Support automatic redirect on remote failures

[JeanCollas]

From time to time when people try to log in using Facebook, I get this error, what does it mean exactly? How to handle it?

Unhandled remote failure. (Correlation failed.) 
Microsoft.AspNetCore.Authentication 
Correlation failed. 

-------- 
-------- 
-------- Exception -------- 
System.AggregateException: Unhandled remote failure. (Correlation failed.) ---> System.Exception: Correlation failed. 
--- End of inner exception stack trace --- 
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler'1.d__5.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler'1.d__4.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware'1.d__18.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.ApplicationInsights.AspNetCore.ExceptionTrackingMiddleware.d__4.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.d__4.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 

[Tratcher]

There's a correlation cookie issued with each challenge to limit XRSF issues. Under some conditions this cookie gets lost before the authentication is complete. If it does the best thing that you can do is restart the auth flow. You can handle this error by hooking the RemoteFailure event.

Security/samples/SocialSample/Startup.cs

Lines 122 to 127 in 75a4d00

	OnRemoteFailure = ctx =>
	{
	ctx.Response.Redirect("/error?FailureMessage=" + UrlEncoder.Default.Encode(ctx.Failure.Message));
	ctx.HandleResponse();
	return Task.FromResult(0);
	}

[JeanCollas]

Thanks @Tratcher, as it happens quite regularly (more than 10% of registrations), I feel like I must address the issue.
Restarting the auth flow from there does not risk to get into an infinite loop?

[nhwilly]

It seem this - or something related - is happening to me. FB seemed to be working fine. Now it's not.

`Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware:Error: An unhandled exception has occurred while executing the request

System.AggregateException: Unhandled remote failure. (Message contains error: 'server_error', error_description: 'AADB2C: An exception has occured.
Correlation ID: 6f040040-088a-451b-8eff-73f9578316b6
Timestamp: 2017-03-27 20:35:08Z
', error_uri: 'error_uri is null'.) ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'server_error', error_description: 'AADB2C: An exception has occured.
Correlation ID: 6f040040-088a-451b-8eff-73f9578316b6
Timestamp: 2017-03-27 20:35:08Z
', error_uri: 'error_uri is null'.
   --- End of inner exception stack trace ---`

Works great for a Microsoft Account. I'm using Azure B2C, btw.

Tried pretty much everything. Any ideas?

[Tratcher]

It does risk an infinite loop, so it should include an error page that says "Something went wrong trying to log you in, click here to try again."

[nhwilly]

I just tried running this is the policy section of the B2C portal.

Got this:

AggregateException: Unhandled remote failure. (OpenIdConnectAuthenticationHandler: message.State is null or empty.)

Does that help any?

[JeanCollas]

Thanks @Tratcher for the confirmation, I will try to handle it in the OnRemoteFailure as suggested.

The Facebook login is a bit tricky when not everything goes well, for example if I:

• try to log-in via Facebook,
• accept everything on Facebook,
• arrive on the confirmation where a password is required to create the account
• go back to the login page (so do not create the account)
• try again to log-in via Facebook
  I get redirected to AccessDenied with return url on ExternalLoginCallback. I don't understand why as (I think) it should just be redirected to ExternalLoginCallback.

[martincostello]

I've just had an instance of this error pop-up in my server logs, and there's this SO Q/A which mentions it being something to do with clock-sync.

[Tratcher]

@JeanCollas If you've logged in with the external provider but not completed the local login then you still have the External cookie. If you then restart the auth flow the facebook auth provider will see that you're already signed in and trigger AccessDenied to avoid an infinite login loop. If you want to restart the login process you need to clear the state from the prior attempt, including the external cookie. See https://github.com/aspnet/Templates/blob/c91664a01f6b429b9ff3ac17cacd906037f11b19/src/Rules/StarterWeb/IndividualAuth/Controllers/AccountController.cs#L51

[Tratcher]

@nhwilly are you still having Facebook B2C issues? There was an outage on Monday due to a Facebook API change, but that should have been resolved later that day.

[Eilon]

We should consider the following:

1. Add an error redirect URL to the Remote Auth middleware
2. Update the project templates to use this feature and redirect to a page w/ some explanation about how to resolve the issue (because it is generally ultimately a problem on the site visitor's machine, not a server issue)

cc @DamianEdwards for item (2).

[NikasZalias]

I am getting this error:

System.AggregateException: Unhandled remote failure. (Code was not found.) ---> System.Exception: Code was not found.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRemoteCallbackAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Server.IISIntegration.IISMiddleware.<Invoke>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Hosting.Internal.RequestServicesContainerMiddleware.<Invoke>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.Frame`1.<RequestProcessingAsync>d__2.MoveNext()
---> (Inner Exception #0) System.Exception: Code was not found.<---

Does anyone know how to fix this?? This problem occurs when I try to log in to application with facebook account and in permissions I press cancel.

[martincostello]

@NikasZalias The middleware doesn't seem to nicely handle permission being denied by the end user, so you end up with an error page. I've worked around this by wrapping the OAuthEvents and adding a custom handler for OnRemoteFailure, which then does a custom redirect if the user denied permissions.

For example:

/// <summary>
/// Returns whether the specified failure context indicates the user denied account linking permission.
/// </summary>
/// <param name="context">The current failure context.</param>
/// <returns>
/// <see langword="true"/> if account linking permission was denied; otherwise <see langword="false"/>.
/// </returns>
private static bool WasPermissionDenied(FailureContext context)
{
    return
        string.Equals(context.Request.Query["error"].FirstOrDefault(), "access_denied", StringComparison.Ordinal) ||
        string.Equals(context.Request.Query["error_reason"].FirstOrDefault(), "user_denied", StringComparison.Ordinal) ||
        context.Request.Query.ContainsKey("denied");
}

There might be more conditions that indicate this, but these three all handled this happening in the social login providers I use.

[NikasZalias]

@martincostello how to call this method in controller? because when I go to ExternalLogin action which looks like this:

[HttpGet]
[AllowAnonymous]
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{
          var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new {ReturnUrl = returnUrl});
          var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
           return new ChallengeResult(provider, properties);
 }

It redirects me to facebook permission page, and after I click cancel I get the error I wrote before and I don't know how to handle this callback..

[martincostello]

@NikasZalias You need to hook up a handler for RemoteFailure to the Events property of an instance of FacebookOptions when registering Facebook for use, so you'll need to use one of the overloads of UseFacebookAuthentication() that takes an instance of FacebookOptions as a parameter.