I believe you are getting the "Unable to unprotect the message.State" error because one of your OIDC providers is trying to decrypt/unprotect the message state of the other one. (The message state is just a random string to help with security.)
I suggest that you name the AuthenticationSchemes for each OIDC provider like oidc-demo and oidc-master. Then the external providers should send you back to the corresponding signin-oidc-demo and signin-oidc-master endpoints.
—
Turns out this answer was basically correct. When using multiple OIDC providers you need different AuthenticationSchemes AND CallbackPath values:
services.AddAuthentication()
    // Each provider needs its own scheme name AND its own CallbackPath.
    .AddOpenIdConnect("oidc-google", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.CallbackPath = "/signin-oidc-google";
        ...
    })
    .AddOpenIdConnect("oidc-microsoft", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.CallbackPath = "/signin-oidc-microsoft";
        ...
    });
Note that the authentication middleware will magically handle any CallbackPath that's configured, so it doesn't need to be handled explicitly.
If you don’t differentiate OIDC providers and use separate callback paths, they may try to sign in with the same scheme and the cryptography won’t match and only the first OIDC provider registered in your code will work.
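A complete registration that applies both points from the update above (distinct scheme names and distinct CallbackPath values), plus the login endpoint that challenges a provider by scheme name. This is an added example, not the poster's code; it assumes a Duende IdentityServer host (for IdentityServerConstants), authority URLs and client credentials supplied via configuration, and a hypothetical /login/{scheme} endpoint; the rest of the host wiring (AddIdentityServer, pipeline) is omitted.

```csharp
using Duende.IdentityServer;                  // IdentityServerConstants (assumed: Duende IdentityServer host)
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);

// The OpenID Connect handler defaults CallbackPath to "/signin-oidc" for every
// registration. Two providers left on the default both try to process the same
// callback, and the second one fails to unprotect state the first one protected.
// Giving each provider its own scheme name and its own CallbackPath avoids that.
builder.Services.AddAuthentication()
    .AddOpenIdConnect("oidc-google", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.Authority = "https://accounts.google.com";                 // assumption
        options.ClientId = builder.Configuration["Google:ClientId"];         // assumption: from config
        options.ClientSecret = builder.Configuration["Google:ClientSecret"]; // assumption: from config
        options.ResponseType = "code";
        options.CallbackPath = "/signin-oidc-google";
        options.SignedOutCallbackPath = "/signout-callback-oidc-google";     // default is shared too
    })
    .AddOpenIdConnect("oidc-microsoft", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.Authority = "https://login.microsoftonline.com/common/v2.0"; // assumption
        options.ClientId = builder.Configuration["Microsoft:ClientId"];         // assumption: from config
        options.ClientSecret = builder.Configuration["Microsoft:ClientSecret"]; // assumption: from config
        options.ResponseType = "code";
        options.CallbackPath = "/signin-oidc-microsoft";
        options.SignedOutCallbackPath = "/signout-callback-oidc-microsoft";     // default is shared too
    });

var app = builder.Build();
app.UseAuthentication();

// Hypothetical endpoint: start an external login with one specific provider.
// Only the two registered scheme names are accepted, so the route value cannot
// select an arbitrary handler.
app.MapGet("/login/{scheme}", (string scheme) =>
    scheme is "oidc-google" or "oidc-microsoft"
        ? Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }, new[] { scheme })
        : Results.NotFound());

app.Run();
```

Each provider's redirect URI registered at Google or Microsoft must match its own CallbackPath (for example https://your-host/signin-oidc-google), or the callback never reaches the matching handler.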