Nonce errors with AzureAD SSO ASP.NET

We recently converted an application to use AzureAD for single sign on and discovered in our logs that we were seeing a number of Nonce related errors such as the one below.

We haven’t fully fleshed out this issue, but we were able to reproduce it with the following steps:

1) Browse to the site

2) Get redirected to the AzureAD SSO login page.

3) Wait 1 hour

4) Attempt to complete the login

Here is an article I found that discusses the same issue (with a slightly different error) along with some code for catching the exception and changing the nonce timeout.

https://teknovenus.com/nonce-expriation-idx10316-workaround-asp-net-mvc/

The error we are getting:

Session state is not available in this context.

Error method: Void ValidateNonce(System.IdentityModel.Tokens.JwtSecurityToken, Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidationContext)

IDX10311: RequireNonce is ‘true’ (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’.

Stack: at Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator.ValidateNonce(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext)

at Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator.Validate(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s