This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Unhandled remote failure #1069

Closed
imperugo opened this issue Dec 13, 2016 · 24 comments

@imperugo

imperugo commented Dec 13, 2016

Hi,
I've an application that is using UseOpenIdConnectAuthentication with IdentityServer 4 and sometimes I get this weird error:

Connection id "0HL13A41L8P2I": An unhandled exception was thrown by the application.
System.AggregateException: Unhandled remote failure. ---> System.Exception: Correlation failed.
  --- End of inner exception stack trace ---
  at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRemoteCallbackAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<HandleRequestAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
  at Gaia.Bmw.Remarketing.Startup.<>c.<<Configure>b__11_0>d.MoveNext() in C:\Projects\bmw\bmw-remarketing\src\Gaia.Bmw.Remarketing\Startup.cs:line 128
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Server.IISIntegration.IISMiddleware.<Invoke>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Hosting.Internal.RequestServicesContainerMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
  at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.Frame`1.<RequestProcessingAsync>d__2.MoveNext()
---> (Inner Exception #0) System.Exception: Correlation failed.<---

Unfortunately I didn't find a way to replicate the problem; it just comes up in the log randomly.

Here is my configuration:

var oidcOptions = new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    ClaimsIssuer = urlBuilderConfiguration.Auth.Url,
    SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
    Authority = idsrvConfiguration.IdentityServerEndpoint,
    RequireHttpsMetadata = false,
    PostLogoutRedirectUri = urlBuilder.Home,
    ClientId = idsrvConfiguration.Clients.Remarketing.Id,
    ClientSecret = idsrvConfiguration.Clients.Remarketing.Secret,
    ResponseType = "code id_token",
    GetClaimsFromUserInfoEndpoint = true,
    SaveTokens = false, // https://auth0.com/docs/quickstart/webapp/aspnet-core/04-storing-tokens
    Scope =
    {
        idsrvConfiguration.Scopes.Frontoffice,
        "openid",
        "profile",
        "email",
        "roles"
    },
    TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = new X509SecurityKey(encryptingCertificate)
    },
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = ctx =>
        {
            // APIs must return 401 not 302
            if (ctx.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
            {
                var isAjax = ctx.Request.Headers["X-Requested-With"] == "XMLHttpRequest";

                if (isAjax)
                {
                    ctx.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
                    ctx.HandleResponse();
                    return Task.FromResult(0);
                }
            }
            return Task.FromResult(0);
        }
    }
};

I'm running the app on Azure AppService with fw46.
Do you have any hint on how to fix/understand the problem?

@imperugo
Author

Moreover, sometimes I also get this (message.State is null or empty):

Connection id "0HL13A41L8P2P": An unhandled exception was thrown by the application.
System.AggregateException: Unhandled remote failure. ---> System.Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.
  --- End of inner exception stack trace ---
  at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRemoteCallbackAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<HandleRequestAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
  at Gaia.Bmw.Remarketing.Startup.<>c.<<Configure>b__11_0>d.MoveNext() in C:\Projects\bmw\bmw-remarketing\src\Gaia.Bmw.Remarketing\Startup.cs:line 128
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Server.IISIntegration.IISMiddleware.<Invoke>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Hosting.Internal.RequestServicesContainerMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
  at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.Frame`1.<RequestProcessingAsync>d__2.MoveNext()
---> (Inner Exception #0) System.Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.<---

@Tratcher
Member

The 'Correlation failed.' is from a missing cookie. This usually means that the login process took too long (more than 15min), or that the client's cookie store was too full and one got discarded.
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationOptions.cs#L57

The missing State is a little stranger. That implies the IDP (IdentityServer4) didn't return that parameter to you. There's also a remote possibility the parameter failed to decrypt for some reason.
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L467-L493

@leastprivilege
Contributor

leastprivilege commented Dec 14, 2016

We are always returning state correctly. Maybe a URL length issue?

hm - it seems to post. So that's probably not the problem.

@imperugo
Author

@leastprivilege I don't think it is related to the URL length. When that happens I get a specific error in the log; in this case I have just this message.

I've also added data protection to use a shared key for decryption, but nothing changes.

@Tratcher
Member

It will be hard to tell without some fiddler traces and logs.

@imperugo
Author

I know.
Do you have any suggestions on where to add some useful logging?

@Tratcher
Member

How about in the MessageReceived event? That's just before the state exception.
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L473

@imperugo
Author

imperugo commented Dec 14, 2016

OK, what exactly should I check in the OnMessageReceived event (Skipped property?) and what should I log to provide more information (response body)?

Thanks

@Tratcher
Member

Request.Form
ProtocolMessage
Is the state there?

@imperugo
Author

imperugo commented Dec 15, 2016

ok, cool.
Just added this now

OnMessageReceived = ctx =>
{
    if (string.IsNullOrEmpty(ctx.ProtocolMessage.State))
    {
        StringBuilder sbForm = new StringBuilder();
        sbForm.Append("Form:");
        sbForm.AppendLine();
        sbForm.AppendLine();

        foreach (KeyValuePair<string, StringValues> formKey in ctx.Request.Form)
        {
            sbForm.AppendFormat("{0}: {1}", formKey.Key, formKey.Value);
        }

        StringBuilder sbProtocol = new StringBuilder();
        sbProtocol.Append("Protocol:");
        sbProtocol.AppendLine();
        sbProtocol.AppendLine();
        sbProtocol.AppendFormat("AccessToken: {0}", ctx.ProtocolMessage.AccessToken);
        sbProtocol.AppendFormat("Code: {0}", ctx.ProtocolMessage.Code);
        sbProtocol.AppendFormat("Display: {0}", ctx.ProtocolMessage.Display);
        sbProtocol.AppendFormat("AuthorizationEndpoint: {0}", ctx.ProtocolMessage.AuthorizationEndpoint);
        sbProtocol.AppendFormat("Error: {0}", ctx.ProtocolMessage.Error);
        sbProtocol.AppendFormat("ErrorDescription: {0}", ctx.ProtocolMessage.ErrorDescription);
        sbProtocol.AppendFormat("ErrorUri: {0}", ctx.ProtocolMessage.ErrorUri);

        logger.LogError("Message Received = {0}", sbForm.ToString());
        logger.LogError("Protocol Message = {0}", sbProtocol.ToString());
    }
    
    return Task.CompletedTask;
}

News when it happens again.
thx

@imperugo
Author

imperugo commented Dec 21, 2016

OK, it seems it is not possible to read ctx.Request.Form; when I try, I get "Incorrect Content-Type".

Here is the complete stack:

System.AggregateException: Unhandled remote failure. ---> System.InvalidOperationException: Incorrect Content-Type: 
  at Microsoft.AspNetCore.Http.Features.FormFeature.ReadForm()
  at Microsoft.AspNetCore.Http.Internal.DefaultHttpRequest.get_Form()
  at Gaia.Bmw.Remarketing.Startup.<Configure>b__13_2(MessageReceivedContext ctx) in C:\Projects\bmw\bmw-remarketing\src\Gaia.Bmw.Remarketing\Startup.cs:line 205
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.MessageReceived(MessageReceivedContext context)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<RunMessageReceivedEventAsync>d__28.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<HandleRemoteAuthenticateAsync>d__20.MoveNext()
  --- End of inner exception stack trace ---
  at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRemoteCallbackAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<HandleRequestAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Owin.WebSocketAcceptAdapter.<>c__DisplayClass6_0.<<AdaptWebSockets>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
  at Gaia.Bmw.Core.Middlewares.HttpToHttpsMiddleware.<Invoke>d__2.MoveNext() in C:\Projects\bmw\bmw-remarketing\core\src\Gaia.Bmw.Core\Middlewares\HttpToHttpsMiddleware.cs:line 19
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Server.IISIntegration.IISMiddleware.<Invoke>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.AspNetCore.Hosting.Internal.RequestServicesContainerMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
  at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.Frame`1.<RequestProcessingAsync>d__2.MoveNext()
---> (Inner Exception #0) System.InvalidOperationException: Incorrect Content-Type: 
  at Microsoft.AspNetCore.Http.Features.FormFeature.ReadForm()
  at Microsoft.AspNetCore.Http.Internal.DefaultHttpRequest.get_Form()
  at Gaia.Bmw.Remarketing.Startup.<Configure>b__13_2(MessageReceivedContext ctx) in C:\Projects\bmw\bmw-remarketing\src\Gaia.Bmw.Remarketing\Startup.cs:line 205
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.MessageReceived(MessageReceivedContext context)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<RunMessageReceivedEventAsync>d__28.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
  at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.<HandleRemoteAuthenticateAsync>d__20.MoveNext()<---

Any idea?

@imperugo
Author

Moreover, a few milliseconds before, I got "System.Exception: Correlation failed."

@Tratcher
Member

Tratcher commented Jan 3, 2017

That's interesting, you're getting a non-Form-Post request to your OIDC endpoint. How about logging all the request headers, path, and query.
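
Added example, not part of the thread and not code from aspnet/Security: one way to log the request line and headers for callbacks that arrive without `state`, guarding the `Request.Form` read that threw above and keeping token, code and cookie values out of the log. It assumes the ASP.NET Core 1.x OpenIdConnect middleware used in this issue; `OidcCallbackDiagnostics`, `LogSuspiciousCallback` and the redaction list are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Logging;

// Added example (hypothetical helper). Wire it up in OpenIdConnectEvents with:
//   OnMessageReceived = ctx => OidcCallbackDiagnostics.LogSuspiciousCallback(ctx, logger)
public static class OidcCallbackDiagnostics
{
    // Header values that must never reach the log (session cookies, bearer
    // tokens, the IIS/Kestrel pairing token seen in the header dump).
    private static readonly HashSet<string> Redacted = new HashSet<string>(
        new[] { "Cookie", "Authorization", "MS-ASPNETCORE-TOKEN" },
        StringComparer.OrdinalIgnoreCase);

    public static Task LogSuspiciousCallback(MessageReceivedContext ctx, ILogger logger)
    {
        var request = ctx.Request;
        var message = ctx.ProtocolMessage;

        // Only callbacks that are about to fail the state check are interesting.
        if (!string.IsNullOrEmpty(message?.State))
        {
            return Task.FromResult(0);
        }

        // Request.Form throws "Incorrect Content-Type" on a request that is not
        // a form post, so check HasFormContentType before touching it.
        var formKeys = request.HasFormContentType
            ? string.Join(",", request.Form.Keys)
            : "<no form body>";

        var headers = request.Headers.Select(h =>
            h.Key + "=" + (Redacted.Contains(h.Key) ? "<redacted>" : h.Value.ToString()));

        // Log names and presence flags only: form keys, cookie names and
        // whether a code was sent, never the code or token values themselves.
        logger.LogWarning(
            "OIDC callback without state: {Method} {Path}{Query} " +
            "ContentType={ContentType} FormKeys={FormKeys} CookieNames={CookieNames} " +
            "HasCode={HasCode} Error={Error} Headers={Headers}",
            request.Method,
            request.Path,
            request.QueryString,
            request.ContentType ?? "<none>",
            formKeys,
            string.Join(",", request.Cookies.Keys),
            !string.IsNullOrEmpty(message?.Code),
            message?.Error ?? "<none>",
            string.Join("; ", headers));

        return Task.FromResult(0);
    }
}
```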

@imperugo
Author

imperugo commented Jan 9, 2017

Back!
Adding logging now (I've also updated IDSRV to the latest version)

@imperugo
Author

Here we go.

Request

Path:

  • /signin-oidc

Query:

  • empty

Headers:

  • Connection: Keep-Alive
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Encoding: gzip, deflate, br
  • Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
  • Cookie: _ga=GA1.2.90480637.1483525358; _gat=1
  • Host: www.bmwucportal.it
  • Max-Forwards: 10
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
  • Upgrade-Insecure-Requests: 1
  • X-LiveUpgrade: 1
  • X-Original-URL: /signin-oidc
  • X-ARR-LOG-ID: 80d23f61-df29-4b80-ae1e-355546d2dda3
  • DISGUISED-HOST: www.bmwucportal.it
  • X-SITE-DEPLOYMENT-ID: bmwremarketing
  • WAS-DEFAULT-HOSTNAME: bmwremarketing.azurewebsites.net
  • X-Forwarded-For: 95.241.171.5:50564
  • X-ARR-SSL: 2048|256|C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA|OU=Domain Control Validated, OU=COMODO SSL Wildcard, CN=*.bmwucportal.it
  • MS-ASPNETCORE-TOKEN: dcae696c-f7ab-42b7-bc44-3060020689f1
  • X-Original-For: 127.0.0.1:49218
  • X-Original-Proto: http

ProtocolMessage

  • AccessToken:
  • Code:
  • Display:
  • AuthorizationEndpoint:
  • Error:
  • ErrorDescription:
  • ErrorUri:

Useful?

@Tratcher
Member

Yeah, that's not a login request. Some user is ending up at /signin-oidc without a body, content type, cookies, etc. Not much you can do about it but find them and ask why/how.

@Eilon
Member

Eilon commented Jan 19, 2017

Yeah this looks like it's just some random client making a call to your site, so it might just be an innocuous error. You might want to look at the calling IP address to see what/who it is.

Eilon closed this as completed Jan 19, 2017
Eilon added the invalid label Jan 19, 2017
@imperugo
Author

Really, I found a way to replicate it.
Here are the steps:

  1. Go to the website on a protected page
  2. You get redirected to the login page (IDSRV on another domain)
  3. Wait till the cookie released on the website (step 1) expires, or delete it
  4. Login
  5. You get redirected to /signin-oidc (client application, not IDSRV) and get the error.

Is it normal?
Is there a way to prevent it?

Thanks

Eilon reopened this Jan 20, 2017
@Eilon
Member

Eilon commented Jan 20, 2017

@imperugo thanks for the update. Can you perhaps send more info such as a network trace so that we can see the series of redirects, etc.? E.g. on Windows using Fiddler, or using your browser's dev tools?

@Tratcher does this make sense to you? Any idea how the client would end up there?

@AntonioComiGaia

Hi @Eilon
this is the network trace using Fiddler (all sensitive data cleaned)

1_Full.txt

@Eilon
Member

Eilon commented Jan 23, 2017

@Tratcher can you review the trace and see what's going on here?

Eilon added the investigate label Jan 23, 2017
@Tratcher
Member

These are two different issues. The one in your original post was a GET request to /signin-oidc, which there's still no explanation for why the client sent. The one from your manual repro is a POST to /signin-oidc which is intentionally missing cookies. This does not explain the first issue, but we can show you ways to mitigate it.

If you hook into the OnRemoteFailure event you can override the default 500 response with your own response or redirect.
https://github.com/aspnet/Security/blob/dev/samples/SocialSample/Startup.cs#L122-L126
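
Added example, not part of the thread and not the linked sample: an `OnRemoteFailure` handler that replaces the default 500 for the two cases separated above, a request to /signin-oidc that carries no OIDC response at all and a real callback whose correlation cookie or state is missing. It assumes the ASP.NET Core 1.x `FailureContext` API used in this issue; `OidcFailureHandling`, `HandleRemoteFailure` and the `/signin-failed` path are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;

// Added example (hypothetical helper). Wire it up in OpenIdConnectEvents with:
//   OnRemoteFailure = ctx => OidcFailureHandling.HandleRemoteFailure(ctx, logger)
public static class OidcFailureHandling
{
    // Hypothetical local page. It must allow anonymous access, otherwise the
    // redirect triggers a new challenge and can loop.
    private const string SignInFailedPath = "/signin-failed";

    public static Task HandleRemoteFailure(FailureContext ctx, ILogger logger)
    {
        var request = ctx.Request;

        // Record who called and how, so stray requests can be traced by
        // address (header names as they appear in the dump in this thread).
        logger.LogWarning(
            "Remote sign-in failed: {Failure}. {Method} {Path} " +
            "ContentType={ContentType} ForwardedFor={ForwardedFor} UserAgent={UserAgent}",
            ctx.Failure?.Message,
            request.Method,
            request.Path,
            request.ContentType ?? "<none>",
            request.Headers["X-Forwarded-For"].ToString(),
            request.Headers["User-Agent"].ToString());

        // A form post or a query string means an identity provider response was
        // at least attempted; a bare request (no body, no query) was not a login.
        var carriesOidcResponse = request.HasFormContentType || request.QueryString.HasValue;

        if (carriesOidcResponse)
        {
            // Expired or deleted correlation cookie, missing state, and so on:
            // send the user to a fixed local page where sign-in can be restarted.
            // Nothing taken from the request is reflected into the redirect.
            ctx.Response.Redirect(SignInFailedPath);
        }
        else
        {
            ctx.Response.StatusCode = 400;
        }

        // Mark the response as complete so the middleware does not rethrow the
        // failure as the "Unhandled remote failure" AggregateException.
        ctx.HandleResponse();
        return Task.FromResult(0);
    }
}
```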

@Eilon
Member

Eilon commented Feb 2, 2017

We are not able to find any issues in the middleware, so we are closing this issue.

Eilon closed this as completed Feb 2, 2017
Eilon added the invalid label and removed the investigate label Feb 2, 2017
@aejmelaeus

We had this same exception and found out that it can be caused when a user presses the back button in FF. Chrome seems to work ok.
