OpenIdConnect: invalid nonce doesn't prevent user from signing in

This post was originally posted on the Thinktecture.IdentityServer3 bug tracker. https://github.com/IdentityServer/IdentityServer3/issues/1346 Guys said it's a Microsoft issue. Seems like even if nonce...

Id #408 | Release: None | Updated: Mon at 12:45 PM by balbelias | Created: Fri at 2:23 PM by balbelias

Upgrade invalidated tokens

In NuGet Manager, I recently upgraded all Owin packages: Microsoft.Owin: 3.0.0.0 to 3.0.0.1, Microsoft.Owin.Security: 3.0.0.0 to 3.0.1.0, Microsoft.Owin.Secu...

Id #407 | Release: None | Updated: May 14 at 6:45 PM by cjrogala | Created: May 14 at 6:45 PM by cjrogala

Running OwinHost as daemon on Linux under mono exits prematurely

OwinHost starts up and then waits for enter to be pressed. On Linux/mono, when running as a daemon, a call to ReadLine() returns EOF immediately, causing OwinHost to exit prematurely. There shoul...

Id #405 | Release: None | Updated: Apr 16 at 5:22 PM by swish014 | Created: Apr 16 at 5:19 PM by swish014

Inspect "X-Forwarded-Proto" when creating redirect URI

OpenIdConnectAuthenticationHandler.CurrentUri merely takes the URI of the OWIN request and disregards the value of the "X-Forwarded-Proto" header. Thus if the application is behind a load balancer ...

Id #404 | Release: None | Updated: Apr 14 at 5:28 PM by omidkrad | Created: Apr 14 at 5:43 AM by rasmusnu

JwtBearerAuthenticationOptions with TokenValidationParameters doesn't work as expected

Hi! I have an OWIN Web API (IIS hosted) secured with OAuth2 JWT tokens. The authentication options are configured like this: var options = new JwtBearerAuthenticationOptions { ...

Id #403 | Release: None | Updated: Mar 11 at 7:32 PM by ultraman69 | Created: Mar 11 at 6:57 PM by ultraman69

OpenIdConnect nonce cookies - no overflow handling

In v3.0.1, the following issue was fixed: "OpenIdConnect nonces need a unique cookie name". For each authentication request, a unique nonce cookie is now created. Even though these are Session ba...

Id #402 | Release: None | Updated: Mar 9 at 2:28 PM by yuyuki | Created: Mar 5 at 10:31 AM by loctanvo

Override Http Status Code for OAuth Error

Per RFC 6749 you should be able to specify the HTTP status code in an OAuth error situation. There appears to be no way to accomplish this as you are hard-coding the response at https://katanaproje...

Id #401 | Release: None | Updated: Mar 2 at 6:55 PM by MotoWilliams | Created: Mar 2 at 6:55 PM by MotoWilliams

Incorrect functionality of OwinRequest.Cookies

The cookie values as returned by OwinRequest.Cookies are URL-decoded; this is not correct. The HTTP specifications do not state that values in the HTTP Cookie header are to be transmitted URL-encoded...

Id #399 | Release: None | Updated: May 18 at 4:43 AM by rdrawsky | Created: Feb 23 at 3:22 PM by wdb

OpenIdConnectAuthenticationHandler doesn't log the actual exception information

This is related to my discussion in here. When an exception occurs in the OpenIdConnectAuthenticationHandler it is written to (trace) logs using the line: _logger.WriteError("Exception occurred wh...

Id #398 | Release: None | Updated: Feb 16 at 8:50 AM by htuomola | Created: Feb 16 at 8:50 AM by htuomola

EnterpriseLibrary conflict

Little puzzling this one, as I can't see any reference to enterpriselibrary.common within the owin dependencies, so apologies if I have this incorrect. I have another object within my application th...

Id #397 | Release: None | Updated: Feb 16 at 8:57 AM by ajVersed | Created: Feb 13 at 3:27 PM by ajVersed