
OpenIdConnect First login for new user #3207


0
[email protected] created


If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v5.2.1
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace: ERR_HTTP2_PROTOCOL_ERROR / Bad Request - Request Too Long
  • Steps to reproduce the issue:
    1. Create a new ABP user using the IdentityUserManager.CreateAsync() method.
    2. Log in as an external login using Azure OpenIDConnect.
    3. If Microsoft is already logged in, it will show the Bad Request - Request Too Long error.
    4. If not, and you follow the Microsoft login steps, it will show the ERR_HTTP2_PROTOCOL_ERROR error.
    5. For every newly created user, the same problem shows up. I need to clear the cookies and log in again.

If login succeeds, the cookies will be like that.

If the problem shows up, the cookies will be

If you want to keep reproducing the issue, you can delete the record in the AbpUserLogins table and log in again.

It only occurs when running on IIS. If using dotnet run on localhost, no such issue occurs.


8 Answer(s)
  • 0
    gterdem created
    Support Team

    All the cookies are generated for localhost for each session. When you are authenticated to 3rd party, you are already authenticated to Identity.External too.

    You can try increasing the max request size on IIS like:

    <system.web>
        <httpRuntime maxRequestLength="2097151" executionTimeout="2097151" />
    </system.web>
    
  • 0
    [email protected] created

    Already increased the request size. Still doesn't work.

  • 0
    gterdem created
    Support Team

    Did you deploy your application? Or are you getting this error on the localhost dev/sta environment?

  • 0
    [email protected] created

    deployed

  • 0
    gterdem created
    Support Team

    The development environment may have similar problems since tiered applications use the same localhost for domain and shared cookies that cause errors. Because when you stop running your application without logging out, session cookies on localhost are not cleared and sometimes need to be manually removed. It is not something we can fix because:

    • .Net applications set .AspNetCore cookies
    • IdentityServer sets shared idsrv.session cookie
    • Microsoft Identity sets identity.Application cookie
    • Microsoft Identity sets identity.External cookie when logged in to 3rd party

    However, deployment is a whole different scenario. You may be using subdomains; sharing session cookies may be causing this. If the solution I mentioned at this answer and you mention this problem only occurs on IIS, I suggest also asking on StackOverflow since this can be directly related to IIS. It can be version related or some different configuration, which is out of my scope unfortunately.

  • 0
    [email protected] created

    In the OnGetExternalLoginCallbackAsync function (login.html.cs), I found that sign-in is called two times there if the sign-in result is not successful, but without a sign-out. May I know the reason?

    var result = await SignInManager.ExternalLoginSignInAsync(
        loginInfo.LoginProvider,
        loginInfo.ProviderKey,
        isPersistent: true,
        bypassTwoFactor: true
    );

    if (!result.Succeeded)
    {
        await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
        {
            Identity = IdentitySecurityLogIdentityConsts.IdentityExternal,
            Action = "Login" + result
        });
    }
    

    After adding the login info or creating the external user, it calls the sign-in method again.

    var externalUser = await UserManager.FindByEmailAsync(email);
    if (externalUser == null)
    {
        externalUser = await CreateExternalUserAsync(loginInfo);
    }
    else
    {
        if (await UserManager.FindByLoginAsync(loginInfo.LoginProvider, loginInfo.ProviderKey) == null)
        {
            CheckIdentityErrors(await UserManager.AddLoginAsync(externalUser, loginInfo));
        }
    }

    if (await HasRequiredIdentitySettings())
    {
        Logger.LogWarning($"New external user is created but confirmation is required!");

        await StoreConfirmUser(externalUser);
        return RedirectToPage("./ConfirmUser", new {
            returnUrl = ReturnUrl,
            returnUrlHash = ReturnUrlHash
        });
    }

    await SignInManager.SignInAsync(externalUser, false);
    

    For the first login, I found that the result from ExternalLoginSignInAsync is not successful. Can I add the signout there? Will it cause any problems?

    if (!result.Succeeded)
    {
        await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
        {
            Identity = IdentitySecurityLogIdentityConsts.IdentityExternal,
            Action = "Login" + result
        });
        await SignInManager.SignOutAsync();
    }
    
  • 0
    gterdem created
    Support Team

    You are signed in to different authentication schemes so it is called multiple times. It is Microsoft Identity and you can modify as you like if you know what you are doing.

    For the first login, I found that the result from ExternalLoginSignInAsync is not successful. Can I add the signout there? Will it cause any problems?

    If a problem occurs based on the web server (IIS), I would suggest digging into that instead of changing the source code.

  • 0
    FrancoisLabelle created

    Hello,

    I had a similar issue when I activated the Microsoft login and tested it locally on my workstation using IIS Express.

    My solution was to add this configuration in the web.config file of the IdentityServer project.

    <system.webServer>
        <security>
            <requestFiltering>
                <!--This is needed with IISEXPRESS to allow the callback from Microsoft OAuth/OIDC authentication with a large query string. (OIDC Specs says max 2047...) -->
                <requestLimits maxQueryString="4096" />
            </requestFiltering>
        </security>
    </system.webServer>
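
The posts above point at two different size limits: the cookies sent with the request and the query string of the login callback. As an added example (not code from ABP or from any poster), this Python script measures a request head copied from the browser's network tab against the IIS default maxQueryString and the HTTP.sys default header limits. The limit values are assumptions about the server's configuration, and the /callback path, host name and cookie contents are constructed sample data.

```python
from urllib.parse import urlsplit

# Assumed server defaults, in bytes: IIS requestLimits maxQueryString, and the
# HTTP.sys MaxFieldLength (one header) / MaxRequestBytes (request line + headers).
DEFAULT_LIMITS = {"query_string": 2048, "header_field": 16384, "request_bytes": 16384}


def analyze_request(raw, limits=DEFAULT_LIMITS):
    """Measure a raw HTTP/1.1 request head and list the limits it exceeds."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line]
    target = lines[0].split(" ")[1]
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    cookies = {}
    for name, value in headers:
        if name.lower() == "cookie":
            for pair in value.split(";"):
                pair = pair.strip()
                cookies[pair.partition("=")[0]] = len(pair.encode())
    sizes = {
        "query_string": len(urlsplit(target).query.encode()),
        "header_field": max((len(v.encode()) for _, v in headers), default=0),
        "request_bytes": sum(len(line.encode()) + 2 for line in lines) + 2,
    }
    exceeded = sorted(k for k, v in sizes.items() if v > limits[k])
    largest = sorted(cookies.items(), key=lambda kv: kv[1], reverse=True)
    return {"sizes": sizes, "exceeded": exceeded, "largest_cookies": largest}


def build_sample():
    """Constructed request: long callback query string plus chunked auth cookies."""
    cookies = ["idsrv.session=" + "a" * 32]
    for name, chunks in (("Identity.External", 2), (".AspNetCore.Identity.Application", 3)):
        cookies.append(f"{name}=chunks-{chunks}")
        cookies += [f"{name}C{i}=" + "b" * 4000 for i in range(1, chunks + 1)]
    return ("GET /callback?code=" + "x" * 3000 + " HTTP/1.1\r\n"
            "Host: idp.example.test\r\n"
            "Cookie: " + "; ".join(cookies) + "\r\n\r\n")


if __name__ == "__main__":
    report = analyze_request(build_sample())
    print(report["sizes"], report["exceeded"])
    for name, size in report["largest_cookies"][:3]:
        print(f"{size:6d}  {name}")
    # Raising maxQueryString to 4096 clears only the query-string finding.
    raised = dict(DEFAULT_LIMITS, query_string=4096)
    print(analyze_request(build_sample(), raised)["exceeded"])
```

A request rejected by these limits never reaches the application, so measure what the browser sent rather than relying on application logs.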