[Solved] IdentityServer4 Correlation failed at signin-oidc redirect

I keep receiving the following error after the Consent screen where I am going to the client “signin-oidc” url (please refer to images in attached doc for reference):

Unhandled remote failure (Correlation failed)

This was not an issue on my development build (VS2015 /w IISExpress) and only started after I had published the application.

From what I could find on Google, I can see that the issue is caused by missing cookies. It would be helpful if I could get a better understanding and also some tips on how to debug it.

I have attached the debug log from the client, and from Fiddler, for reference.

logs.docx

Some background on my current setup –

  • IdentityServer with ASP.Net Core Identity Integration and EntityFramework persistence layer (combined from your ASP Identity and EntityFramework Quickstarts)
  • MVC Client (created using the MVCHyrbid Quickstart)

Both applications are deployed on separate domains:

  • IdentityServer is on a Windows Server 2012 R2 machine behind IIS 8.5
  • Client is on Windows Server 2008 R2 behind IIS 7.5

Appreciate the help!

36 Answers

✔️Accepted Answer

@aduggleby: I suspect that some of your users are arriving at the log in screen, becoming distracted, and then coming back and trying to log in more than 15 minutes later. By then the cookie used for correlation has expired and they get this error. If you set RemoteAuthenticationTimeout in the OIDC middleware to something like 10 seconds:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    // Lifetime of the correlation/nonce cookies set before the redirect to IdentityServer
    RemoteAuthenticationTimeout = TimeSpan.FromSeconds(10),
    ...
});

...then users would only have 10 seconds to log in. If you increase this to several hours it will probably greatly reduce the frequency of the error. A better solution would be to redirect the user to some other page if someone leaves the log in screen for more than a few minutes so they cannot use a "stale" log in screen. The timeout is there for security purposes.

Other Answers:

I've found a hook on the middleware to handle this error. On the authenticating client application where the openid connect middleware is configured, I've put:

options.Events.OnRemoteFailure = RemoteAuthFail;

private Task RemoteAuthFail(RemoteFailureContext context)
{
    // Send the user to a friendly error page instead of surfacing the exception
    context.Response.Redirect("/Home/AuthError");
    context.HandleResponse();
    return Task.CompletedTask;
}

I've put a friendly message on that page prompting them to not bookmark the login (as well as on the login screen).

Well, the way we solved it is by catching the exception using the ExceptionHandler Middleware of ASP.NET Core and checking whether the Request path was /sign-in-oidc (Redirect URI). If it was, then redirect to any page that requires authentication (home page in our case, i.e. /). If it was not, then handle the exception just like any other exception.
@coffeymatt @ChrisPritchard

@coffeymatt @srikrsna Combining your suggestions works perfectly.
In the OnRemoteFailure event I check for the /signin-oidc path; if it matches, I simply redirect to a secured endpoint on the client, then the client redirects to identity server, this time with valid request params, but since the user is already logged on at identity server they are simply redirected back to the client without the need to re-enter their credentials.
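The two pieces above (a longer RemoteAuthenticationTimeout from the accepted answer, and an OnRemoteFailure handler that only reacts on the callback path and redirects to a protected page) put together as one ASP.NET Core 2.x AddOpenIdConnect registration. This is an added example, not code from the thread or from the IdentityServer quickstarts; the Authority, ClientId and the use of "/" as the protected landing page are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class OidcClientSetup
{
    // Path the OIDC handler listens on; "/signin-oidc" is the middleware default.
    private const string CallbackPath = "/signin-oidc";

    public static void AddOidcClient(IServiceCollection services)
    {
        services.AddAuthentication(o =>
            {
                o.DefaultScheme = "Cookies";
                o.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "https://idsrv.example.com"; // assumed
                options.ClientId = "mvc";                        // assumed
                options.CallbackPath = CallbackPath;

                // Lifetime of the correlation and nonce cookies written before the redirect
                // to IdentityServer (default 15 minutes). Raising it reduces "stale login
                // page" failures but widens the window in which an authorization response
                // stays accepted, so keep it as short as the login flow allows.
                options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(30);

                options.Events = new OpenIdConnectEvents
                {
                    OnRemoteFailure = ctx =>
                    {
                        // Only intercept failures on our own callback path; anything else
                        // should surface as a normal exception.
                        if (ctx.Request.Path.Equals(new PathString(CallbackPath),
                                                    StringComparison.OrdinalIgnoreCase))
                        {
                            // Redirecting to a protected page re-issues the challenge with
                            // fresh state/nonce cookies; an active IdentityServer session
                            // brings the user straight back without re-entering credentials.
                            ctx.Response.Redirect("/");
                            ctx.HandleResponse();
                        }
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

A client that still fails on every callback (rather than only after a long idle) points at cookies being dropped by the browser or a proxy, which the handler above will turn into a redirect loop; log ctx.Failure before redirecting so that case stays visible.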

I was having this issue with recorded selenium tests and that solution solved it.

For me this issue was using the default Cookie Policy:

public void Configure...
{
    // This will override cookie settings for OpenIdConnect
    // Nonce and Correlation Cookies included.
    app.UseCookiePolicy(); 
}
