set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

[prasannagrchandran]

Hi Guys,

I have implemented configurations...In my localhost SSO working fine... i am able to get the data
but when i host it in the server i am getting below mentioned error

IDX21323: RequireNonce is 'System.Boolean'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

FYI:

• I have changed redirect uri and post logout uri from localhost to server domain
• Application built on Asp.Net MVC 4.7.2

Please help me to get rid of this error

[bryanapellanes-okta]

@prasannagrchandran,
Thanks for reaching out! Can you provide minimal sample code and steps to reproduce the error? Also, without exposing sensitive data like secrets or api keys, please share your configuration to help us troubleshoot further.

[prasannagrchandran]

This is my startup.cs

using System.Collections.Generic;
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;

[assembly: OwinStartup(typeof(PepEvents.Startup))]

namespace PepEvents
{
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
            ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
            AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
            RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });
    }
}

}

[prasannagrchandran]

Web.config

	<add key="okta:ClientId" value="ID" />
	<add key="okta:ClientSecret" value="ID" />
	<add key="okta:OktaDomain" value="domain" />
	<add key="okta:AuthorizationServerId" value="default" />

	<!-- 2. Update the Okta application with these values -->

	<!--<add key="okta:RedirectUri" value="https://localhost:44345/" />
	<add key="okta:PostLogoutRedirectUri" value="https://localhost:44345/userAuth/Exit" />-->

	<add key="okta:RedirectUri" value="URL" />
	<add key="okta:PostLogoutRedirectUri" value="URL" />


</appSettings>
<system.web>
	<customErrors mode="Off" />
	<compilation debug="true" targetFramework="4.7.2" />
	<httpRuntime targetFramework="4.7.2" />
	<sessionState cookieSameSite="None" />
	<httpCookies requireSSL="true" />
</system.web>
<connectionStrings>
	
	<add name="csr_eventsDb" connectionString="#{MY-CONNECTIONSTRING}#" />
</connectionStrings>
<runtime>
	<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
		<dependentAssembly>
			<assemblyIdentity name="Antlr3.Runtime" publicKeyToken="eb42632606e9261f" />
			<bindingRedirect oldVersion="0.0.0.0-3.5.0.2" newVersion="3.5.0.2" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
			<bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="System.Web.Optimization" publicKeyToken="31bf3856ad364e35" />
			<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" />
			<bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
			<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
			<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
			<bindingRedirect oldVersion="1.0.0.0-5.2.7.0" newVersion="5.2.7.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-6.7.1.0" newVersion="6.7.1.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.IdentityModel.Protocols.OpenIdConnect" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-5.3.0.0" newVersion="5.3.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.IdentityModel.Tokens" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-6.7.1.0" newVersion="6.7.1.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.IdentityModel.Protocols" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-5.3.0.0" newVersion="5.3.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.Owin.Security.Cookies" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
		</dependentAssembly>
		<dependentAssembly>
			<assemblyIdentity name="Microsoft.IdentityModel.Logging" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			<bindingRedirect oldVersion="0.0.0.0-6.7.1.0" newVersion="6.7.1.0" />
		</dependentAssembly>
	</assemblyBinding>
</runtime>
<system.codedom>
	<compilers>
		<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
		<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" />
	</compilers>
</system.codedom>

[prasannagrchandran]

From the error i think we need to set nonce to false but i dont know how to set

[gfody]

I ran into this as well. merging this rejected pr and setting the cookie manager to new SystemWebCookieManager() got things working. setting the cookie manager earlier as suggested in this comment did not work for me.

[bryanapellanes-okta]

I ran into this as well. merging this rejected pr and setting the cookie manager to new SystemWebCookieManager() got things working. setting the cookie manager earlier as suggested in this comment did not work for me.

It's good to know there's a fix. I've opened an internal issue for tracking and prioritization. OKTA-790251