This repository was archived by the owner on Mar 6, 2025. It is now read-only.

IdentityServer4 4.x: HTTP call never returns if .AspNetCore.Identity.Application fails security stamp fails validation #4644

Closed
bryantlikes opened this issue Jul 9, 2020 · 9 comments

@bryantlikes (Contributor)

I have an ASP.NET Core 3.1 application hosted on a Linux App Service in Azure. It is used for identity server purposes and is also using IdentityServer4. Recently I started getting reports of my server not responding and users getting a 504 Gateway Timeout error message. I was able to reproduce this myself with a cookie on my machine and using Postman I narrowed it down to the .AspNetCore.Identity.Application cookie.

This started happening after upgrading from 3.x to 4.x. I can reproduce it locally by authenticating with the external provider, then waiting 30 minutes (the default for the validation to trigger). The response will never return. I originally raised this issue with the aspnetcore team but found that if I took the AddIdentityServer out of my startup the issue went away.

The request comes in, the stamp fails to validate, and then after 4 minutes you end up with a 504 gateway timeout error.

2020-07-09T08:11:08.068854379Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Server.Kestrel
2020-07-09T08:11:08.068891280Z: [INFO] Connection id "0HM13RTOHHJUA" accepted.
2020-07-09T08:11:08.068898380Z: [INFO]
2020-07-09T08:11:08.073324117Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Server.Kestrel
2020-07-09T08:11:08.073337717Z: [INFO] Connection id "0HM13RTOHHJUA" started.
2020-07-09T08:11:08.073343217Z: [INFO]
2020-07-09T08:11:08.076403912Z: [INFO] [08:11:08 Information] Microsoft.AspNetCore.Hosting.Diagnostics
2020-07-09T08:11:08.076418612Z: [INFO] Request starting HTTP/1.1 GET http://identity.komchallenges.com/
2020-07-09T08:11:08.076431313Z: [INFO]
2020-07-09T08:11:08.077449144Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware
2020-07-09T08:11:08.077462545Z: [INFO] The request path / does not match a supported file type
2020-07-09T08:11:08.077468045Z: [INFO]
2020-07-09T08:11:08.078311071Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
2020-07-09T08:11:08.078323171Z: [INFO] 1 candidate(s) found for the request path '/'
2020-07-09T08:11:08.078328071Z: [INFO]
2020-07-09T08:11:08.079276701Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher
2020-07-09T08:11:08.080254631Z: [INFO] Endpoint 'KomChallenges.Web.Identity.Controllers.HomeController.Index (KomChallenges.Web.Identity)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/'
2020-07-09T08:11:08.080268631Z: [INFO]
2020-07-09T08:11:08.081051955Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware
2020-07-09T08:11:08.081064656Z: [INFO] Request matched endpoint 'KomChallenges.Web.Identity.Controllers.HomeController.Index (KomChallenges.Web.Identity)'
2020-07-09T08:11:08.081069656Z: [INFO]
2020-07-09T08:11:08.182520789Z: [INFO] [08:11:08 Information] Microsoft.EntityFrameworkCore.Infrastructure
2020-07-09T08:11:08.182549690Z: [INFO] Entity Framework Core 3.1.5 initialized 'ApplicationDbContext' using provider 'Microsoft.EntityFrameworkCore.SqlServer' with options: None
2020-07-09T08:11:08.182564890Z: [INFO]
2020-07-09T08:11:08.240479179Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Query
2020-07-09T08:11:08.240500979Z: [INFO] queryContext => ShapedQueryCompilingExpressionVisitor.SingleOrDefaultAsync(
2020-07-09T08:11:08.240507280Z: [INFO] asyncEnumerable: new QueryingEnumerable(
2020-07-09T08:11:08.240511880Z: [INFO] (RelationalQueryContext)queryContext,
2020-07-09T08:11:08.241641215Z: [INFO] RelationalCommandCache,
2020-07-09T08:11:08.241653215Z: [INFO] null,
2020-07-09T08:11:08.241657915Z: [INFO] null,
2020-07-09T08:11:08.241661715Z: [INFO] Func<QueryContext, DbDataReader, ResultContext, int[], ResultCoordinator, AppUser>,
2020-07-09T08:11:08.241666015Z: [INFO] KomChallenges.Data.ApplicationDbContext,
2020-07-09T08:11:08.241669815Z: [INFO] DiagnosticsLogger
2020-07-09T08:11:08.241673716Z: [INFO] ),
2020-07-09T08:11:08.241677516Z: [INFO] cancellationToken: queryContext.CancellationToken)
2020-07-09T08:11:08.241681316Z: [INFO]
2020-07-09T08:11:08.259798075Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Command
2020-07-09T08:11:08.259813176Z: [INFO] Creating DbCommand for 'ExecuteReader'.
2020-07-09T08:11:08.259818376Z: [INFO]
2020-07-09T08:11:08.261074915Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Command
2020-07-09T08:11:08.261089615Z: [INFO] Created DbCommand for 'ExecuteReader' (1ms).
2020-07-09T08:11:08.261104216Z: [INFO]
2020-07-09T08:11:08.268088031Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Connection
2020-07-09T08:11:08.268101932Z: [INFO] Opening connection to database 'xxxx' on server 'xxx.database.windows.net'.
2020-07-09T08:11:08.268107132Z: [INFO]
2020-07-09T08:11:08.271528838Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Connection
2020-07-09T08:11:08.271542438Z: [INFO] Opened connection to database 'xxxx' on server xxx.database.windows.net'.
2020-07-09T08:11:08.271547538Z: [INFO]
2020-07-09T08:11:08.276841102Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Command
2020-07-09T08:11:08.276855002Z: [INFO] Executing DbCommand [Parameters=[@__p_0='?' (Size = 450)], CommandType='Text', CommandTimeout='30']
2020-07-09T08:11:08.277435220Z: [INFO] SELECT TOP(1) [a].[Id], [a].[AccessFailedCount], [a].[AthleteId], [a].[BadgeTypeId], [a].[Cat], [a].[ConcurrencyStamp], [a].[DOB], [a].[Email], [a].[EmailConfirmed], [a].[LastActivityCheck], [a].[LastSeen], [a].[LastUpdateCheck], [a].[LockoutEnabled], [a].[LockoutEnd], [a].[NormalizedEmail], [a].[NormalizedUserName], [a].[PasswordHash], [a].[PhoneNumber], [a].[PhoneNumberConfirmed], [a].[SecurityStamp], [a].[TwoFactorEnabled], [a].[Updated], [a].[UserName]
2020-07-09T08:11:08.277447720Z: [INFO] FROM [AspNetUsers] AS [a]
2020-07-09T08:11:08.277452421Z: [INFO] WHERE [a].[Id] = @__p_0
2020-07-09T08:11:08.277456121Z: [INFO]
2020-07-09T08:11:08.327474765Z: [INFO] [08:11:08 Information] Microsoft.EntityFrameworkCore.Database.Command
2020-07-09T08:11:08.327494266Z: [INFO] Executed DbCommand (55ms) [Parameters=[@__p_0='?' (Size = 450)], CommandType='Text', CommandTimeout='30']
2020-07-09T08:11:08.328294191Z: [INFO] SELECT TOP(1) [a].[Id], [a].[AccessFailedCount], [a].[AthleteId], [a].[BadgeTypeId], [a].[Cat], [a].[ConcurrencyStamp], [a].[DOB], [a].[Email], [a].[EmailConfirmed], [a].[LastActivityCheck], [a].[LastSeen], [a].[LastUpdateCheck], [a].[LockoutEnabled], [a].[LockoutEnd], [a].[NormalizedEmail], [a].[NormalizedUserName], [a].[PasswordHash], [a].[PhoneNumber], [a].[PhoneNumberConfirmed], [a].[SecurityStamp], [a].[TwoFactorEnabled], [a].[Updated], [a].[UserName]
2020-07-09T08:11:08.328307591Z: [INFO] FROM [AspNetUsers] AS [a]
2020-07-09T08:11:08.328319991Z: [INFO] WHERE [a].[Id] = @__p_0
2020-07-09T08:11:08.328324392Z: [INFO]
2020-07-09T08:11:08.378646146Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.ChangeTracking
2020-07-09T08:11:08.378663146Z: [INFO] Context 'ApplicationDbContext' started tracking 'AppUser' entity. Consider using 'DbContextOptionsBuilder.EnableSensitiveDataLogging' to see key values.
2020-07-09T08:11:08.378668846Z: [INFO]

2020-07-09T08:11:08.423044217Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Command
2020-07-09T08:11:08.423061017Z: [INFO] A data reader was disposed.
2020-07-09T08:11:08.423066917Z: [INFO]
2020-07-09T08:11:08.425950306Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Connection
2020-07-09T08:11:08.425965407Z: [INFO] Closing connection to database 'xxx' on server 'xxxx.database.windows.net'.
2020-07-09T08:11:08.425978007Z: [INFO]
2020-07-09T08:11:08.428975200Z: [INFO] [08:11:08 Debug] Microsoft.EntityFrameworkCore.Database.Connection
2020-07-09T08:11:08.428989400Z: [INFO] Closed connection to database 'xxx' on server 'xxxx.database.windows.net'.
2020-07-09T08:11:08.428994800Z: [INFO]
2020-07-09T08:11:08.432250801Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Identity.SignInManager
2020-07-09T08:11:08.432264801Z: [INFO] Failed to validate a security stamp.
2020-07-09T08:11:08.432269901Z: [INFO]
2020-07-09T08:11:08.433764848Z: [INFO] [08:11:08 Debug] Microsoft.AspNetCore.Identity.SecurityStampValidator`1[[KomChallenges.Data.AppUser, KomChallenges.Data, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]]
2020-07-09T08:11:08.433778548Z: [INFO] Security stamp validation failed, rejecting cookie.
2020-07-09T08:11:08.433783948Z: [INFO]

2020-07-09T08:15:08.113292319Z: [INFO] [08:15:08 Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets
2020-07-09T08:15:08.113323820Z: [INFO] Connection id "0HM13RTOHHJUA" received FIN.
2020-07-09T08:15:08.113330320Z: [INFO]
2020-07-09T08:15:08.114397553Z: [INFO] [08:15:08 Debug] Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets
2020-07-09T08:15:08.114409953Z: [INFO] Connection id "0HM13RTOHHJUA" sending FIN because: "The client closed the connection."
2020-07-09T08:15:08.114415553Z: [INFO]
2020-07-09T08:15:08.116325512Z: [INFO] [08:15:08 Debug] Microsoft.AspNetCore.Server.Kestrel
2020-07-09T08:15:08.116338713Z: [INFO] Connection id "0HM13RTOHHJUA" disconnecting.

I'm testing to see if I can reproduce it with the quickstart.

@bryantlikes (Contributor, Author)

Running the identity quickstart, logging in, then waiting 30 minutes and hitting a protected page gives me different output than my application.

[12:35:05 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
Identity.Application was not authenticated. Failure message: Unprotect ticket failed

[12:35:05 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
Identity.Application was not authenticated. Failure message: Unprotect ticket failed

[12:35:05 Information] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService
Authorization failed.

[12:35:05 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.Application was challenged.

@bryantlikes (Contributor, Author)

Here is the callstack for that call that it seems to never come back from. I added my own override for ValidatePrincipalAsync so that I get the debugging information.

>	KomChallenges.Web.Identity.dll!KomChallenges.Web.Identity.Services.ConfigureCookieOptionsService.ValidatePrincipalAsync(Microsoft.AspNetCore.Authentication.Cookies.CookieValidatePrincipalContext context) Line 23	C#
 	Microsoft.AspNetCore.Authentication.Cookies.dll!Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents.ValidatePrincipal(Microsoft.AspNetCore.Authentication.Cookies.CookieValidatePrincipalContext context)	Unknown
 	Microsoft.AspNetCore.Authentication.Cookies.dll!Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler.HandleAuthenticateAsync()	Unknown
 	Microsoft.AspNetCore.Authentication.dll!Microsoft.AspNetCore.Authentication.AuthenticationHandler<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>.AuthenticateAsync()	Unknown
 	Microsoft.AspNetCore.Authentication.Core.dll!Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(Microsoft.AspNetCore.Http.HttpContext context, string scheme)	Unknown
 	IdentityServer4.dll!IdentityServer4.Hosting.IdentityServerAuthenticationService.AuthenticateAsync(Microsoft.AspNetCore.Http.HttpContext context, string scheme)	Unknown
 	Microsoft.AspNetCore.Authentication.Abstractions.dll!Microsoft.AspNetCore.Authentication.AuthenticationHttpContextExtensions.AuthenticateAsync(Microsoft.AspNetCore.Http.HttpContext context, string scheme)	Unknown
 	Microsoft.AspNetCore.Authentication.dll!Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.Cors.dll!Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context, Microsoft.AspNetCore.Cors.Infrastructure.ICorsPolicyProvider corsPolicyProvider)	Unknown
 	Microsoft.AspNetCore.Http.Abstractions.dll!Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.UseMiddleware.AnonymousMethod__2(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	IdentityServer4.dll!IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.Routing.dll!Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.SetRoutingAndContinue(Microsoft.AspNetCore.Http.HttpContext httpContext)	Unknown
 	Microsoft.AspNetCore.Routing.dll!Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext httpContext)	Unknown
 	Microsoft.AspNetCore.Cors.dll!Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context, Microsoft.AspNetCore.Cors.Infrastructure.ICorsPolicyProvider corsPolicyProvider)	Unknown
 	Microsoft.AspNetCore.Http.Abstractions.dll!Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.UseMiddleware.AnonymousMethod__2(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.StaticFiles.dll!Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.CookiePolicy.dll!Microsoft.AspNetCore.CookiePolicy.CookiePolicyMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.HttpsPolicy.dll!Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.Diagnostics.dll!Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.HostFiltering.dll!Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware.Invoke(Microsoft.AspNetCore.Http.HttpContext context)	Unknown
 	Microsoft.AspNetCore.Hosting.dll!Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync(Microsoft.AspNetCore.Hosting.HostingApplication.Context context)	Unknown
 	Microsoft.AspNetCore.Server.IIS.dll!Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT<Microsoft.AspNetCore.Hosting.HostingApplication.Context>.ProcessRequestAsync()	Unknown
 	Microsoft.AspNetCore.Server.IIS.dll!Microsoft.AspNetCore.Server.IIS.Core.IISHttpContext.HandleRequest()	Unknown
 	Microsoft.AspNetCore.Server.IIS.dll!Microsoft.AspNetCore.Server.IIS.Core.IISHttpContext.Execute()	Unknown
 	System.Private.CoreLib.dll!System.Threading.ThreadPoolWorkQueue.Dispatch()	Unknown

Here is my simple code that I used to enable me to break at this point.

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Replaces the cookie events so a breakpoint can be set around the security stamp check.
public class ConfigureCookieOptionsService : IPostConfigureOptions<CookieAuthenticationOptions>
{
    public void PostConfigure(string name, CookieAuthenticationOptions options)
    {
        options.Events = new CookieAuthenticationEvents
        {
            OnValidatePrincipal = ValidatePrincipalAsync
        };
    }

    // Same validator Identity wires up by default; in the failing case this await never completes.
    public static async Task ValidatePrincipalAsync(CookieValidatePrincipalContext context)
    {
        await SecurityStampValidator.ValidateAsync<ISecurityStampValidator>(context);
        Console.WriteLine("I made it!");
    }
}

@ChainFans

#4592 I hope it will help you

@bryantlikes (Contributor, Author)

I spent a bunch of time on this today and I think I may have figured out how I created this issue. On adding my external provider I was missing the code from the quickstart:

options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

So I may have been creating some kind of invalid identity token in my external controller, but I'm not sure. Still seems strange that the cookie could cause the server to not return a response. I've updated all my code to follow the v4 quickstart code more closely and I am testing it out now.

If that works then I may try to put some of my old (probably invalid code) into the quickstart to see if I can create a situation that can easily reproduce the issue.

@bryantlikes (Contributor, Author)

Ok, I was able to reproduce the issue with the quickstart by using my previous setup which worked with ID4 3.x. It ends up getting into a stack overflow:

DefaultUserSession.AuthenticateAsync

line 127: var result = await handler.AuthenticateAsync();

IdentityServerAuthenticationService.SignOutAsync

line 91: var logoutContext = await _session.GetLogoutNotificationContext();

IUserSessionExtensions.GetLogoutNotificationContext

line 23: var clientIds = await session.GetClientListAsync();

DefaultUserSession.GetClientListAsync()

line 286: await AuthenticateAsync();

The way I created this issue was with the IdentityServerAspNetIdentity quickstart.

  1. Set up an external auth provider (I tested it using Strava).
  2. Do not change the SignInScheme for the external provider:
        // options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
  3. Update the ExternalController methods as follows:
        [HttpGet]
        public IActionResult Challenge(string scheme, string returnUrl)
        {
            var props = _signInManager.ConfigureExternalAuthenticationProperties(scheme, Url.Action(nameof(Callback), new { returnUrl }));

            return new ChallengeResult(scheme, props);
        }

        [HttpGet]
        public async Task<IActionResult> Callback(string returnUrl = null)
        {
            var info = await _signInManager.GetExternalLoginInfoAsync();
            var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
            ApplicationUser user;
            if (result.Succeeded)
            {
                user = await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
            }
            else
            {
                user = await AutoProvisionUserAsync(info.LoginProvider, info.ProviderKey, info.Principal.Claims);
            }

            await _signInManager.SignInAsync(user, isPersistent: false);
            var isuser = new IdentityServerUser(user.Id)
            {
                DisplayName = user.UserName,
                IdentityProvider = info.LoginProvider
            };

            await HttpContext.SignInAsync(isuser);

            await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);

            var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
            await _events.RaiseAsync(new UserLoginSuccessEvent(info.LoginProvider, info.ProviderKey, user.Id, user.UserName, true, context?.Client?.ClientId));

            return Redirect(returnUrl);
        }
  4. Optional - update the SecurityStampValidator interval to 1 minute instead of 30.
        public class ConfigureSecurityStampValidatorOptionsService : IPostConfigureOptions<SecurityStampValidatorOptions>
        {
            public void PostConfigure(string name, SecurityStampValidatorOptions options)
            {
                options.ValidationInterval = TimeSpan.FromMinutes(1);
            }
        }

     and somewhere in ConfigureServices in Startup:

        services.AddSingleton<IPostConfigureOptions<SecurityStampValidatorOptions>, ConfigureSecurityStampValidatorOptionsService>();

Start the application, log in using the external provider, then wait the validation interval time (30 minutes if you skipped part 4, otherwise 1 minute), refresh the page. You should get a stack overflow if you're running with the local reference or you will get the gateway timeout after 4 minutes if you're using the nuget packages.
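The following is an added example, not the issue author's code and not the IdentityServer4 project's own: the wiring the reproduction above leaves out, in the shape of the v4 IdentityServerAspNetIdentity quickstart. The provider signs into IdentityServer's temporary external cookie (the SignInScheme line from step 2), and the callback reads that cookie directly instead of through SignInManager.GetExternalLoginInfoAsync, which only looks at Identity.External. A generic OIDC handler with placeholder authority and client id stands in for the Strava handler; the "LoginProvider" item is the key SignInManager.ConfigureExternalAuthenticationProperties stores the scheme under, and ApplicationUser and the AutoProvisionUserAsync body are assumed.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class ExternalProviderSetup
{
    // Startup.ConfigureServices, after AddIdentityServer().AddAspNetIdentity<ApplicationUser>().
    // A generic OIDC handler with placeholder values stands in for the Strava handler of the repro.
    public static void AddExternalProvider(this IServiceCollection services) =>
        services.AddAuthentication().AddOpenIdConnect("external", "External provider", options =>
        {
            // The line the repro omits: the provider result is parked in IdentityServer's
            // temporary external cookie instead of going straight into Identity.Application.
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.Authority = "https://EXTERNAL-PROVIDER-AUTHORITY"; // placeholder
            options.ClientId = "EXTERNAL-CLIENT-ID";                   // placeholder
            options.ResponseType = "code";
        });
}

public class ExternalController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IIdentityServerInteractionService _interaction;
    public ExternalController(UserManager<ApplicationUser> userManager, IIdentityServerInteractionService interaction)
    {
        _userManager = userManager;
        _interaction = interaction;
    }

    // Challenge stays as in the repro: ConfigureExternalAuthenticationProperties records the
    // provider name under Items["LoginProvider"] and carries returnUrl in the redirect URI.
    [HttpGet]
    public async Task<IActionResult> Callback(string returnUrl = null)
    {
        // Read the external identity from the temporary external cookie, not via
        // SignInManager.GetExternalLoginInfoAsync(), which only looks at Identity.External.
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return BadRequest("External authentication error");
        var external = result.Principal;
        var idClaim = external.FindFirst(JwtClaimTypes.Subject) ?? external.FindFirst(ClaimTypes.NameIdentifier);
        if (idClaim == null || !result.Properties.Items.TryGetValue("LoginProvider", out var provider))
            return BadRequest("External provider returned no usable identity");

        var user = await _userManager.FindByLoginAsync(provider, idClaim.Value)
                   ?? await AutoProvisionUserAsync(provider, idClaim.Value);

        // Issue the IdentityServer session once, then discard the temporary external cookie.
        var isuser = new IdentityServerUser(user.Id) { DisplayName = user.UserName, IdentityProvider = provider };
        await HttpContext.SignInAsync(isuser);
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        // Only follow a return URL that belongs to a known authorize request or is local.
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        return Redirect(context != null || Url.IsLocalUrl(returnUrl) ? returnUrl : "~/");
    }

    private async Task<ApplicationUser> AutoProvisionUserAsync(string provider, string providerUserId)
    {
        var user = new ApplicationUser { UserName = Guid.NewGuid().ToString() };
        if (!(await _userManager.CreateAsync(user)).Succeeded)
            throw new InvalidOperationException("Could not create local user");
        var login = new UserLoginInfo(provider, providerUserId, provider);
        if (!(await _userManager.AddLoginAsync(user, login)).Succeeded)
            throw new InvalidOperationException("Could not link external login");
        return user;
    }
}
```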

bryantlikes referenced this issue in bryantlikes/IdentityServer4 Jul 13, 2020
This is an ugly fix but it does solve the stack overflow issue described in #4644.
@alexnogdantas commented Jul 15, 2020

We are experiencing a similar problem. After a long time logged in, an interaction on the client redirects to the IdentityServer host and waits for a response forever. If we delete cookies and refresh the browser, the Identity Server responds normally. Could anyone help? Everything else works normally.

IDS4 (v 4.0.2) host setup:

IIdentityServerBuilder builder = services
    .AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
                    
        options.InputLengthRestrictions.Scope = 1000;
    })
    .AddAspNetIdentity<User>()
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));

        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = Convert.ToInt32(TimeSpan.FromDays(1).TotalSeconds);
    });

if (environment.IsDevelopment())
    builder.AddDeveloperSigningCredential();
else
    AddSigningWithCertificate(configuration, builder, securityOptions);

string authority = securityOptions.GetValue<string>("AuthorityUrl");
string apiName = securityOptions.GetValue<string>("ApiName");

services
    .AddAuthorization()
    .AddAuthentication()
    //http://docs.identityserver.io/en/latest/topics/add_apis.html
    .AddIdentityServerAuthentication("token", options =>
        {
            options.Authority = authority;
            options.ApiName = apiName;
        })
    .AddOpenIdConnect("oidc", "OpenID Connect", options =>
        {
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;

            options.Authority = authority;
            options.ClientId = "implicit";
            options.SaveTokens = true;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = JwtClaimTypes.Name,
                RoleClaimType = JwtClaimTypes.Role,
                RequireExpirationTime = true
            };
        });

Client setup:

services
    .AddAuthorization()
    .AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = "oidc";
        })
    .AddCookie(options =>
    {
        options.AccessDeniedPath = "/Shared/Unauthorize";
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
        options.ResponseMode = OidcConstants.ResponseModes.FormPost;

        options.Authority = securityOptions.AuthorityUrl;
        options.SignedOutRedirectUri = securityOptions.SignedOutRedirectUri;
        options.ClientId = securityOptions.ClientId;
        options.ClientSecret = securityOptions.ClientSecret;
        options.ResponseType = "code";
        options.UsePkce = true;

        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.RequireHttpsMetadata = true;

        securityOptions.Scopes.ForEach(it => options.Scope.Add(it));

        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = JwtClaimTypes.Role,
            RequireExpirationTime = true,
        };
    });

Debugging the source code of IDS4 we find the place where it stops responding:
[screenshot: Class]
[screenshot: Method]

@brockallen (Contributor)

Confirmed. I'll put out a fix in our next patch.

@brockallen (Contributor)

PR submitted.
