Skip to content

59462 OIDC par failure #61947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

59462 OIDC par failure #61947

wants to merge 8 commits into from

Conversation

bigred8982
Copy link

Add OIDC event to allow caller to react to OIDC PAR failure during challenge phase

Description

Add new OIDC OnPushAuthorizationFailed, new context for this event, logic to fire event, tests.

Problem

When a validation failure occurs during a PAR request (ex. the request includes an invalid client_id), an OpenIdConnectProtocolException is thrown. This exception bubbles up as an unhandled middleware exception.

Please see issue #59462 for slightly more details.

Goal

We need to give the application the ability to handle the response when a PAR request fails during the challenge phase. Since an exception during the challenge phase bubbles up as a middleware exception, it is difficult for the application to respond. By including a specific OIDC event, the application has the opportunity to redirect the browser to a user-friendly error page.

Example of a web app utilizing this new feature

builder.Services.AddAuthentication(...)
  .AddOpenIdConnect("oidc", options => 
  {
    ...
    options.Events.OnPushAuthorizationFailed = (ctx) => {
        var logger = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
        logger.LogError(ctx.Exception, "Received error while sending PAR request.");
        
        ctx.Response.Redirect("FriendlyErrorPage");
        ctx.Handled = true;
        return Task.CompletedTask;
    };
  });

Fixes #59462

@bigred8982 bigred8982 requested a review from halter73 as a code owner May 14, 2025 22:32
@github-actions github-actions bot added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label May 14, 2025
@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label May 14, 2025
@bigred8982
Copy link
Author

@dotnet-policy-service agree company="Tyler Technologies"

@bigred8982
Copy link
Author

Would love feedback from @josephdecock

Also, I'm not sure if this should go into main, but I'd like to see it show up in at least the 10.0 release (it's probably too late to get it into 9).

@bigred8982 bigred8982 marked this pull request as draft May 14, 2025 22:55
@bigred8982 bigred8982 marked this pull request as ready for review May 15, 2025 15:22
@bigred8982
Copy link
Author

If there anything else I need to do process-wise to make this PR ready for review, please let me know. This is my first contribution and I might have accidentally missed a step.

@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime.
To make sure no conflicting changes have occurred, please rerun validation before merging. You can do this by leaving an /azp run comment here (requires commit rights), or by simply closing and reopening.

@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Jun 4, 2025
@bigred8982 bigred8982 changed the title Bigred8982/issue 59462 OIDC par failure 59462 OIDC par failure Jun 12, 2025
@bigred8982
Copy link
Author

/azp run

@azure-pipelines Azure Pipelines
Copy link

Commenter does not have sufficient privileges for PR 61947 in repo dotnet/aspnetcore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer community-contribution Indicates that the PR has been added by a community member pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OIDC - Validation failure during PAR does not trigger OnAuthenticationFailed() event
1 participant
@bigred8982