The Nonce Cannot Be Validated - Troubleshooting 'Sign In Failed' Errors in Power Pages

2023-10-06

All articles from this blog can ONLY be redistributed on an Attribution-NonCommercial-NoDerivs basis. Please credit the source, thank you.
Twitter: @kelvinshen
Blog: Kelvin Shen's Blog

Introduction

This post investigates a perplexing scenario seen in Power Pages sites using Azure AD B2C: a user reported that her first attempt to sign in to the site failed, while an immediate second attempt succeeded. We can reproduce the issue reliably.

Symptom

The user has authenticated with AAD B2C successfully, because we can see the URL switching from the AAD B2C login page back to the Power Pages site. However, the user was greeted with the “Sign in failed” message instead of completing the login.


The user then clicks the “Sign in” button again and retries exactly the same sign-in steps, this time successfully.

Raw Error Message

We had to open a Microsoft Support ticket to get the raw error message. The error message is not available in the Azure Portal.

Exception during OpenIdConnect or Azure Authentication in Microsoft.IdentityModel.Protocols.OpenIdConnect: IDX21323: RequireNonce is '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Technical Analysis

Understanding Nonce

In the raw error message above, note the phrase “Nonce was null”.

A nonce (number used once) is a security mechanism in authentication protocols. It helps prevent replay attacks by ensuring each authentication request is unique.

Nonce Mismatch

In this case, the error message “Nonce was null” indicates a discrepancy between the nonce generated by Power Pages and the one expected by Azure AD B2C. This often happens when:

  • A user bookmarks an Azure AD B2C login URL that included an old nonce.
  • Browser extensions or custom scripts interfere with nonce storage in cookies.

How Nonces Work

Power Pages redirects to Azure AD B2C, including a newly generated nonce in both the URL and a cookie. Azure AD B2C validates the nonce when the authorization response is sent back.

User Behavior Replay

When a user clicks the “Sign In” button, the Power Pages site redirects the user to the AAD B2C login page with a freshly generated nonce.

The Power Pages site URL looks like this:

https://northwindprod.powerappsportals.com/

The generated AAD B2C login page URL looks like this:

https://northwindb2cproducao.b2clogin.com/northwindb2cproducao.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1a_totp_signup_signin&client_id=09679ccb-d551-46f4-984c-24f9299d9e37&redirect_uri=https%3A%2F%2Fnorthwindprod.powerappsportals.com%2Fsignin-b2c&response_type=code%20id_token&scope=openid&state=OpenIdConnect.AuthenticationProperties%3DSoklFwaVty3CY85abAKl2lGWjEN6f_tSHqviGV8ftYpigISAo1fWRRBwCIBLoQA4_I9jYLiTtxS5-9ujt1_Kz2IhUGMOUPpDI-eCtFfDxALHcWIFpdPOiYfzMsrrMvODCFwmOTZpcViwMV_o4N3QRkeWACtCysvcoz3T3UmbhMZCW576ZHsDqJytAGQrOfSvDaU6vCoy2-NVKCo6fo5tCYshf06kOEPs-JoF3vyH4Obf01AycyP8cR-70SfUDdl7bCXQJfO4qAQxjirzYwotIXDwbDRLorichqiG9yVVWXDtFP12QyBmBTGktPPe2706psMdLL-imYo1iSzTPkzGclmZXD--U0yWR9SAU-ONjkKUioahP1PxWjNY-O7dyGQKCYqH3GI7Efb4YM2BQ0pjVnDHW8kDN0QY_3UaUOhaqVLzVZ-P1gsEyivaatlGE4tKlYuLGXaiiv5WFncFw8INRw&response_mode=form_post&nonce=638404799672326332.NmJjMzViOGItNGY5Mi00YzM1LTgzYzktZTUwMjE0NWM4YzIzMjQyMzdhMGEtNTUxYi00NzdiLWE3ZDEtZWZiOGU1NmYzODE3&ui_locales=en-US&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

Some users bookmark the AAD B2C login page URL with all of its query string values, including the nonce. If they log in using the saved link, the nonce in the query string no longer matches the nonce in the cookie; in fact, there is no nonce cookie at all. That may be why we saw “Nonce was null” in the raw error message.

When the user clicks on the “Sign In” button again, a fresh nonce is generated and put in both the query string and the cookie. This is why the user can sign in successfully during the second attempt.
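To make the replay concrete, here is an added example (my own code, not Power Pages or the OWIN middleware) that models the relying-party side of the check: a nonce is minted into both a cookie and the authorize URL, the identity provider echoes it into the id_token, and the callback requires the cookie to exist and match. The endpoint, cookie name and error wording are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the real authorize endpoint and cookie name differ.
AUTHORIZE = "https://tenant.b2clogin.example/oauth2/v2.0/authorize"
NONCE_COOKIE = "OpenIdConnect.nonce"

class NonceError(Exception):
    pass

def start_login(cookies):
    """Relying party: mint a fresh nonce, store it in a cookie and in the authorize URL."""
    nonce = secrets.token_urlsafe(24)
    cookies[NONCE_COOKIE] = nonce
    query = {"response_type": "code id_token", "scope": "openid", "nonce": nonce}
    return AUTHORIZE + "?" + urlencode(query)

def simulate_idp(authorize_url):
    """Identity provider (simulated): echo the request nonce into the id_token payload."""
    nonce = parse_qs(urlparse(authorize_url).query)["nonce"][0]
    return {"sub": "user@example.test", "nonce": nonce}

def handle_callback(cookies, id_token):
    """Relying party: the cookie nonce must exist and match the id_token nonce; it is single-use."""
    expected = cookies.pop(NONCE_COOKIE, None)
    if expected is None:
        raise NonceError("ValidationContext.Nonce was null, id_token nonce was not null")
    if not secrets.compare_digest(expected, id_token["nonce"]):
        raise NonceError("nonce in id_token does not match the nonce cookie")
    return id_token["sub"]

def attempt(cookies, authorize_url):
    """Run one sign-in round trip and report the outcome as a string."""
    try:
        return "signed in as " + handle_callback(cookies, simulate_idp(authorize_url))
    except NonceError as err:
        return "Sign in failed: " + str(err)

def bookmarked_url_first_attempt():
    """Attempt 1: open a saved authorize URL in a session that never set the nonce cookie."""
    saved_url = start_login({})     # the nonce cookie lived in the old, discarded session
    return attempt({}, saved_url)   # new session: bookmark carries the old nonce, no cookie

def sign_in_button_second_attempt():
    """Attempt 2: click Sign In, so the nonce is minted into both the cookie and the URL."""
    session = {}
    return attempt(session, start_login(session))
```

Because the cookie is consumed on success, replaying the same authorization response a second time also fails with the “Nonce was null” outcome.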

Possible Solutions

  • User Education: Advise users to always sign in through the Power Pages site instead of bookmarking Azure AD B2C login pages.
  • Troubleshooting: Have users try disabling browser extensions when using the site. If custom scripts modify cookies, ensure they handle nonces correctly.

Additional Considerations

  • Browser Behavior: How different browsers store and manage cookies could play a role in these situations.
  • Azure AD B2C Configuration: Explore any specific Azure AD B2C settings that might affect nonce generation or validation.

Troubleshooting Considerations

When you use the browser’s developer tools to capture network traffic, tick the “Preserve log” checkbox. This ensures that the captured traffic is not lost when the page redirects or refreshes.


