IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal

Question

IssuerAddress not being set in OpenidConnectHandler.HandleChallengeAsyncInternal

roddharris opened this issue 22 days ago · 3 comments

Is there an existing issue for this?

I have searched the existing issues

Describe the bug

I'm using the AddOpenidConnect extension method to configure OpendidConnect to work with our Keycloak IDP. Whenever the Challenge is requested, I receive an error: "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid." (Line 485 of the HandleChallengeAsyncInternal).

It appears that this is supposed to be set when the configuration manager reads the OIDC configuration from the .well-known endpoint of my IDP. (Line 402) It seems as though the manager is unable to read the IDP configuration or is unable to pull out the authorization_endpoint property of my IDP configuration.

Expected Behavior

When the Challenge is required, the OpenidConnectHandler should redirect the browser to the authorization_endpoint that is defined in the well-known endpoint of the IDP configured using the AddOpenidConnect extension method.

Steps To Reproduce

Here is the configuration in program.cs

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://my-keycloak-idp.com/auth/realms/myrealm";
        options.ClientId = "my-app-client-id";  //public client, no secret
        options.CallbackPath = "/auth";
        options.RequireHttpsMetadata = true;
        options.MetadataAddress = "https://my-keycloak-idp.com/auth/realms/myrealm/.well-known/openid-configuration";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.UsePkce = true;
        options.ResponseType = OpenIdConnectResponseType.Code;
    });

Here is the configuration returned by the metadata endpoint.

Exceptions (if any)

Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.

.NET Version

8.0.100

Anything else?

This is an Asp.NET Core 8.0 MVC application.
I'm running in VS 2022

Answer 1 · 2024-05-17T17:59:29.000Z

Sorry, I forgot to add that my Keycloak client is set for Standard Flow, Implicit Flow and Direct Access Grants. I also have my Web Origins configured as well as my Valid Redirect URIs.