Custom state not set for OpenIdConnectProtocolValidator

[DevJasperNL]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

We are currently in the process of hardening our OIDC implementation. As part of this, we want to add an antiforgery token to the state and validate it when getting the response from the IDP.

However, when using context.ProtocolMessage.State, enabling state validation on OpenIdConnectProtocolValidator causes an exception.

Expected Behavior

After enabling RequireState and RequireStateValidation, any state set in context.ProtocolMessage.State should be validated automatically.

Steps To Reproduce

When configuring OpenIdConnect, I am enabling both RequireState and RequireStateValidation:

options.ProtocolValidator.RequireState = true;
options.ProtocolValidator.RequireStateValidation = true;

Then in OnRedirectToIdentityProvider, I am configuring a custom state:

options.Events.OnRedirectToIdentityProvider = (RedirectContext context) =>
{
    context.ProtocolMessage.State = "AntiForgery token will go here";
    return Task.CompletedTask;
};

This will result in the following exception:
OpenIdConnectProtocolInvalidStateException: IDX21329: RequireState is 'System.Boolean' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.

After further investiation, I see that inside the OpenIdConnectProtocolValidator, OpenIdConnectProtocolValidationContext.State remains null.

When looking into where this is created, it seems that State is never set on this context:

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

Line 684 in 9efaf0e

Options.ProtocolValidator.ValidateAuthenticationResponse(new OpenIdConnectProtocolValidationContext()

Exceptions (if any)

OpenIdConnectProtocolInvalidStateException: IDX21329: RequireState is 'System.Boolean' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.

.NET Version

7.0.403

Anything else?

When looking into where this is created, it seems that State is never set on this context:

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

Line 684 in 9efaf0e

Options.ProtocolValidator.ValidateAuthenticationResponse(new OpenIdConnectProtocolValidationContext()

[DevJasperNL]

After some experimenting with this, it seems there are two issues:

1. State validation on OpenIdConnectProtocolValidator does not work at all. Even if the original state is not altered, setting both RequireState and RequireStateValidation to true will never work due to the state not being set on the context.

HOWEVER: If the incorrect state is passed, it does result in exceptions. So at least some checks are done on it. Looking in OpenIdConnectHandler, I do see a ValidateCorrelationId method being called, but I am unsure if this actually validates the state itself:

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

Line 612 in c8ef35d

if (!ValidateCorrelationId(properties))

2. Setting context.ProtocolMessage.State in OnRedirectToIdentityProvider handler does not change the state being sent to the IDP. It does however change the state in OpenIdConnectProtocolValidationContext.ProtocolMessage.State (but OpenIdConnectProtocolValidationContext.State remains null)

[Rora]

I also need to know how to leverage the state, is there any update or expected timeline on this?

[RickvF]

I am facing the same issue. Can anyone please give an update on this?

[DevJasperNL]

I have closed and reopened this issue as suggested by the bot above, yet the "pending-ci-rerun" label is not removed.

Leaving this comment to inform that I have rechecked, and the issue is still there.