
Unhandled exception when user is not assigned to the client application #120

Closed · liiri opened this issue May 3, 2020 · 11 comments

Comments

@liiri commented May 3, 2020

I got an error because User is not assigned to the client application, which is legitimate. However, the error is thrown and unhandled. Moreover, I don't seem to be able to handle it on my own.

Full exception and stack:

System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'access_denied', error_description: 'User is not assigned to the client application.', error_uri: 'error_uri is null'.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

I think if I could register to OpenIdConnectEvents.OnAuthenticationFailed that might help, but I am not sure it's sufficient.

I'd expect Okta to fail the login in the first place, and not redirect back to my app.

What is the expected scenario here and how can I handle this case?

@laura-rodriguez (Collaborator) commented May 4, 2020

Hi @liiri ,

We apologize for the inconvenience.

Would you mind answering a few questions? This info will help us to understand your use case better 😄 .

Thanks!

@liiri (Author) commented May 4, 2020

Using Okta.AspNetCore 3.1.1, MVC.

// Okta options built from configuration (GetValueWithEnv is the poster's own helper).
var oktaMvcOptions = new OktaMvcOptions
{
    OktaDomain = configuration.GetValueWithEnv("App:Okta:Domain", string.Empty),
    ClientId = configuration.GetValueWithEnv("App:Okta:ClientId", string.Empty),
    ClientSecret = configuration.GetValueWithEnv("App:Okta:ClientSecret", string.Empty),
    Scope = new List<string> { "openid", "profile", "email", "groups" }
};
// ...
services.AddAuthentication(...).AddCookie(...).AddOktaMvc(oktaMvcOptions);
// ...
// Challenge the Okta scheme; nothing is awaited here, so the action is synchronous.
[AllowAnonymous]
[Route("signin")]
[HttpPost]
public IActionResult SignIn([FromQuery] string returnUrl)
{
    return Challenge(
        new AuthenticationProperties
        {
            // OrIfEmpty is the poster's own extension method.
            RedirectUri = returnUrl.OrIfEmpty("/")
        },
        OktaDefaults.MvcAuthenticationScheme);
}

// Clear the local session, then sign out of both the OIDC and cookie schemes.
[AllowAnonymous]
[Route("signout")]
[HttpPost]
public async Task<IActionResult> SignOutAsync()
{
    await HttpContext.SignOutAsync();
    return SignOut(
        OpenIdConnectDefaults.AuthenticationScheme,
        CookieAuthenticationDefaults.AuthenticationScheme);
}

You can also reproduce the 500 error by adding random strings to the Scope list of OktaMvcOptions,
i.e. Scope = new List<string> {"openid", "profile", "email", "groups", "foo"}

I'm not using any of the public examples, I'm using a production account.

@laura-rodriguez (Collaborator)

Thanks for the info @liiri !

So, if I understand correctly, you have some Okta users trying to sign in to your application, but since they were not assigned to the corresponding Okta application, you have an unhandled exception. You would like to be able to configure error handling when using this SDK, am I correct?

@liiri (Author) commented May 5, 2020

That's correct. I fixed the problem by assigning the users to the app, but I would like to be able to handle future cases of misconfiguration.

@laura-rodriguez (Collaborator)

Thanks for your feedback ❤️ ! We will discuss this feature with the team and prioritize accordingly.

@misterflippy

I also have this issue. I'm using ASP.NET MVC. No samples, production account as well.

Everything works fine if the user is assigned to the app, but not all users should be assigned to the app, so we need to be able to handle this case.

@laura-rodriguez (Collaborator)

Hi @misterflippy ,

Thank you for reporting this issue.

It's expected that users are assigned to an application before signing in. In order to understand your use case better, can you give me more details on why you need unassigned users to be able to log in to your application?

@misterflippy

I'm working with a large organization that has a single sign-on system in place. Not all users are assigned to the application that I'm working on, but they are still able to log in via Okta, and would be assigned to other applications. We don't need the users to be able to log in to this application per se, but we do need to be able to handle this case, if nothing else to display an "unauthorized" error page.

I am currently catching this exception in Global.asax.cs/Application_Error, and I think this will work for us, but it's not clear how we're expected to handle this case. The Okta server sends the error response back to the RedirectUri, but you apparently can't catch the exception at that point, which is confusing. The underlying OpenId library has an OnAuthenticationFailed event which appears to be the expected way to handle errors, but the events aren't exposed in this library.
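How the failure in the stack trace above is meant to be handled at the level of the underlying ASP.NET Core OpenID Connect handler, as an added example that is neither the Okta SDK's code nor anyone's from this thread: an error field on the callback (such as the `access_denied` above) becomes a failed result rather than a thrown exception, so it reaches `OnRemoteFailure`, not `OnAuthenticationFailed`, and is rethrown as "An error was encountered while handling the remote login." only when that event does not call `HandleResponse()`; since ASP.NET Core 3.0, `AccessDeniedPath` short-circuits the `access_denied` case before either event fires. The `/unauthorized` and `/auth-error` routes are assumed names.

```csharp
// Added example (not from the thread or the Okta SDK): turning a failed remote
// login into an "unauthorized" page with the ASP.NET Core OpenID Connect handler.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class OidcFailureHandling
{
    public static IServiceCollection AddOidcWithFailureHandling(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Authority, ClientId and ClientSecret come from configuration (omitted here).

            // ASP.NET Core 3.0+: an 'access_denied' error on the callback (the case in
            // this issue) is redirected here instead of surfacing as an exception.
            options.AccessDeniedPath = "/unauthorized"; // assumed route

            // Every other callback failure (e.g. an unknown scope) reaches OnRemoteFailure.
            // Without HandleResponse() the handler rethrows
            // "An error was encountered while handling the remote login."
            options.Events.OnRemoteFailure = context =>
            {
                var reason = context.Failure is OpenIdConnectProtocolException
                    ? "The identity provider rejected the sign-in request."
                    : "Sign-in failed.";

                // Log context.Failure server-side; keep the user-facing text generic
                // so provider error details are not echoed back to the browser.
                context.Response.Redirect("/auth-error?reason=" + Uri.EscapeDataString(reason));
                context.HandleResponse();
                return Task.CompletedTask;
            };
        });

        return services;
    }
}
```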

@laura-rodriguez (Collaborator)

Thanks for providing more details. This is definitely something we want to take a look at.
We already have this task in our backlog and are planning to work on it soon.

@laura-rodriguez (Collaborator)

Fixed in #128.

@bryanapellanes-okta (Contributor)

@liiri @misterflippy,

Good news, the latest release includes the ability to handle exceptions using your custom code:
