ASP.Net website error logging in with AnomalyDetected

ready1 · January 16, 2019, 2:34am

Hi,

Our website has all off a sudden stopped being able to log in even though no changes has been updated to the project or auth0 settings.

Our project is an asp.net mvc and we use auth0 sdk in .net to do custom login. Our version of the .net is 4.6.2 and the auth sdk version is currently 4.2.0.

The code we used to log in a user is:

            var auth0 = new AuthenticationApiClient(new Uri("https://" + ConfigurationManager.AppSettings["auth0:Domain"]));
            var redirectUri = Request.Url.Scheme + "://" + Request.Url.Authority + "/signin-auth0";
            var response = await auth0.UsernamePasswordLoginAsync(new UsernamePasswordLoginRequest
            {
                Username = model.Email.Trim().ToLower(),
                Tenant = ConfigurationManager.AppSettings["auth0:Domain"].Split('.')[0],
                ClientId = ConfigurationManager.AppSettings["auth0:ClientIdForApi"],
                Connection = ConfigurationManager.AppSettings["auth0:ClientDatabase"],
                ResponseType = "code",
                RedirectUri = redirectUri,                    
                Password = model.Password,
                Scope = "openid email"                    
            });

and all of a sudden today we are now getting an exception when auth0.UsernamePasswordLoginAsync is invoked with this error:

ApiError:{
 Error: "AnomalyDetected",
 ErrorCode: "access_denied",
 Message: "Invalid state",
 StatusCode: 403
}

Any help would be appreciated.

Regards,
Jeremy

nicolas_sabena · January 21, 2019, 5:03pm

Hi @ready1

UsernamePasswordLoginAsync uses the /usernamepassword/login endpoint. This endpoint was deprecated at the beginning of 2018, so that it can’t be used except in the hosted login page. It was marked as obsolete in the .Net SDK and later removed.

I’m surprised it worked so long for you, TBH. In any case, the recommended path for ASP.Net MVC (pre .Net Core) apps is to use the OWIN OpenIdConnect middleware (as exemplified in our OWIN quickstarts), which handles all the OIDC protocol for you. See Auth0 ASP.NET (OWIN) SDK Quickstarts: Login for more details.