Session change in between Request and Process user authorization
I am trying to implement a simple login page that redirects a user to an OAuth2.0 login server, and then back to a callback URL after they have successfully logged in.

However, I keep on getting an exception with the error message:

Unexpected OAuth authorization response received with callback and client state that does not match an expected value.

From debugging I noticed that the session id from before calling "RequestUserAuthorization()" and after are different.

I read from some SO answers that I need to somehow prevent session changing, but not sure how to achieve that in this scenario.

Any help would be appreciated, thanks!

My distilled implementation is as follows:

private readonly WebServerClientCustomImpl _oauthClient = new WebServerClientCustomImpl();

public ActionResult Login()
{
    // Returns null when this request is not an authorization callback.
    IAuthorizationState auth = _oauthClient.ProcessUserAuthorization();

    if (auth == null)
    {
        _oauthClient.RequestUserAuthorization(returnTo: _redirectUrl);
    }
    else
    {
        // Save authentication information into cookie.
        HttpContext.Response.Cookies.Add(auth.CreateAuthCookie());

        return RedirectToAction("Index", "Home");
    }

    ViewBag.Message = "Future login page...";
    return View();
}
Coarsen answered 8/1, 2013 at 23:27 Comment(2)
I would like to remind any other people who bump into this problem: make sure that when you are testing you do not mix the localhost domain and your app URL domain... If you do that, the callback from the OAuth server will create a new Session. - Coarsen
What do you mean by "do not mix localhost domain and your app URL domain"? Didn't get that part. - Glimmer
If you have a problem with the SessionId changing, in most cases it means that there is nothing in the Session object for this user. Just add anything to the session and the SessionId should stay the same for the user:

Session["UserIsHere"] = true;
Floridafloridia answered 9/1, 2013 at 0:31 Comment(5)
Session state is an ASP.NET feature, not a view-specific feature. So whether it's Web Forms or MVC doesn't matter. - Aphaeresis
@AndrewArnott can WebServerClient's RequestUserAuthorization method cause the Controller to start a new session? Using the method mentioned above my Session ID stays the same until RequestUserAuthorization is hit. The previous Session ID is passed to the auth server, but when returned to the web client after sign-in, the client's Session ID changes. - Coarsen
I'm having the same issue... should I add the session variable on the client's side? But is this something caused by DotNetOpenAuth, or is it normal behavior of ASP.NET (i.e. changing the SessionId value and consequently causing that error)? - Jim
@Jim - It is normal session state behavior (not related to auth). An empty session and its corresponding ID (in the cookie) is not persisted in any shape or form. - Floridafloridia
@AlexeiLevenkov: I see. I've just tried adding the session variable at the client's side. I'm managing the whole authentication process inside an HttpModule in the AuthenticateRequest event. Apparently, the session state is not instantiated by ASP.NET until the PostAcquireRequestState event. So I guess that could be the root of my problem? But why does it work sometimes and sometimes it does not? I could not figure out a specific scenario where it fails... - Jim
I had the same message but different problem.

The URL (origin and redirect) I registered in the Google OAuth panel started with www.

Some users were going to the web site without the www, and got the error message.

i.e. Google console configuration: http://www.somesite.com, redirect to http://www.somesite.com/oauth2

Some users were going to http://somesite.com.

Solution: Restrict users to the www version only, or redirect the naked domain to www, so the authentication request always comes from the domain registered in the OAuth panel.

Hope it helps!

Vestal answered 13/1, 2014 at 18:14 Comment(0)
The reason is: in the Google Cloud Platform console, the

redirect_url = "localhost:8080/oauth2callback/"

while you input a URL like 127.0.0.1:8080/authorize/ to start the authorization. There is a session for the domain 127.0.0.1, but no session for localhost.

So, use localhost:8080/authorize/

Pirandello answered 16/9, 2022 at 4:15 Comment(0)
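Putting the thread's answers together, as an added example that is not code from the question, from DotNetOpenAuth or from any answer above: a Login action that establishes session state before starting the flow (the first answer's point) and first moves the browser to the registered callback host when it arrived on a different one (the www vs naked domain and localhost vs 127.0.0.1 cases in the later answers), so the session cookie is actually sent back on the callback. `WebServerClientCustomImpl` and the `CreateAuthCookie()` extension are taken from the question; the example.com redirect URL is a placeholder.

```csharp
using System;
using System.Web.Mvc;
using DotNetOpenAuth.OAuth2;

public class AccountController : Controller
{
    // From the question: a WebServerClient subclass configured for the authorization server.
    private readonly WebServerClient _oauthClient = new WebServerClientCustomImpl();

    // Placeholder: must match the redirect URI registered with the provider exactly.
    private static readonly Uri RedirectUrl = new Uri("https://www.example.com/Account/Login");

    public ActionResult Login()
    {
        // 1. Establish the session before the round trip. An empty ASP.NET session is not
        //    persisted, so a fresh ID is issued on the callback request and anything tied
        //    to the original session can no longer be found.
        Session["UserIsHere"] = true;

        // 2. The session cookie is scoped to the host the browser is using. If that host is
        //    not the registered callback host (www vs naked domain, localhost vs 127.0.0.1),
        //    the cookie is never presented on the callback. Move the browser to the registered
        //    host before starting the flow instead of letting the state check fail later.
        if (!string.Equals(Request.Url.Host, RedirectUrl.Host, StringComparison.OrdinalIgnoreCase))
        {
            var canonical = new UriBuilder(Request.Url) { Host = RedirectUrl.Host, Port = RedirectUrl.Port };
            return Redirect(canonical.Uri.AbsoluteUri);
        }

        // 3. ProcessUserAuthorization returns null when this request carries no authorization
        //    response, and throws with the message quoted in the question when the returned
        //    client state does not match what the client expects.
        IAuthorizationState auth = _oauthClient.ProcessUserAuthorization();
        if (auth == null)
        {
            // Not a callback: redirect to the authorization server. RequestUserAuthorization
            // writes and ends the HTTP response itself, so nothing after it is rendered.
            _oauthClient.RequestUserAuthorization(returnTo: RedirectUrl);
            return new EmptyResult();
        }

        // Callback with matching state: issue the application's own auth cookie (extension
        // method from the question) and continue into the site.
        Response.Cookies.Add(auth.CreateAuthCookie());
        return RedirectToAction("Index", "Home");
    }
}
```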