I am using OpenIdConnect for authentication against Azure in DXC and it works fine. However, if I try to link directly to an asset (image, document, etc.) before authenticating, I get the following error:
IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.
If I authenticate first and then hit the link, it works fine. I can't reproduce it on my local machine running IIS Express.
Can anyone else using OpenIdConnect confirm that they are having the same issue?
Can you first clarify for us that the asset URL is not the edit URL, i.e. something like this: [YOUR-HOST-HERE]/EPiServer/CMS/Content/globalassets/en/alloy-meet/alloymeet.png,,61_62?epieditmode=False, BUT rather a URL like this: /globalassets/alloy-meet/alloymeet.png, when trying to access an asset while not logged in.
If the URL is not the edit URL but the "real public URL", do you get the RequireNonce error even when trying to access an asset with another browser in private mode (just to rule out possible cookies from bad / aborted logins using OIDC)?
This is an old issue posted against IdentityServer3, https://github.com/IdentityServer/IdentityServer3/issues/542 (from 2015), but it describes the same problem, and if you scroll to the point where Kentor.OwinCookieSaver is mentioned, it eventually fixed the issue for the reporter.
We are still using Kentor.OwinCookieSaver in our OIDC implementations, so you would need to add the package https://www.nuget.org/packages/Kentor.OwinCookieSaver/ to your solution and add this to your OWIN startup Configuration method before any other OWIN middleware:
Kentor.OwinCookieSaver GitHub project: https://github.com/Sustainsys/owin-cookie-saver
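The OWIN startup shape the reply above refers to, as an added example that is not code from the original post, from Episerver, or from the Kentor/Sustainsys project. It registers Kentor.OwinCookieSaver as the very first middleware, then the cookie and OpenID Connect middleware for Azure AD; the ClientId, Authority, RedirectUri values and the namespace MySite are placeholders, and the stage marker is the usual choice for the IIS integrated pipeline rather than something the post states. Note that nonce validation is deliberately left enabled: setting RequireNonce to false, as the IDX10311 message suggests, would hide the symptom but also remove the replay protection the nonce provides for the id_token.

```csharp
// Added example (not code from the original post, Episerver, or the Kentor project).
// Assumes the Kentor.OwinCookieSaver, Microsoft.Owin.Security.Cookies,
// Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Host.SystemWeb packages.
using Kentor.OwinCookieSaver;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MySite.Startup))]

namespace MySite // placeholder namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Must be the first middleware in the pipeline. The OIDC middleware writes its
            // nonce and correlation cookies during the redirect to Azure AD; if System.Web
            // later touches the session on the same request those cookies can be dropped,
            // and the callback then fails with IDX10311 (the IdentityServer3 #542 symptom).
            app.UseKentorOwinCookieSaver();

            // The application cookie the OIDC middleware signs the user into.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = "<your-azure-app-id>",                                // placeholder
                Authority = "https://login.microsoftonline.com/<your-tenant-id>", // placeholder
                RedirectUri = "https://www.example.com/",                        // placeholder; must match the app registration
                ResponseType = "id_token"
                // RequireNonce is intentionally left at its default (true).
                // Disabling it silences IDX10311 but removes id_token replay protection.
            });

            // Run authentication at the Authenticate stage of the IIS integrated pipeline
            // so protected assets are challenged before the request reaches the handler.
            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }
}
```

If the cookie saver does not help, the useful check is the one the thread goes on to make: compare the Set-Cookie headers on the redirect to Azure AD between the dxcloud hostname and the custom domain, since a CDN or proxy that strips or rewrites cookies in front of one hostname but not the other produces exactly a missing nonce on the callback.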
Thanks for the reply Antti.
I am using the "real public URL" and I have been testing with the browser in private mode. I have tried the OwinCookieSaver in the past with no luck. I can see that the cookie indicating that I am authenticated is not being set, but I am not sure why.
I'm assuming the assets are "protected" and don't have read access for Everyone?
Correct. If I use the address that EPiServer gives me, http://xxx.dxcloud.episerver.net, it seems to work fine. However, if I use our custom domain name, it does not work.
I think that hostname is without the Cloudflare CDN, so it probably has something to do with that. You can try pointing a hosts file entry at the IP of the dxcloud name to validate that it is a CDN issue and not something in your app configuration.
We are using DXC. My understanding is that a hosts file entry would not affect us.