This repository was archived by the owner on Mar 6, 2025. It is now read-only.
invalid_grant after sign in #1670
Closed
Description
- I read and understood how to enable logging
Issue / Steps to reproduce the problem
I have a .NET Core 2 IdSvr and MVC portal running fine locally. I'm trying to deploy them both to docker containers behind an nginx proxy though, and while I can authenticate a locally running MVC portal against the deployed IdSvr, I cannot authenticate from the deployed MVC portal.
Full details of the logs can be found on this StackOverflow question, if that helps, but I assume I'm missing some config either in the IdSvr project or the MVC client.
https://stackoverflow.com/questions/46884549/identityserver4-sub-claim-is-missing
Any help would be much appreciated as we're trying to make IdSvr our federated identity gateway for all our systems and this is the first stage.
Relevant parts of the log file
[11:22:51 INF] Request starting HTTP/1.1 POST http://testportal.cmacgroup.co.uk/signin-oidc application/x-www-form-urlencoded 1559
[11:22:51 ERR] Message contains error: 'invalid_grant', error_description: 'error_description is null', error_uri: 'error_uri is null', status code '400'.
[11:22:51 ERR] Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'error_description is null', error_uri: 'error_uri is null'.
Activity
leastprivilege commented on Oct 31, 2017
any update?
dankennedy commented on Oct 31, 2017
Some progress, in that I've got the IdSvr4 web app running in a container, and if I run the client locally I can authenticate against IdSvr4 without a problem. If I use the client as deployed in a container however, after a successful authentication I just get the nginx 502 page and no error logged. If I refresh the page and therefore resubmit the form however I get the following error:
[13:30:07 ERR] HTTP POST /signin-oidc responded 500 Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'error_description is null', error_uri: 'error_uri is null'.
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Cmac.Portal.Web.Middleware.SerilogMiddleware.<Invoke>d__4.MoveNext() in /app/Cmac.Portal.Web/Middleware/SerilogMiddleware.cs:line 37
I assume it's therefore something to do with either the nginx config or how I've deployed the client container but I can't seem to get any more info on the initial failure.
I'm spending some more time looking at it today and will update.
dankennedy commented on Oct 31, 2017
So I finally got to the bottom of it. It seems the default header limits in nginx don't play nice and I found this in the logs
upstream sent too big header while reading response header from upstream
Updating the nginx config to include the lines
prevented the 502 error and it all authenticates fine now.
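The comment above does not reproduce the nginx lines that were added, so the following is an added example of the standard fix for "upstream sent too big header while reading response header from upstream", not the reporter's own configuration. The mechanism behind both symptoms: the response to the POST on /signin-oidc carries the freshly issued authentication cookie, which ASP.NET Core splits into several Set-Cookie headers (and which also holds the tokens when SaveTokens is enabled), so the response headers can exceed nginx's default proxy_buffer_size of one memory page (4k or 8k). nginx then drops the response and returns its own 502, so the browser never receives the cookie. Refreshing re-POSTs the same authorization code, which IdentityServer has already redeemed once and, as RFC 6749 requires for single-use codes, rejects with invalid_grant. The server name, upstream name and buffer sizes below are assumptions.

```nginx
# Added example, not the reporter's configuration.
# "portal" is an assumed container/service name for the MVC client.
upstream portal {
    server portal:80;
}

server {
    listen 80;
    server_name testportal.cmacgroup.co.uk;

    location / {
        proxy_pass http://portal;

        # The defaults (proxy_buffer_size 4k|8k) cannot hold the /signin-oidc
        # response headers once the chunked auth cookie is attached, which
        # yields "upstream sent too big header ..." in error.log and a 502.
        # proxy_buffer_size holds the header part of the upstream response;
        # proxy_busy_buffers_size must be at least as large as it and no
        # larger than all proxy_buffers minus one buffer.
        proxy_buffer_size       16k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 32k;

        # Tell the app the original host and scheme so the redirect_uri it
        # registers with IdentityServer and the cookie attributes it emits
        # match what the browser actually used (the app must also apply
        # ForwardedHeaders middleware for these to take effect).
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading, then confirm in the nginx error log that the "too big header" line no longer appears on sign-in. Size the buffers to the actual header volume rather than picking very large values: the buffers are allocated per proxied connection, and a cookie that keeps growing is usually a sign that tokens or claims should be stored server-side instead of in the cookie.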
lock commented on Jan 14, 2020
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.