  1. xyz.com
  2. yzx.com
  3. zxy.com

I have these domains and I am running an IdentityServer4 application with Auth0 OpenID Connect connections. My primary domain is xyz.com, so if a user logs in using another domain such as yzx.com, it redirects to my primary domain's callback path only after a successful Auth0 login, because I have registered only my primary domain's callback path in all the running domains.

See the example below:

```csharp
// Callback URL of the primary brand, built from the configured host and the SSO redirect path.
var primaryBrandOpenIdRedirectURL = SharedResourceConstants.HyperText + primaryBrandHostUrl
                                    + pathBase.GetPathBase(HttpContext) + sso.RedirectPath;

var openIdOptions = new OpenIdConnectOptions
{
    ClientId = rijndaelEncryption.Decrypt(sso.ClientId),
    ClientSecret = rijndaelEncryption.Decrypt(sso.ClientSecret),
    Authority = sso.Authority,
    SignInScheme = IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme,
    ForwardSignOut = sso.ForwardSignOut,

    // Callback path should be unique.
    CallbackPath = new PathString(sso.RedirectPath),
};

if (!organization.IsDefaultBrand)
{
    openIdOptions.Events = new OpenIdConnectEvents()
    {
        // For non-primary brands, rewrite redirect_uri so the provider sends the
        // authentication response to the primary brand's callback instead of this host.
        OnRedirectToIdentityProvider = ctx =>
        {
            ctx.ProtocolMessage.RedirectUri = primaryBrandOpenIdRedirectURL;
            return Task.CompletedTask;
        }
    };
}
```

This works fine on two different localhost ports, but in staging I am facing the issue below.

```text
System.Exception: An error was encountered while handling the remote login.

System.Exception: Correlation failed.

at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext() at offset 1286
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at offset 17
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(System.Threading.Tasks.Task task) at offset 39
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(System.Threading.Tasks.Task task) at offset 46
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.d__6.MoveNext() at offset 437
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at offset 17
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(System.Threading.Tasks.Task task) at offset 39
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext() at offset 953
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at offset 17
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(System.Threading.Tasks.Task task) at offset 39
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(System.Threading.Tasks.Task task) at offset 46
```

Comments:

- nahidf: do you use HTTPS locally? what about staging?
- vijay: yes I am using localhost:44339 only, also staging like example.com

1 Answer


The "Correlation failed" problem is a common error that occurs when the OpenID Connect authentication middleware receives a callback from the IdentityServer that it did not expect.

The client that made the initial authentication request must also be the one that the browser is redirected back to after the user logs in and gives consent (i.e. the same domain must be used).

I guess each client domain needs to be registered in the valid redirect URLs, like:

```csharp
RedirectUris = new List<string> { "https://xyz1.com/signin-oidc", "https://xyz2.com/signin-oidc", "https://xyz3.com/signin-oidc" };
```

You should also examine and make sure that the ReturnUrl sent to IdentityServer contains the true domain of the client, so that the browser can find its way back to it when it is done with the consent part.

https://localhost:6001/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dauthcodeflowclient_dev%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A5001%252Fsignin-oidc%26response_type%3Dcode%26prompt%3Dconsent%26scope%3Dopenid%2520profile%2520email%2520offline_...
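To make the answer concrete, the following is an added example (not code from the question or from the answer above). It shows the two halves of the fix: on the provider side, a single IdentityServer4 `Client` that lists a callback for every brand host, and on the relying-party side, an `AddOpenIdConnect` registration that leaves `redirect_uri` on the host that started the login instead of rewriting it to the primary brand. The reason this matters is that `RemoteAuthenticationHandler` issues its correlation cookie on the host that handled the challenge, so a response delivered to a different host arrives without that cookie and fails with "Correlation failed". The client id `multi-brand-client`, the three hosts, the `<client-secret>` placeholder and the helper names are assumptions for illustration. If the provider is Auth0 rather than IdentityServer4, the same set of callback URLs has to be allowed on the Auth0 application instead.

```csharp
// Added example: multi-host OpenID Connect setup that keeps redirect_uri on the
// originating host. Names and hosts below are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class MultiBrandOidc
{
    // Hosts that may start a login (constructed sample values).
    public static readonly string[] BrandHosts = { "xyz.com", "yzx.com", "zxy.com" };

    // Provider side: one client whose RedirectUris covers every brand's callback, so the
    // authorize request may carry whichever host the user actually came from.
    public static Client BuildClient()
    {
        var redirectUris = new List<string>();
        foreach (var host in BrandHosts)
        {
            redirectUris.Add($"https://{host}/signin-oidc");
        }

        return new Client
        {
            ClientId = "multi-brand-client",                               // assumed id
            ClientSecrets = { new Secret("<client-secret>".Sha256()) },    // placeholder
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = redirectUris,
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        };
    }

    // Relying-party side: each brand host keeps its own /signin-oidc callback.
    public static void AddBrandOpenIdConnect(IServiceCollection services,
        string authority, string clientId, string clientSecret)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = authority;
                options.ClientId = clientId;
                options.ClientSecret = clientSecret;
                options.ResponseType = "code";
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.CallbackPath = "/signin-oidc";

                options.Events = new OpenIdConnectEvents
                {
                    // Do not overwrite RedirectUri here. The handler derives it from the
                    // current request's host, which is also where it sets the correlation
                    // cookie. This check only refuses a request whose redirect_uri host
                    // differs from the request host, so a misconfiguration fails loudly
                    // at challenge time rather than as "Correlation failed" on callback.
                    OnRedirectToIdentityProvider = ctx =>
                    {
                        var redirectHost = new Uri(ctx.ProtocolMessage.RedirectUri).Host;
                        var requestHost = ctx.Request.Host.Host;
                        if (!string.Equals(redirectHost, requestHost, StringComparison.OrdinalIgnoreCase))
                        {
                            throw new InvalidOperationException(
                                $"redirect_uri host '{redirectHost}' differs from request host " +
                                $"'{requestHost}'; the correlation cookie would not be sent back.");
                        }
                        return Task.CompletedTask;
                    },

                    // Report remote failures together with the host the response landed on,
                    // which is the first thing to check when a sign-in hits the wrong brand.
                    OnRemoteFailure = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
                        return ctx.Response.WriteAsync(
                            $"Login failed on {ctx.Request.Host}: {ctx.Failure?.Message}");
                    }
                };
            });
    }
}
```

With this layout, a user who starts on yzx.com is sent back to https://yzx.com/signin-oidc, where the correlation cookie was issued, and the provider accepts that URL because it is in the client's registered list. If the business requirement is still to finish on the primary brand, do that with an application-level redirect after the external sign-in completes rather than by changing `redirect_uri` mid-flow.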