According to your description, I followed this tutorial and used this code sample to check this issue. The initialization for the authentication middleware would look as follows:
```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;

// Inside Startup.ConfigureAuth(IAppBuilder app); clientId, authority and
// postLogoutRedirectUri are read from the application's configuration.
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        // The OpenIdConnect.nonce cookie is issued on the origin that starts
        // the sign-in, so the RedirectUri must live on that same origin.
        RedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Surface validation failures (such as the missing-nonce error)
            // on the application's error page instead of a bare 500.
            AuthenticationFailed = context =>
            {
                context.HandleResponse();
                context.Response.Redirect("/Error?message=" + context.Exception.Message);
                return Task.FromResult(0);
            }
        }
    });
```
Using Fiddler to capture the network traces when logging in, you could find that the OpenIdConnect.nonce cookie would be issued to the browser before the OpenID Connect middleware starts the authentication request, as follows:
After the user entered the credentials and consented to the permissions, the authorization_code, id_token and state would be posted to your specified RedirectUri; then some validation would be executed, generating the new cookie and removing the previous OpenIdConnect.nonce cookie, as follows:
IDX10311: requireNonce is true (default) but validationContext.Nonce is null. A nonce cannot be validated. If you dont need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false
I used Microsoft.Owin.Security.OpenIdConnect 3.0.1 to test this issue. Per my understanding, you need to make sure your OpenIdConnect.nonce cookie has been successfully issued to your browser. For example, if your cookie is issued to https://localhost:44353/, while the RedirectUri is set to http://localhost:4279, then I would encounter a similar issue:
Or you could try to explicitly set OpenIdConnectProtocolValidator.RequireNonce to false to disable checking the nonce.
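The nonce round trip described in the answer above, as an added simulation that is not the Katana middleware's code and not part of the original post: the middleware stores a nonce in the OpenIdConnect.nonce cookie before redirecting, and the callback at RedirectUri can only validate the id_token if the browser sends that cookie back. The model assumes the cookie is scoped to the issuing host and carries the Secure flag when issued over HTTPS, which is why an https://localhost:44353 sign-in with an http://localhost:4279 RedirectUri fails.

```python
# Constructed simulation of the OpenIdConnect.nonce cookie flow; the Browser
# class is a toy cookie jar, not a real browser or the Katana implementation.
import secrets
from urllib.parse import urlsplit


class Browser:
    """Cookies are scoped to the host that set them; a cookie set over https
    carries the Secure flag (assumed behaviour) and is never sent over http."""

    def __init__(self):
        self.cookies = []  # tuples of (host, name, value, secure)

    def store(self, set_from_url, name, value):
        u = urlsplit(set_from_url)
        self.cookies.append((u.hostname, name, value, u.scheme == "https"))

    def cookies_for(self, url):
        u = urlsplit(url)
        return {n: v for h, n, v, sec in self.cookies
                if h == u.hostname and (u.scheme == "https" or not sec)}


def start_authentication(browser, app_url, redirect_uri):
    """Before redirecting to the identity provider: mint a nonce, persist it in
    the OpenIdConnect.nonce cookie on the app's origin, put it in the request."""
    nonce = secrets.token_urlsafe(16)
    browser.store(app_url, "OpenIdConnect.nonce", nonce)
    return {"redirect_uri": redirect_uri, "nonce": nonce}


def handle_callback(browser, redirect_uri, id_token_claims):
    """On the POST to RedirectUri the nonce cookie must be present and equal
    the id_token's nonce claim; a missing cookie is the IDX10311 case."""
    cookie_nonce = browser.cookies_for(redirect_uri).get("OpenIdConnect.nonce")
    if cookie_nonce is None:
        return False, "IDX10311: nonce cookie was not sent to " + redirect_uri
    if cookie_nonce != id_token_claims.get("nonce"):
        return False, "nonce mismatch"
    return True, "ok"


def simulate(app_url, redirect_uri):
    """Run one sign-in where the provider echoes the nonce back in the id_token."""
    browser = Browser()
    req = start_authentication(browser, app_url, redirect_uri)
    return handle_callback(browser, redirect_uri, {"nonce": req["nonce"]})
```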