
Why would Owin.OpenIdConnect throw OpenIdConnectProtocolException: OICE_20004: A 'nonce' was not found

Apr 15, 2014 at 9:49 PM
Edited Apr 15, 2014 at 9:50 PM
Hi

I am using Microsoft.Owin.Security.OpenIdConnect 0.29.1-pre and it worked fine connecting to Azure AD the first time, but when I try to connect now using the same AD account it keeps throwing OICE_20004: A 'nonce' was not found. The JWT token contained this nonce:

Now the nonce it shows is different depending on the browser used.

I have configured the OpenIdConnect to use the client Id and login url for the Azure AD and Application configured.

I have deleted the browser cookie and cache and tried again.

I followed the instructions in http://blogs.msdn.com/b/webdev/archive/2014/03/28/owin-security-components-in-asp-net-openid-connect.aspx and http://www.cloudidentity.com/blog/2014/02/20/ws-federation-in-microsoft-owin-componentsa-quick-start/

Now, could it be the Authority I have used, as it was not really clear which app endpoint to use from the list?

Regards

Richard....
Developer
Apr 30, 2014 at 5:55 PM
Nonce not found means that the runtime couldn't find the cookie nonce that was created when the OpenIdConnect request was sent.

Were you prompted for new credentials?
Can you share the jwt that was returned?
Was the nonce different OR missing?
Developer
May 6, 2014 at 6:29 PM
I have seen this happen when a post is replayed. The OIDC handler deletes the cookie that contains the nonce when an id_token arrives.

You can detect such situations and take action by hooking the notification: OpenIdConnectAuthenticationNotifications.AuthenticationFailedNotification.
AuthenticationFailedNotification.Exception will be an OpenIdConnectProtocolException with a message starting with: OICE_20004.

AuthenticationFailedNotification.SkipToNextMiddleware() will result in Wilson NOT throwing and a 401 will result.
Marked as answer by Tratcher on 5/21/2014 at 2:12 PM
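Hooking the AuthenticationFailed notification as the answer above describes, as an added example that is not code from the thread or from the Katana project. It assumes the released Microsoft.Owin.Security.OpenIdConnect API (Notifications.AuthenticationFailed delegate, OpenIdConnectProtocolException in Microsoft.IdentityModel.Protocols), which may differ from the 0.29.1-pre package the poster used; the ClientId, Authority and RedirectUri values are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;   // OpenIdConnectProtocolException
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholders (assumed): substitute the values registered for your app in Azure AD.
            ClientId = "<your-client-id>",
            Authority = "https://login.windows.net/<your-tenant>",
            RedirectUri = "https://localhost:44300/",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    // A replayed id_token POST arrives after the handler has already deleted
                    // the nonce cookie, so validation fails with OICE_20004. Instead of letting
                    // the exception surface as a server error, skip to the next middleware:
                    // the request is then simply unauthenticated (401) and the user is sent
                    // through a fresh sign-in with a new nonce.
                    if (context.Exception is OpenIdConnectProtocolException &&
                        context.Exception.Message.StartsWith("OICE_20004", StringComparison.Ordinal))
                    {
                        context.SkipToNextMiddleware();
                    }

                    // Any other failure is left to the handler's default behaviour (throw).
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Matching on the message prefix keeps the handler narrow: other protocol failures (signature, issuer, audience) still throw and are visible in logs rather than being silently downgraded to a 401.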