AuthenticationRequestHandlerWrapper throw An error was encountered while handling the remote login while calling HandleRequestAsync method

[Rahul21199]

Which version of Duende IdentityServer are you using?
7.0.6

Which version of .NET are you using?
8

Describe the bug

We are intermittently encountering a Microsoft.AspNetCore.Authentication.AuthenticationFailureException error with the message 'An error was encountered while handling the remote login.' The exact cause of this issue is unclear as it occurs randomly. Below is the complete stack trace:

StackTraceString:
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in //src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 38
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in //src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 44
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

Any insights or suggestions on how to resolve this would be greatly appreciated.

[RolandGuijt]

Can you tell us more about your setup? It looks like you're the dynamic provider feature. Can you please share the configuration of the provider in question.? Is it just happening with one particular provider or with others as well?

[Rahul21199]

Seems issue is with NonceCookie expiry . dotnet/aspnetcore#58780 . i am able to reproduce it by waiting 15 min in login page

[RolandGuijt]

This is common when a user takes too long to login. The reason is that the Microsoft ASP.NET Core OIDC handler generates some correlation values and puts them into a cookie in the client app, and then when the OIDC response returns to the client app the correlation cookie in the client app has expired. If you the expiration timeout to a value that is too big, then if the client creates lots of OIDC requests you'll end up with too many cookies creating another issue.

I recommend handling the error in the client and prompting the user if they want to try to login again. Chances are when you re-trigger OIDC they will still have a valid SSO session at IdentityServer.

[maartenba]

(note: we're moving this issue to our new community discussions)

[RolandGuijt]

@Rahul21199 Did my comment help you out? If not feel free to follow up. Else I'd like to close this.