Issue with Microsoft login using OpenID Connect in ASP.NET Core production environment

Problem Description: I’m encountering an issue with Microsoft login integration using OpenID Connect in my ASP.NET Core application specifically in the production environment.

Locally, the authentication works fine, but when deployed to production, I’m consistently receiving the following exception:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: ‘invalid_grant’, error_description: ‘AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: 799927cb-d118-4e83-b1e4-6f2ebe724400 Correlation ID:

Environment: this issue is specific to the production environment; locally, the authentication process works as expected.

Code: I’ve included the relevant code snippet from my Program.cs file where I configure the authentication using AddOpenIdConnect.

// Cookie is the default and sign-in scheme; OpenID Connect handles the challenge.
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "OpenIdConnect";
})
.AddCookie(options =>
{
    // SameSite=None requires Secure; the cookie is also hidden from script.
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.HttpOnly = true;
})
.AddOpenIdConnect("OpenIdConnect", options =>
{
    // Note: BuildServiceProvider() inside registration creates a second container
    // (a known anti-pattern); it is kept here as posted.
    var microsoftOptions = builder.Services.BuildServiceProvider().GetRequiredService<IOptions<MicrosoftAuthenticationOptions>>().Value;
    options.ClientId = microsoftOptions.ClientId;
    options.ClientSecret = microsoftOptions.ClientSecret;
    options.Authority = microsoftOptions.Authority;
    options.CallbackPath = "/signin-oidc";
    // Authorization code flow; the code is redeemed server-side at the token endpoint.
    options.ResponseType = "code";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = options.Authority,
        ValidAudience = options.ClientId
    };
    // Persist access/refresh/id tokens in the authentication cookie.
    options.SaveTokens = true;
    options.UsePkce = true;
    options.Scope.Add("openid");
    options.Scope.Add("email");
    options.Scope.Add("profile");
    // Keep the cookie lifetime independent of the id_token expiry.
    options.UseTokenLifetime = false;
});

Troubleshooting steps taken:

  • Checked the client credentials (client ID and secret) to ensure they are correct.
  • Verified the authority URL and callback path configuration.
  • Reviewed the token validation parameters to ensure they are set correctly.
  • Tried adjusting the authentication settings such as UsePkce and UseTokenLifetime, but the issue persists.

Goals

  • I want to understand why this exception occurs specifically in the production environment. In the local environment, it’s working well.
  • I want to identify any misconfiguration or issues in the authentication setup.
  • Find a resolution or workaround to successfully authenticate users with Microsoft login using OpenID Connect in the production environment.

Any insights or suggestions on resolving this issue would be greatly appreciated. Thank you in advance for your assistance!
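As an added example (not part of the question or the poster's Program.cs), the following handler captures the OpenIdConnectProtocolException details that matter when investigating a production-only sign-in failure: the AADSTS code, the Trace ID and Correlation ID from the error description, and the instance name, so it is visible whether callbacks for one sign-in are landing on more than one server. The "OpenIdConnect" scheme name and the "/auth-error" page are assumptions.

```csharp
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Added example: attach diagnostics to the OIDC handler configured elsewhere
// with the same scheme name ("OpenIdConnect" is assumed to match the app's registration).
builder.Services.AddOptions<OpenIdConnectOptions>("OpenIdConnect")
    .Configure<ILoggerFactory>((options, loggerFactory) =>
    {
        var logger = loggerFactory.CreateLogger("OidcDiagnostics");

        options.Events.OnRemoteFailure = context =>
        {
            var failure = context.Failure;

            if (failure is OpenIdConnectProtocolException)
            {
                // Entra ID error descriptions carry the AADSTS code plus the
                // Trace/Correlation IDs needed when raising the case with the provider.
                var message = failure.Message;
                var aadsts = Regex.Match(message, @"AADSTS\d+").Value;
                var traceId = Regex.Match(message, @"Trace ID: ([0-9a-fA-F-]+)").Groups[1].Value;
                var corrId = Regex.Match(message, @"Correlation ID: ([0-9a-fA-F-]+)").Groups[1].Value;

                // Instance name makes it visible whether the callback for one sign-in
                // is being processed by different servers behind a load balancer.
                logger.LogWarning(failure,
                    "OIDC remote failure {Code} on instance {Instance} for {Host}{Path} (trace {Trace}, correlation {Corr})",
                    aadsts, Environment.MachineName, context.Request.Host, context.Request.Path, traceId, corrId);
            }
            else
            {
                logger.LogWarning(failure, "OIDC remote failure on instance {Instance}", Environment.MachineName);
            }

            // Send the user to a friendly page instead of surfacing an unhandled 500.
            // "/auth-error" is an assumed route in this example.
            context.Response.Redirect("/auth-error");
            context.HandleResponse();
            return Task.CompletedTask;
        };
    });
```

Correlating these log entries across instances for a single failed sign-in shows whether the same authorization code is being redeemed more than once, which is what AADSTS54005 reports.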
