IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValid

Question

I have an asp.net MVC application and I have registered application in azure directory for Microsoft Identity Platform and same details were configured in web.config, Startup.cs file and tried few approaches to resolve the error but no luck. Below i have pasted the code which i am using in my application please let me know what changes are required to resolve the issue Below are web.config file changes

ClientId: XXXXX-XXXXX-XXXX-3b59
TenantID: XXXX-XXXX-XXXX-d086
Authority: https://login.microsoftonline.com/{0}/v2.0
redirectUri: http://localhost/XXXX
  <system.web>
    <sessionState cookieSameSite="None"/>
    <httpCookies requireSSL="true"/>
  </system.web>

Startup.cs file changes

// The Client ID is used by the application to uniquely identify itself to Azure AD.
string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];

// RedirectUri is the URL where the user will be redirected to after they sign in.
string redirectUri = System.Configuration.ConfigurationManager.AppSettings["redirectUri"];

// Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant)
static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];

string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant); 


public void Configuration(IAppBuilder app)
        {

            IdentityModelEventSource.ShowPII = true;

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            

            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = "ApplicationCookie",
                CookieSameSite = SameSiteMode.None,
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
               
            });

            
           OpenIdConnectProtocolValidator dd = new OpenIdConnectProtocolValidator()
           {
               RequireNonce = false,
           };
           

            app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Sets the ClientId, authority, RedirectUri as obtained from web.config
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
               

                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false
                },

                // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
                Notifications = new OpenIdConnectAuthenticationNotifications
                {

                    AuthenticationFailed = OnAuthenticationFailed

                }
            }
        );
    }

private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
  context.HandleResponse();
  context.Response.Redirect("/?errormessage=" + context.Exception.Message);
  return Task.FromResult(0);
}

Error Details: IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Answer 1

Hello @Akshay Bagi , the nonce query param is required when requesting an ID Token. Do not disable it and try sending a challenge after the failed auth, as suggedted in Azure Active Directory authentication error OWIN. If the issue persists [email your project source code to azcommunity@microsoft.com with Subject Attn: Alfredo Revilla]. You should not include Personally Identifiable Information (PII).

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthenticationFailed = AuthenticationFailedNotification<OpenIdConnect.OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> authFailed =>
            {
                if (authFailed.Exception.Message.Contains("IDX21323"))
                {
                    authFailed.HandleResponse();
                    authFailed.OwinContext.Authentication.Challenge();
                }

                await Task.FromResult(true);
            }
        }
    });

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Answer 2

Please install URL rewriting in IIS and add the following content to the Web.config file!

  <system.webServer>
	<rewrite>
	  <outboundRules>
	    <rule name="AddSameSiteCookieFlag">
	      <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)=(.*)$" />
	      <action type="Rewrite" value="{R:0};SameSite=none; Secure" />
	    </rule>
	  </outboundRules>
	</rewrite>
  </system.webServer>

Answer 3

It seems you've tried to set RequireNonce to false, but the error persists. In your current code, you created a new OpenIdConnectProtocolValidator instance with RequireNonce set to false but didn't use it in your OpenIdConnectAuthenticationOptions. To fix the issue, you should set the ProtocolValidator property in the OpenIdConnectAuthenticationOptions to the instance you created. Example Code

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // Sets the ClientId, authority, RedirectUri as obtained from web.config
        ClientId = clientId,
        Authority = authority,
        RedirectUri = redirectUri,
        // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
        PostLogoutRedirectUri = redirectUri,
        Scope = OpenIdConnectScope.OpenIdProfile,
        // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
        ResponseType = OpenIdConnectResponseType.CodeIdToken,

        TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = false
        },

        // Add the ProtocolValidator property here
        ProtocolValidator = dd,

        // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
        Notifications = new OpenIdConnectAuthenticationNotifications
        {

            AuthenticationFailed = OnAuthenticationFailed

        }
    }
);

Answer 4

Any one please can help i have same issue