Invalid authentication configuration crashes ASP.NET core (stack overflow)

[tndata]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

An invalid/incomplete ASPNET Core authentication configuration causes the framework to crash and generate a stack overflow.

Expected Behavior

I would the application not to crash.

Steps To Reproduce

If I:

1. Create a new empty ASP.NET Core application, .NET 8
2. Add OpenIdConnect NuGet package (Microsoft.AspNetCore.Authentication.OpenIdConnect 8.0.1)
3. add this code

builder.Services.AddAuthentication()
.AddOpenIdConnect("oidc", o =>
{
    o.Authority = "https://example.com";

    o.ClientId = "localhost-client";
    o.ClientSecret = "mysecret";

    o.ResponseType = "code";
    o.Prompt = "consent";

});

4. I start the application
5. Then I get a stack overflow as shown below and the console output just outputs errors forever.

info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://localhost:7106
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:5080
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
      Content root path: c:\code\WebApplication1\WebApplication1
Stack overflow.
   at System.Threading.Tasks.Task.FromResult[[System.__Canon, System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]](System.__Canon)
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1[[System.__Canon, System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].SetResult(System.__Canon)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider+<GetHandlerAsync>d__5.MoveNext()
   at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider+<GetHandlerAsync>d__5, Microsoft.AspNetCore.Authentication.Core, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]](<GetHandlerAsync>d__5 ByRef)
...

Yes, the confiuration is not complete/valid.

Exceptions (if any)

Stack Overflow

.NET Version

dotnet --version 8.0.100

Anything else?

No response

[ltrzesniewski]

FWIW, I have the same issue, and I'd also like ASP.NET to give me an error message if possible.

I'm just trying to serve static files for authenticated users, and this seems much harder than it should be. Right now I'm kind of stuck because I don't know ASP.NET very well. 😕

[cadcad-sat]

I was able to reproduce this issue as well.

The reason for the occurrence of the loop is due to the setting of oidc in defaultAuthenticate.Name in the AuthenticationMiddleware when calling context.AuthenticateAsync(defaultAuthenticate.Name).

// AuthenticationMiddleware.cs
var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync(); 
if (defaultAuthenticate != null)
{
    var result = await context.AuthenticateAsync(defaultAuthenticate.Name);
}

The rationale behind Schemes.GetDefaultAuthenticateSchemeAsync returning OidcScheme is that in AuthenticationSchemeProvider.GetDefaultSchemeAsync, it used to return null in version 6.0.26, but in version 8.0.1, it now returns _autoDefaultScheme.

// AuthenticationSchemeProvider.cs
private Task<AuthenticationScheme?> GetDefaultSchemeAsync()
    => _options.DefaultScheme != null
    ? GetSchemeAsync(_options.DefaultScheme)
    : _autoDefaultScheme; // 6.0.26 Task.FromResult<AuthenticationScheme?>(null);

public virtual Task<AuthenticationScheme?> GetDefaultAuthenticateSchemeAsync()
    => _options.DefaultAuthenticateScheme != null
    ? GetSchemeAsync(_options.DefaultAuthenticateScheme)
    : GetDefaultSchemeAsync();

private void CheckAutoDefaultScheme()
{
    if (!_options.DisableAutoDefaultScheme)
    {
        if (_schemes.Count == 1)
        {
            _autoDefaultScheme = Task.FromResult<AuthenticationScheme?>(_schemesCopy.First());
        }
        else
        {
            _autoDefaultScheme = _nullScheme;
        }
    }
}

To resolve the issue, it is recommended to add CookieAuthentication. Please refer to the following code snippet:

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddCookie(setup => setup.ExpireTimeSpan = TimeSpan.FromMinutes(sessionCookieLifetime))
.AddOpenIdConnect(options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});

Reference: Authenticate with an OpenID Connect or OAuth 2.0 Identity Provider

[ltrzesniewski]

@cadcad-sat Thank you so much for your explanation, I managed to get the authentication to work thanks to your help! 😀

[rashadrivera]

I have the same problem, except I'm using the AddMicrosoftAccount instead of the AddOpenIdConnect method. I'm also using the .NET Core 7 library version.

[halter73]

I have the same problem, except I'm using the AddMicrosoftAccount instead of the AddOpenIdConnect method. I'm also using the .NET Core 7 library version.

Were you able to fix this by calling AddCookie?