Authentication does not work in ASP.NET MVC OpenIdConnect when I turn off Implicit Flow

Reza · March 1, 2021, 3:30pm

I followed the documentation regarding how to implement Authentication Code Flow

Authorization Code Flow
Add Login Using the Authorization Code
Also, as was suggested in the latter, I followed the Quckstart as well, making sure my code and config are identical to the given example.

Then I disabled all the authentication flows except Authorization Code and Refresh Token. Now I when I try login with my test user I get an error saying:
unauthorized_client : Grant type ‘implicit’ not allowed for the client.

When I enable Implicit flow of course it works, but why would I need to enable it even though the documentation says I’m doing an Authorization Code flow?

If the documentation is wrong (or misleading) how can I enable Authorization Code flow (as opposed to Implicit flow) in the given ASP.NET MVC (OWIN) example?

cibrax · March 1, 2021, 5:05pm

Hi Reza,

What OWIN example are you using for this ? Implicit Flow runs client side (javascript apps). In an MVC application, there is a callback url running server side so it should be Authorization Code Flow as you stated. In your case, it seems the redirection to the Authorization Server is happening client side so it tries to use implicit flow.

Thanks

Reza · March 2, 2021, 6:59am

Thanks for your reply!

I am using this example:

This is the redirection I pasted from the browser; broken down in multiple lines to make it more readable.
https://.eu.auth0.com/authorize?client_id=&
redirect_uri=%2Fcallback&
response_type=code%20id_token&
scope=openid%20profile%20email&state=OpenIdConnect.AuthenticationProperties%3D4Lp7Uxk2sNstiaR2pqrC3PJwy8r_YzVlLEbl_hEpf-3N6yzQ_VTw2jXFKXTsg4I7I_AbhDv8CMimSoiVHeLl_nDDrKpajQQVjhp2gdnbJ7IOfLl1H-PRsGFXTnjFt-5CK7IZHLxC1mpyWuKmm7I7Vbh9Fzu4FpC3NXi71fYoZO7iRvcjesINmAdQc3xgOsO690jyxkG_f1xn1C5fBSiGiKN_4ARi4XU9YDl3tdqr11g&
response_mode=form_post&
nonce=637502075583186529.MTNhZmVhYWUtZDdjZi00YjZlLThlZGQtYzU4NDUyYTU0NDIwZjBiZmM3M2YtMTVjZS00YmQzLTkyYzUtZWIyOTA5ODIwYjE3&
x-client-SKU=ID_NET461&
x-client-ver=5.3.0.0

I’m also expecting it to be Authorization Code Flow, but why when I turn off Implicit in the Advanced settings, it stops working and gives me the error:

cibrax · March 2, 2021, 1:10pm

Everything on your end looks right to me. Even the response type in the URL is code, which means Autorization Code Flow.

This looks more like an issue on the Auth0 side to me.

Thanks