Multiple IdentityServer Federation : Error Unable to unprotect the message.State

by

I believe you are getting the Unable to unprotect the message.State error because one of your OIDC providers is trying to decrypt/unprotect the message state of the other one. (The message state is just a random string to help with security.)

I suggest that you name the AuthenticationSchemes for each OIDC provider like oidc-demo and oidc-master. Then the external providers should send you back to the corresponding signin-oidc-demo and signin-oidc-master endpoints.

Turns out this answer was basically, correct. When using multiple OIDC providers you need different AuthenticationSchemes AND CallbackPath values:

.AddOpenIdConnect("oidc-google", options =>
  {
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.CallbackPath = "/signin-oidc-google";
    ...
  }
.AddOpenIdConnect("oidc-microsoft", options =>
  {
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.CallbackPath = "/signin-oidc-microsoft";
    ...
  }

Note that the authentication middleware will magically handle any CallbackPath that’s configured, so it doesn’t need to be handled explicitly.

If you don’t differentiate OIDC providers and use separate callback paths, they may try to sign in with the same scheme and the cryptography won’t match and only the first OIDC provider registered in your code will work.

More Related Contents:

  1. Google OAuth 2 authorization – Error: redirect_uri_mismatch
  2. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  3. What is the purpose of a “Refresh Token”?
  4. What are the main differences between JWT and OAuth authentication?
  5. What is the Authorized Javascript Origin for a webapp powered by Google Script?
  6. Set cookies for cross origin requests
  7. What’s the difference between OpenID and OAuth?
  8. Single Sign On across multiple domains [closed]
  9. How can I extend ServiceStack Authentication
  10. Socket.IO Authentication
  11. Forgot Password: what is the best method of implementing a forgot password function?
  12. How to use UrlFetchApp with credentials? Google Scripts
  13. how to implement login auth in node.js
  14. What if JWT is stolen?
  15. Kafka SASL zookeeper authentication
  16. How to get a JWT?
  17. CSRF Token necessary when using Stateless(= Sessionless) Authentication?
  18. What’s a redirect URI? how does it apply to iOS app for OAuth2.0?
  19. IIS7: Setup Integrated Windows Authentication like in IIS6
  20. OWIN – Authentication.SignOut() doesn’t seem to remove the cookie
  21. How to use Windows Active Directory Authentication and Identity Based Claims?
  22. In Subversion can I be a user other than my login name?
  23. Microservice Authentication strategy
  24. Single sign-on flow using JWT for cross domain authentication
  25. Where can I find a list of OpenID Provider URLs? [closed]
  26. Customize Authentication – Login Symfony2 Messages
  27. How to authenticate user with Azure Active Directory using OAuth 2.0?
  28. Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app
  29. Web API 2, OWIN Authentication, SignOut doesn’t logout
  30. How can I use persisted cookies from a file using phantomjs

Leave a Comment