OIDC metadata returns HTML error along with valid json output

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
Version Affected: [All Versions]

    Description:  

    The OIDC metadata endpoint returns an HTML error appended to otherwise valid JSON output when the request does not contain a User-Agent header. The curl option -H "User-Agent:" below removes the header entirely (it does not send an empty value):

    curl https://idp.example.com/secureauthXX/.well-known/openid-configuration -H "User-Agent:"

    {"issuer":"https://idp.example.com/secureauthXX/","authorization_endpoint":"https://idp.example.com/secureauthXX/SecureAuth.aspx","token_endpoint":"https://idp.example.com/secureauthXX/OidcToken.aspx","userinfo_endpoint":"https://idp.example.com/secureauthXX/OidcUserInfo.aspx","end_session_endpoint":"https://idp.example.com/secureauthXX/OidcEndSession.aspx","jwks_uri":"https://idp.example.com/secureauthXX/.well-known/jwks","check_session_iframe":"https://idp.example.com/secureauthXX/OidcCheckSession.asp... token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","fragment","query"],"grant_types_supported":["authorization_code","client_credentials","password","refresh_token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["HS256","RS256"],"claim_types_supported":["normal"],"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"]}

    <html> An error in the authentication has occurred. Please Try Again.<br> If the error persists, please contact your Administrator. </html>


    Cause:  

    The following exception appears after turning off custom errors. Note that it is thrown in Application_PreSendRequestHeaders, i.e. after the JSON body has already been written to the response, which is why the error page is appended to an otherwise valid discovery document rather than replacing it:

    [NullReferenceException]: Object reference not set to an instance of an object.
    at Global_asax.DisallowsSameSiteNone(String userAgent)
    at Global_asax.Application_PreSendRequestHeaders(Object sender, EventArgs e)
    at System.Web.HttpApplication.SendResponseExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    The D:\SecureAuth\SecureAuthXX\Global.asax.vb file contained the function below, which inspects the User-Agent header. When the request carries no User-Agent header, the userAgent argument is Nothing, and the first call to userAgent.Contains raises the exception above.

    Public Shared Function DisallowsSameSiteNone(ByVal userAgent As String) As Boolean
        ' userAgent is Nothing when the request has no User-Agent header; the
        ' .Contains call on it throws the NullReferenceException shown above.
        If userAgent.Contains("CPU iPhone OS 12") OrElse userAgent.Contains("iPad; CPU OS 12") Then
            Return True
        End If
        If userAgent.Contains("Macintosh; Intel Mac OS X 10_14") AndAlso userAgent.Contains("Version/") AndAlso userAgent.Contains("Safari") Then
            Return True
        End If
        If userAgent.Contains("Chrome/5") OrElse userAgent.Contains("Chrome/6") Then
            Return True
        End If
        '' give ability to add blacklist from configuration
        If (Tools.ReadAppSettings("SameSiteUserAgentRegex").IsNotNullOrEmpty()) Then
            Dim regExRules As String() = Tools.ReadAppSettings("SameSiteUserAgentRegex").Split(New Char() {";"})
            Return regExRules.Any(Function(rule) Regex.IsMatch(userAgent, rule, RegexOptions.None))
        End If
        Return False
    End Function

    Resolution:  

    Remove the function from the Global.asax.vb file, or replace the file with the default Global.asax.vb file.
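    To confirm the resolution took effect, the following Python script (an added example, not SecureAuth's code or part of this article) fetches the discovery document with and without a User-Agent header and flags anything trailing the JSON object, using http.client because it adds no User-Agent of its own. The hostname and path in it are placeholders; the embedded sample response is constructed from the output shown above.

```python
import http.client
import json
import ssl
from urllib.parse import urlparse

# Keys every discovery document on this page carries; a minimal sanity check.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def inspect_discovery_body(body: str) -> dict:
    """Parse the leading JSON object and report any content trailing it.

    A healthy response is one JSON object and nothing else. json.loads() would
    reject the broken response outright; raw_decode() keeps the JSON and lets
    us isolate the appended HTML error so both facts can be reported.
    """
    text = body.lstrip()
    metadata, end = json.JSONDecoder().raw_decode(text)
    trailer = text[end:].strip()
    missing = [k for k in REQUIRED_KEYS if k not in metadata]
    return {"issuer": metadata.get("issuer"), "missing_keys": missing,
            "trailer": trailer, "clean": not trailer and not missing}


def fetch_discovery(url: str, send_user_agent: bool) -> str:
    """GET the discovery document; send_user_agent=False omits the header
    entirely, reproducing the curl -H "User-Agent:" request above."""
    parts = urlparse(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ssl.create_default_context())
    headers = {"User-Agent": "oidc-discovery-check/1.0"} if send_user_agent else {}
    conn.request("GET", parts.path or "/", headers=headers)
    return conn.getresponse().read().decode("utf-8", errors="replace")


# Constructed sample: a trimmed discovery document followed by the HTML error
# from the article, i.e. what the broken Global.asax.vb produces.
SAMPLE_BROKEN = (
    '{"issuer":"https://idp.example.com/secureauthXX/",'
    '"authorization_endpoint":"https://idp.example.com/secureauthXX/SecureAuth.aspx",'
    '"token_endpoint":"https://idp.example.com/secureauthXX/OidcToken.aspx",'
    '"jwks_uri":"https://idp.example.com/secureauthXX/.well-known/jwks"}\n'
    '<html> An error in the authentication has occurred. Please Try Again.<br>'
    ' If the error persists, please contact your Administrator. </html>'
)

if __name__ == "__main__":
    print(inspect_discovery_body(SAMPLE_BROKEN))
    # Against a live appliance (placeholder URL), both calls should report clean=True:
    # for ua in (True, False):
    #     print(ua, inspect_discovery_body(fetch_discovery(
    #         "https://idp.example.com/secureauthXX/.well-known/openid-configuration", ua)))
```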


    Special Considerations (optional as needed):  

    If there are syntax errors after replacing the Global.asax.vb file, replace Global.asax with the default file as well.


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
