web>
    <sessionState cookieSameSite="None"/>
    <httpCookies requireSSL="true"/>
  </system.web>

Startup.cs file changes

using System;
using System.Configuration;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // The Client ID is used by the application to uniquely identify itself to Azure AD.
    string clientId = ConfigurationManager.AppSettings["ClientId"];

    // RedirectUri is the URL where the user will be redirected to after they sign in.
    string redirectUri = ConfigurationManager.AppSettings["redirectUri"];

    // Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant).
    // The key name used here must match the key in web.config exactly.
    string tenant = ConfigurationManager.AppSettings["Tenant"];

    // Authority is built from the template in web.config, e.g. https://login.microsoftonline.com/{0}/v2.0
    string authority = String.Format(CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["Authority"], tenant);

    public void Configuration(IAppBuilder app)
    {
        // Diagnostics only: includes token contents and other PII in exception messages.
        IdentityModelEventSource.ShowPII = true;

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = "ApplicationCookie",
            CookieSameSite = SameSiteMode.None,
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true
        });

        // Validator with nonce checking switched off. It is not assigned to
        // OpenIdConnectAuthenticationOptions.ProtocolValidator below, so the
        // middleware keeps using its default validator.
        OpenIdConnectProtocolValidator dd = new OpenIdConnectProtocolValidator()
        {
            RequireNonce = false,
        };

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Sets the ClientId, Authority and RedirectUri as obtained from web.config
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                // ResponseType is set to request code id_token; the id_token contains basic information about the signed-in user
                ResponseType = OpenIdConnectResponseType.CodeIdToken,

                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false
                },

                // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to the OnAuthenticationFailed method
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed
                }
            }
        );
    }

    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        // Stops the middleware and sends the raw exception message to the home page in the
        // query string (with ShowPII enabled this message can include token contents).
        context.HandleResponse();
        context.Response.Redirect("/?errormessage=" + context.Exception.Message);
        return Task.FromResult(0);
    }
}

Error Details: IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.


3 answers

  1. 진우 박 10 Reputation points
    2023-12-20T07:49:52.4966667+00:00

    Please install the URL Rewrite module in IIS and add the following content to the Web.config file!

      <system.webServer>
        <rewrite>
          <outboundRules>
            <!-- Appends SameSite=none; Secure to every Set-Cookie header the application emits -->
            <rule name="AddSameSiteCookieFlag">
              <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)=(.*)$" />
              <action type="Rewrite" value="{R:0};SameSite=none; Secure" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    
    2 people found this answer helpful.
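What the rewrite rule above actually does to Set-Cookie values, as an added example that is not part of the answer or of IIS: a Python model of the rule's regex and action, run over a few constructed headers. It also shows a guarded variant (my suggestion, not from the answer) that skips headers already carrying a SameSite attribute; the posted rule does not, so a cookie that already sets SameSite ends up with two SameSite attributes and a cookie deliberately set Lax or Strict is relabelled None. The cookie names and values are constructed; the nonce cookie name is modelled on the OWIN middleware's `OpenIdConnect.nonce.` prefix (an assumption about its default naming).

```python
from __future__ import annotations

import re

# Same pattern as the rule's <match> element. {R:0} in the action is the whole match,
# and because the leading .* is greedy that is the entire header value whenever the
# value contains an '=' (every name=value cookie does).
RULE_PATTERN = re.compile(r"(.*)=(.*)$")

# Constructed Set-Cookie values as an ASP.NET/OWIN application might emit them.
SAMPLE_HEADERS = [
    # OWIN nonce cookie (assumed name): no SameSite attribute, so current browsers treat it as Lax
    "OpenIdConnect.nonce.AbCd1234=protected-nonce; path=/; secure; HttpOnly",
    # session cookie already set to None by <sessionState cookieSameSite="None"/>
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None; Secure",
    # an application cookie deliberately kept Lax
    "prefs=dark; path=/; SameSite=Lax",
]


def rewrite_as_posted(set_cookie: str) -> str:
    """The rule exactly as posted: append ';SameSite=none; Secure' to every matching header."""
    match = RULE_PATTERN.match(set_cookie)
    if match is None:
        return set_cookie  # no '=' in the value, so the rule does not fire
    return f"{match.group(0)};SameSite=none; Secure"


def rewrite_guarded(set_cookie: str) -> str:
    """Suggested variant: leave headers alone that already carry a SameSite attribute,
    so cookies deliberately set Lax/Strict keep that setting and nothing is duplicated."""
    if re.search(r";\s*SameSite=", set_cookie, re.IGNORECASE):
        return set_cookie
    return rewrite_as_posted(set_cookie)


def samesite_attributes(set_cookie: str) -> list[str]:
    """Every SameSite value on the header, in order, to make duplicates visible."""
    return [v.strip() for v in re.findall(r";\s*SameSite=([^;]+)", set_cookie, re.IGNORECASE)]


def apply_rule(headers: list[str], guarded: bool = False) -> list[str]:
    """Runs one of the two rewrites over a list of Set-Cookie values."""
    rewrite = rewrite_guarded if guarded else rewrite_as_posted
    return [rewrite(header) for header in headers]


if __name__ == "__main__":
    for guarded in (False, True):
        print("guarded variant" if guarded else "rule as posted")
        for header in apply_rule(SAMPLE_HEADERS, guarded):
            print(f"  {header}\n    SameSite attributes: {samesite_attributes(header)}")
```

In IIS the guard corresponds to a `<conditions>` element on the rule with a negated pattern match over `{R:0}`; the rule as posted relies on the browser applying the last SameSite attribute it sees and on no cookie in the application needing Lax or Strict.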

  2. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,491 Reputation points
    2023-04-26T06:36:53.39+00:00

    Hello @Akshay Bagi, the nonce query param is required when requesting an ID Token. Do not disable it and try sending a challenge after the failed auth, as suggested in Azure Active Directory authentication error OWIN. If the issue persists [email your project source code to azcommunity@microsoft.com with Subject Attn: Alfredo Revilla]. You should not include Personally Identifiable Information (PII).

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        // ClientId, Authority, RedirectUri and the other options as before
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthenticationFailed = authFailed =>
            {
                if (authFailed.Exception.Message.Contains("IDX21323"))
                {
                    // Stop the failing response and start a fresh sign-in challenge,
                    // which issues a new nonce and a new nonce cookie.
                    authFailed.HandleResponse();
                    authFailed.OwinContext.Authentication.Challenge();
                }

                return Task.FromResult(0);
            }
        }
    });
    

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.

  3. Sedat SALMAN 14,145 Reputation points MVP
    2023-04-25T07:49:00.12+00:00

    It seems you've tried to set RequireNonce to false, but the error persists. In your current code, you created a new OpenIdConnectProtocolValidator instance with RequireNonce set to false but didn't use it in your OpenIdConnectAuthenticationOptions. To fix the issue, you should set the ProtocolValidator property in the OpenIdConnectAuthenticationOptions to the instance you created. Example code:

    
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Sets the ClientId, authority, RedirectUri as obtained from web.config
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
    
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false
            },
    
            // Add the ProtocolValidator property here
            ProtocolValidator = dd,
    
            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
    
                AuthenticationFailed = OnAuthenticationFailed
    
            }
        }
    );
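Why the nonce cookie goes missing in the question, what the SameSite change in the first answer restores, and what switching RequireNonce off (this answer) gives up, as an added example that is not part of any answer and not the OWIN middleware's code: a Python model of the relying-party side talking to a minimal browser cookie jar. Assumptions: the cookie-jar rules are those of current browsers (no SameSite attribute is treated as Lax, SameSite=None is rejected without Secure, Secure cookies travel only over https, and Lax/Strict cookies are not attached to a cross-site POST, which is what the identity provider's form_post callback is); the nonce cookie name is modelled on the middleware's `OpenIdConnect.nonce.` prefix; the id_token is a plain dict standing in for the already signature-checked JWT payload; only the IDX21323 text comes from the page, the other failure texts are the model's own.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

NONCE_COOKIE_PREFIX = "OpenIdConnect.nonce."  # modelled on the OWIN default (assumption)


class NonceValidationError(Exception):
    pass


def _nonce_cookie_name(nonce: str) -> str:
    # The cookie is keyed by a hash of the nonce so the RP can find it again
    # from the nonce claim of the id_token that comes back.
    digest = hashlib.sha256(nonce.encode()).digest()
    return NONCE_COOKIE_PREFIX + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class BrowserCookieJar:
    """Browser side. No SameSite means Lax, None needs Secure, Secure is https-only,
    Lax/Strict cookies are not sent on cross-site POSTs."""

    def __init__(self) -> None:
        self.cookies = {}  # name -> (value, samesite, secure)

    def set(self, set_cookie: str) -> None:
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
        samesite = attrs.get("samesite", "Lax").lower()
        secure = "secure" in attrs
        if samesite == "none" and not secure:
            return  # rejected, as browsers do for SameSite=None without Secure
        self.cookies[name] = (value, samesite, secure)

    def cookies_for(self, cross_site: bool, https: bool) -> dict[str, str]:
        return {name: value for name, (value, samesite, secure) in self.cookies.items()
                if (https or not secure) and (samesite == "none" or not cross_site)}


class RelyingParty:
    """Application side: issues the challenge, stores the nonce in a cookie, checks it on return."""

    def __init__(self, require_nonce: bool = True, samesite_none: bool = False) -> None:
        self.require_nonce = require_nonce  # OpenIdConnectProtocolValidator.RequireNonce
        self.samesite_none = samesite_none  # what the IIS rewrite rule adds to the cookie

    def begin_challenge(self) -> tuple[dict, str]:
        nonce = secrets.token_urlsafe(24)
        request = {"response_type": "code id_token", "response_mode": "form_post", "nonce": nonce}
        # Secure because the question's web.config has <httpCookies requireSSL="true"/>
        set_cookie = f"{_nonce_cookie_name(nonce)}={nonce}; path=/; HttpOnly; Secure"
        if self.samesite_none:
            set_cookie += "; SameSite=None"
        return request, set_cookie

    def validate_callback(self, id_token: dict, cookies: dict[str, str]) -> str:
        token_nonce = id_token.get("nonce")
        cookie_nonce = cookies.get(_nonce_cookie_name(token_nonce)) if token_nonce else None
        if cookie_nonce is None:
            if not self.require_nonce:
                return "accepted without nonce check"
            if token_nonce is not None:
                raise NonceValidationError(
                    "IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce "
                    "was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null.")
            raise NonceValidationError("nonce required but the id_token carries none")
        if cookie_nonce != token_nonce:
            raise NonceValidationError("nonce in id_token does not match the nonce cookie")
        return "nonce validated"


def login_round_trip(rp: RelyingParty, replayed_token: dict | None = None, https: bool = True) -> str:
    """Challenge -> IdP -> form_post callback through the cookie jar; returns the outcome."""
    jar = BrowserCookieJar()
    request, set_cookie = rp.begin_challenge()
    jar.set(set_cookie)  # the 302 to the IdP carries this Set-Cookie
    # Constructed IdP response: an honest id_token echoes the nonce from the request;
    # a replayed one carries whatever nonce the captured token had.
    id_token = replayed_token or {"sub": "user-1", "aud": "client-1", "nonce": request["nonce"]}
    # The callback is a top-level POST from login.microsoftonline.com, i.e. cross-site.
    try:
        return rp.validate_callback(id_token, jar.cookies_for(cross_site=True, https=https))
    except NonceValidationError as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    replay = {"sub": "victim", "aud": "client-1", "nonce": "nonce-captured-from-an-earlier-login"}
    print("cookie without SameSite:   ", login_round_trip(RelyingParty()))
    print("SameSite=None; Secure:     ", login_round_trip(RelyingParty(samesite_none=True)))
    print("SameSite=None over http:   ", login_round_trip(RelyingParty(samesite_none=True), https=False))
    print("RequireNonce=false:        ", login_round_trip(RelyingParty(require_nonce=False)))
    print("RequireNonce=false, replay:", login_round_trip(RelyingParty(require_nonce=False), replayed_token=replay))
    print("RequireNonce=true, replay: ", login_round_trip(RelyingParty(samesite_none=True), replayed_token=replay))
```

The first three cases reproduce the question: the nonce cookie is set on the redirect to the identity provider, but a cookie without `SameSite=None; Secure` is not attached to the cross-site POST back, so the validator sees no nonce while the id_token carries one, which is exactly the IDX21323 message; a Secure cookie is equally absent when the callback arrives over plain http, as with the `http://localhost` redirect URI in the question. The last two cases are the trade-off behind this answer: with RequireNonce off the error disappears, but so does the binding between the id_token and the browser session that started the login, so an id_token captured elsewhere and posted to the callback is accepted as long as its signature, audience and expiry pass. Fixing the cookie, as the first answer does, removes the symptom without giving that up.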
    
    
