I am getting "code challenge required" when using IdentityServer4
Solution 1:
I am pretty sure that you are using version 4.0 or above. Let me know if I am correct.
In version 4.0 and above, the code flow + PKCE is used by default, as this is more secure than the hybrid flow, according to the documentation.
Here is the link to the documentation, https://identityserver4.readthedocs.io/en/latest/topics/grant_types.html, and a link to the relevant issue on GitHub describing it as a breaking change: https://github.com/IdentityServer/IdentityServer4/issues/3728
I also struggled with it for about 2 hours when I upgraded IdentityServer4 package to the latest version in one of my projects.
If you want to use the hybrid flow, set RequirePkce to false in your client configuration.
"Clients": [
  {
    /* Code removed for brevity */
    "RequirePkce": false
  }
]
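For readers who define clients in code rather than in appsettings, here is an added example (not the answer's code) of the two server-side options for IdentityServer4 v4: a client on the default authorization code + PKCE flow, and a client kept on the hybrid flow with RequirePkce switched off. Client IDs, secrets, redirect URIs and the "testAPI" scope are illustrative values, not taken from any real deployment.

```csharp
// Added example: in-memory client definitions for IdentityServer4 v4.
// All identifiers, secrets and URIs below are placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            // Option A, the v4 default: authorization code flow with PKCE.
            // A client that omits code_challenge/code_challenge_method on the
            // authorize request is rejected with "code challenge required".
            new Client
            {
                ClientId = "mvc-pkce",
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,          // already the v4 default; shown explicitly
                RedirectUris = { "https://localhost:5001/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5001/signout-callback-oidc" },
                AllowOfflineAccess = true,   // needed for the offline_access scope
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "testAPI"
                }
            },

            // Option B: keep the hybrid flow ("code id_token") from an older setup.
            // RequirePkce has to be set to false, because the ASP.NET Core
            // OpenIdConnect handler sends no code_challenge for that response type.
            new Client
            {
                ClientId = "mvc-hybrid",
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes = GrantTypes.Hybrid,
                RequirePkce = false,
                RedirectUris = { "https://localhost:5001/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5001/signout-callback-oidc" },
                AllowOfflineAccess = true,
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "testAPI"
                }
            }
        };
}
```

Register the list in Startup with services.AddIdentityServer().AddInMemoryClients(Config.Clients); whichever client a relying party uses, its ResponseType (and, for "code", its UsePkce setting) must match the AllowedGrantTypes and RequirePkce of that Client entry.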
Solution 2:
Got that error today and solved it by switching from:
options.ResponseType = "code id_token";
to
options.ResponseType = "code";
options.UsePkce = true;
Here's my complete client-side options:
options.Authority = "http://localhost:8000";
options.RequireHttpsMetadata = false; // dev only
options.ClientId = "testAPI";
options.ClientSecret = secret;
// code flow + PKCE (PKCE is turned on by default)
options.ResponseType = "code";
options.UsePkce = true;
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("offline_access");
options.Scope.Add("testAPI");
options.ClaimActions.MapJsonKey("website", "website");
//options.ResponseMode = "form_post";
//options.CallbackPath = "/signin-oidc";
// keeps id_token smaller
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;
Also, as I'm running IdentityServer in Docker and testing the client on the host, I had to configure an extra redirect URI to be able to test:
RedirectUris =
{
"http://localhost:5001/signin-oidc",
"http://host.docker.internal:5001/signin-oidc",
"http://notused"
},
I'm basing my implementation on Dominic Baier's samples on GitHub.
Edit: I've come to understand now that for my case the response type could only be "code" because my client configuration is for Authorization Code + PKCE (an OAuth2 flow). You have "Hybrid" configured (an OIDC flow) that supports "code id_token", so although we received the same error message, the problem was different.
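To make concrete what the "code challenge" in the error refers to, here is an added example (not code from the answer above, and not part of the OpenIdConnect handler) that computes a PKCE code_verifier and its S256 code_challenge the way RFC 7636 specifies, and shows where they go in the authorize and token requests. With options.ResponseType = "code" and options.UsePkce = true the ASP.NET Core handler does all of this for you; the authority, client_id, redirect_uri and scopes reuse the values from the answer, while the state and nonce strings are placeholders.

```csharp
// Added example: PKCE verifier/challenge generation per RFC 7636 (S256).
// Console app for .NET Core 3.1 or later; no IdentityServer packages needed.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Pkce
{
    // code_verifier: 32 random bytes, base64url-encoded (43 chars, within the
    // 43..128 range RFC 7636 allows).
    public static string CreateVerifier()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Base64Url(bytes);
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256.
    public static string CreateChallenge(string verifier)
    {
        using var sha = SHA256.Create();
        return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // Base64url without padding, as RFC 7636 requires.
    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // RFC 7636 Appendix B test vector; the expected challenge is
        // E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
        const string rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        Console.WriteLine(CreateChallenge(rfcVerifier));

        // A fresh pair for a real request. The verifier stays with the client
        // (the OpenIdConnect handler keeps it in the correlation cookie) until
        // the token request; only the challenge is sent to the authorize endpoint.
        var verifier = CreateVerifier();
        var challenge = CreateChallenge(verifier);

        // state and nonce are placeholder values here.
        var authorizeUrl =
            "http://localhost:8000/connect/authorize" +
            "?client_id=testAPI" +
            "&response_type=code" +
            "&scope=" + Uri.EscapeDataString("openid profile offline_access testAPI") +
            "&redirect_uri=" + Uri.EscapeDataString("http://localhost:5001/signin-oidc") +
            "&code_challenge=" + challenge +
            "&code_challenge_method=S256" +
            "&state=" + Uri.EscapeDataString("opaque-state") +
            "&nonce=" + Uri.EscapeDataString("opaque-nonce");
        Console.WriteLine(authorizeUrl);

        // The later POST to /connect/token (application/x-www-form-urlencoded) carries
        //   grant_type=authorization_code&code=<code>&redirect_uri=<same uri>
        //   &client_id=testAPI&client_secret=<secret>&code_verifier=<verifier>
        // IdentityServer recomputes S256(code_verifier) and rejects the code if it
        // does not match the challenge it stored with the authorization code.
        Console.WriteLine("code_verifier=" + verifier);
    }
}
```

Leaving the challenge out of the authorize request, which is exactly what the handler does for ResponseType = "code id_token", is what a v4 server with RequirePkce = true answers with "code challenge required".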