This project has moved and is read-only. For the latest updates, please go here.


Authorization Code Flow not supported in OpenIDConnect


The Microsoft.Owin.Security.OpenIdConnect does not implement Authorization Code Flow.
See OpenidConnectAuthenticationHandler.cs:247 in v3.0.1
// code is only accepted with id_token, in this version, hence check for code is inside this if
// OpenIdConnect protocol allows a Code to be received without the id_token
if (string.IsNullOrWhiteSpace(openIdConnectMessage.IdToken))
    _logger.WriteWarning("The id_token is missing.");
    return null;
This is in violation with the OpenID Connect v1.0 specifications. So this should be implemented.
Closed Mar 2 at 10:39 PM by mgirgin


Tratcher wrote Dec 8, 2015 at 4:57 PM

FYI: Development of this component has moved to, where the code flow has already been implemented.

RobinIT wrote Dec 9, 2015 at 9:42 AM

Good to hear! (Codeplex is rather cumbersome imo) Any chance of a backport for these? Or does this mean our project will need to switch libraries or migrate to ASP.NET 5 when it's due?

Tratcher wrote Dec 9, 2015 at 3:26 PM

There are not currently any plans to backport feature work.