Sometimes get a "idp claim is missing" with AspNetIdentity when authorizing

[liamdawson]

System.InvalidOperationException: idp claim is missing
   at IdentityServer4.Extensions.PrincipalExtensions.GetIdentityProvider(IIdentity identity) in IdentityServer4-1.0.0-rc1\src\IdentityServer4\Extensions\PrincipalExtensions.cs:line 184}   System.InvalidOperationException

IS4 entries in project.json:

"IdentityServer4": "1.0.0-rc1",
"IdentityServer4.AspNetIdentity": "1.0.0-rc1",
"IdentityServer4.AccessTokenValidation": "1.0.0-rc1" (resolving to 1.0.1-beta1)

I'm using ASP.Net Core Identity, and I've included the IdentityServer4 token validation library (I want to secure an api for user creation etc as part of the same service).

Here are the claims that are set on the current identity:

[0]: "sub: 3b26b2f3-ed9d-4ca0-9fd1-cb686484002d"
[1]: "name: liam@example.com"
[2]: "AspNet.Identity.SecurityStamp: eccf3972-e976-450d-a5a2-3be969616786"
[3]: "role: sysadmin"
[4]: "mp.sysadmin: true"
[5]: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: Liam"
[6]: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: Dawson"

Is this just a "we should allow returning null for the provider"? Or is there a further underlying issue/misconfiguration? In this instance, I'm only supporting one IDP, so I don't personally mind a bandaid fix.

[leastprivilege]

How do you sign in the user?

[liamdawson]

Via a login endpoint. In this instance, the idp claim issue arose after automatically being accepted as being logged in (via cookies).

[liamdawson]

Entirety of the login endpoint:

        [AllowAnonymous]
        [HttpPost]
        public async Task<IActionResult> Login(LoginViewModel model, string redirectUrl = null)
        {
            if (!ModelState.IsValid)
            {
                var errors = ModelState.Values.SelectMany(v => v.Errors).Select(e => e.ErrorMessage ?? e.Exception?.Message); 
                _logger.LogWarning("Login request was invalid. Errors: {errors}, Password provided for {username}: {password_provided}.",
                    errors,
                    model.Email,
                    !string.IsNullOrEmpty(model.Password));
                return StatusCode(StatusCodes.Status400BadRequest);
            }

            var result = await _signInManager.PasswordSignInAsync(model.Email,
                model.Password,
                model.RememberMe ?? false,
                true);

            if (result.Succeeded)
            {
                return Redirect(string.IsNullOrEmpty(redirectUrl) ? "/" : redirectUrl);
            }

            return StatusCode(StatusCodes.Status403Forbidden);
        }

(which wasn't called in this instance, because already logged in)

[leastprivilege]

I see - so it maybe happens when the gets "slided" ? @brockallen ?

[kdaveid]

I have made the same experiences. Usually this happens when (in dev) I restart the auth server (IdentityServer4) but not the MVC client and make a new request to an [Authorize]'d method within MVC app. The exact behavior I'll probably see today as I'll go further with implementing.

[brockallen]

Possibly. I did have a reminder for myself to look into this.

[ManuelRauber]

I can confirm this behavior using ASP.NET Core Identity, too.

SPA with Implicit using the popup mode. Code is the same as in your quickstarter examples.

[brockallen]

The cookie does not lose any claims when it slides, but it will lose claims if the security stamp is invalidated. Is this perhaps what you're running into?

If any of you having this issue can confirm that it's not the cookie sliding, but instead the security stamp validation I'd appreciate it. Thanks!

[brockallen]

BTW, the properties are not lost so what we'll have to do is either 1) store these crucial claims in the properties, and then reload the claims from the properties, or, the less desirable option, 2) in our AddAspNetIdentity we replace the security stamp validator with all of the exact same logic as the built-in one, but instead we reload from the current claims rather than from the DB.