
Blazor Open ID Connect authentication error "The request included multiple client credentials"

I have implemented Open ID Connect with Blazor using the following method:

Startup.cs

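public class Startup
{
    // Name the OpenID Connect handler is registered under (AddOpenIdConnect below).
    // Login.cshtml.cs challenges this scheme by name, so the default challenge scheme
    // must use the same string. The original pointed the default at
    // OpenIdConnectDefaults.AuthenticationScheme ("OpenIdConnect"), a name no handler
    // is registered under, so any implicit challenge (e.g. from [Authorize]) would fail.
    private const string OidcScheme = "oidc";

    public Startup(IConfiguration configuration)
    {
        this.Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRazorPages();
        services.AddServerSideBlazor();
        services.AddSignalR(e =>
        {
            // ~100 MB per incoming SignalR message. Every connected circuit may send
            // messages this large, so keep it no bigger than the largest upload the
            // UI genuinely needs.
            e.MaximumReceiveMessageSize = 102400000;
        });
        services.AddBlazoredModal();
        services.AddHttpClient();
        services.AddScoped<AccessTokenStorage>();

        services.AddAuthentication(opt =>
        {
            // Sessions are carried by the auth cookie; the IdP is only used to sign in.
            opt.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            opt.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            opt.DefaultChallengeScheme = OidcScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(OidcScheme, options =>
        {
            options.Authority = Credentials.Authority;
            options.ClientId = Credentials.ClientId;
            // Read from a static Credentials class here; the secret should come from
            // configuration / a secret store and never be committed with the source.
            options.ClientSecret = Credentials.ClientSecret;
            // Authorization-code flow (the code is exchanged server-side using the secret).
            options.ResponseType = "code";
            // Keeps id/access/refresh tokens in the auth cookie so they can be read later
            // (AccessTokenStorage); this grows the cookie and puts the tokens in the browser.
            options.SaveTokens = true;
            // Fetches extra claims from the userinfo endpoint after the code exchange.
            // Against the company IdP this call was reported to fail with FBTOAU228E
            // ("multiple client credentials"); the reporter worked around it by setting
            // this to false and sourcing claims from the id_token instead. Which
            // credential gets sent twice against that IdP is not established here — verify
            // with the IdP's request log before relying on this setting.
            options.GetClaimsFromUserInfoEndpoint = true;
            // Cookie lifetime is governed by the cookie handler, not by the id_token's expiry.
            options.UseTokenLifetime = false;
            // openid and profile are already the handler's default scopes; these adds only
            // repeat them (harmless for most IdPs).
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" };

            options.Events = new OpenIdConnectEvents
            {
                // When the IdP answers access_denied, send the user home rather than
                // surfacing the remote-failure exception page.
                OnAccessDenied = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/");
                    return Task.CompletedTask;
                },
            };
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");

            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        // Routing has to run before the auth middleware so the selected endpoint's
        // metadata ([Authorize] etc.) is visible to it, and UseAuthorization was missing
        // entirely, so endpoint-level authorization was never enforced.
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapBlazorHub();
            endpoints.MapFallbackToPage("/_Host");
        });
    }
}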

Another vital part:

Login.cshtml.cs

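public class LoginModel : PageModel
{
    // Starts the OpenID Connect login flow. redirectUri arrives straight from the
    // query string; passing it through unchecked lets anyone craft a login link that
    // lands the user on an arbitrary external site after they authenticate (open
    // redirect), so only same-site relative paths are honoured.
    public async Task OnGet(string redirectUri)
    {
        var returnUrl = redirectUri;
        // Null/empty keeps the handler's own default; a non-local target is replaced
        // with the site root instead of being forwarded to the IdP.
        if (!string.IsNullOrEmpty(redirectUri) && !Url.IsLocalUrl(redirectUri))
        {
            returnUrl = "/";
        }

        // "oidc" must match the scheme name given to AddOpenIdConnect in Startup.
        await HttpContext.ChallengeAsync("oidc", new AuthenticationProperties
        {
            RedirectUri = returnUrl
        });
    }
}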

It seems to work OK with demo.identityserver.io.

However, when changing it to my company identity provider, sometimes I retrieve the following error:

FBTOAU228E The request included multiple client credentials. OAuth 2.0 protocol requests can have one client credential only. For example, the request cannot have client credentials in both the BA header and the request body.

Is this a Blazor side issue or problem with the identity provider?

It happens seemingly at random, but it reliably happens when I delete the .AspNetCore auth cookie in the browser. Doing that should simply send me back to the login screen, but instead it produces the error above. (It does not happen with demo.identityserver.io.)

Solved it. Seems this is problematic line:

options.GetClaimsFromUserInfoEndpoint = true;

I removed it (set it to false) and the flow works as expected. The userinfo request appears to be the call the company identity provider rejects — the code exchange itself succeeds — so with it disabled the claims have to come from the id_token instead (for example by requesting the needed scopes and mapping them with ClaimActions rather than relying on the userinfo endpoint).


 