Migrating from 1.5.21 to 2.3.1 OIDC Issue

I’m trying to test out 2.3.1. I updated my Dockerfile to pull down the new zip file for Linux. Locally, I’m starting up everything the same as 1.5.21, but I can’t sign in for my localhost environment.
I’m using AzureAD Auth, so I have the OIDC stuff configured exactly the same as before. But at http://localhost:5000/auth/signin-oidc I get an error (HTTP ERROR 500) after signing into my Azure account. If I go through the sign-in process with Dev tools open I can see the POST back to localhost:5000; the form data has access_token and id_token, and they are valid along with the other form data.

Errors in the docker/PSU logs.

    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie '.AspNetCore.OpenIdConnect.Nonce.CfDJ8KU45wc21…' has set 'SameSite=None' and must also set 'Secure'.
    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie '.AspNetCore.Correlation.eh8mPFQ…' has set 'SameSite=None' and must also set 'Secure'.
    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie '.AspNetCore.Correlation.eh8mPFQMMy6…' has set 'SameSite=None' and must also set 'Secure'.
    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie '.AspNetCore.OpenIdConnect.Nonce.CfDJ8KU45wc21DJ…' has set 'SameSite=None' and must also set 'Secure'.
    fail: Universal.Server.Services.DashboardManager[0]
          Dashboard process is not running. Dashboard may have crashed or failed to start.
    fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[17]
          Exception occurred while processing message.
    System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
       at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
       at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
       at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
    fail: Microsoft.AspNetCore.Server.Kestrel[13]
          Connection id "0HMBUK7DNI30I", Request id "0HMBUK7DNI30I:00000008": An unhandled exception was thrown by the application.
    System.Exception: An error was encountered while handling the remote login.
     ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
       at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
       at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
       at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
       --- End of inner exception stack trace ---
       at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
       at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

Also see these errors in the logs.

For the OIDC error, try disabling GetUserInfo. In appsettings.json, set it to false. It’s used for retrieving additional information about users as they log in, but it seems to cause problems in some Azure AD environments. It’s not really necessary for Azure AD and was added to support Okta group claims.

    "OIDC": {
      "Enabled": "true",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "6f006906-643a-40fe-af00-9060ceffffff",
      "ClientSecret": "xxxxxxxxxxxxxxxxxx",
      "Resource": "",
      "Authority": "https://login.microsoftonline.com/fffffff-4b76-4470-a736-8481d7a2ed87",
      "ResponseType": "code",
      "SaveTokens": "false",
      "GetUserInfo": false
    },

As for the dashboard error, verify that the correct environment is configured. For example, if you are expecting it to be running WinPS, try setting it to WinPS rather than the default environment.

Looks like that was it, thank you.
Now to figure out why my dashboards aren’t starting on the new version…

I’m in PSU now @adam, but I’m having some strange issues with running scripts and starting dashboards. It seems like it doesn’t like any Environments I have set up and only works with the Integrated environment.

I’m wondering if there might be some things I’m missing in my container that your official build adds. I kept my previous one pretty much the same, just updated it to point to the new zip file.

If I attach to the container and execute that path, /usr/bin/pwsh, it opens PowerShell, but if I execute a script with top open I never see it execute pwsh. Similar with the dashboards: they never start.

Error Log for script

Error Log for Dashboard

Piggy-backing on an existing thread here. Hope that’s OK.

I’m seeing this “SameSite” cookie warning in my logs too:

    2021-11-21 21:15:55.456 +00:00 [WRN] The cookie '.AspNetCore.OpenIdConnect.Nonce.CfDJ8GSFh591eAlLtxxM7KFjbt-VnxU5j8AGXubInbcBGyrMp7O6gq6eX-lGl44OXcdsUIAMO9PbzIpSHGq_zPEj0E6wZSqxcdKfrfE7mWykRNukSOTLLDYtTBlHnZAlGnp9zhUaZGM4LMWrOBHSB7bU8fiLePqil_rZcTKNRz_u6HFcu7HprSyEOrY5w-BwXjI9_Ig0YuPKbdEKJF1JRTzcdlKmCtl4kE6r6oM3O9CNaaJ4q7-eGFyKNYGVB81oaLaVPrl7W9fr5V_Ny4NDV7vIQK4' has set 'SameSite=None' and must also set 'Secure'.
    2021-11-21 21:15:55.466 +00:00 [WRN] The cookie '.AspNetCore.Correlation.3xjUgePzFohZ9LYKMXFyaU4EDuCNkM_t-JHWoeHyZ0A' has set 'SameSite=None' and must also set 'Secure'.

I’ve tried setting Authentication__OIDC__GetUserInfo to false in our environment variables and restarted, but it’s still there.

Doesn’t seem to be causing any issues, but I’d rather not pollute the logs with warnings if I can avoid it.

You can try setting the same-site cookie setting with this option: `"CorrelationCookieSameSite": "",`

    Authentication__OIDC__CorrelationCookieSameSite = 'secure'

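The warning quoted in this thread is ASP.NET Core flagging the rule modern browsers enforce: a cookie marked SameSite=None must also carry the Secure attribute, or the browser drops it and the OIDC correlation/nonce round trip fails. The following Python is an added example, not code from the thread or from PowerShell Universal, that audits Set-Cookie headers for exactly that condition; the cookie names are modelled on the ones in the logs above, and their values are constructed placeholders.

```python
# Added example: audit Set-Cookie headers for "SameSite=None without Secure",
# the condition behind the ASP.NET Core ResponseCookies warning in this thread.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    value-less attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def samesite_none_without_secure(header: str) -> bool:
    """True when the cookie sets SameSite=None but omits Secure (the warning case).
    The SameSite value is compared case-insensitively, as browsers do."""
    _, attrs = parse_set_cookie(header)
    return attrs.get("samesite", "").lower() == "none" and "secure" not in attrs


def audit_cookies(headers: List[str]) -> List[str]:
    """Return the names of cookies that would trigger the warning."""
    return [parse_set_cookie(h)[0] for h in headers if samesite_none_without_secure(h)]


# Constructed sample headers (placeholder values, not real nonce/correlation tokens).
SAMPLE_HEADERS = [
    ".AspNetCore.OpenIdConnect.Nonce.PLACEHOLDER=v1; path=/; samesite=none; httponly",
    ".AspNetCore.Correlation.PLACEHOLDER=v2; expires=Sun, 21 Nov 2021 21:30:55 GMT; "
    "path=/; samesite=none; httponly",
    # Same correlation cookie, but correctly marked Secure: should not be flagged.
    ".AspNetCore.Correlation.PLACEHOLDER=v2; path=/; secure; samesite=none; httponly",
    # Lax cookie without Secure: not the condition the warning describes.
    ".AspNetCore.Cookies=v3; path=/; samesite=lax; httponly",
]

if __name__ == "__main__":
    for cookie in audit_cookies(SAMPLE_HEADERS):
        print(f"warn: cookie {cookie!r} has SameSite=None but is missing Secure")
```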

OK, I’ve set that and restarted. I do see the same cookie warning in the log right after the restart. Will give it a couple of minutes and see if it happens again. We were getting those two warnings every five minutes.

Edit: Nope, still getting that same pair of warnings in the log after setting that environment variable to “secure” and restarting. Is it case sensitive by any chance? Maybe it has to be “Secure” like in the warning text?

Edit 2: Nope, even with a capital “S” it still logs warnings.