netcore with azure ad using oidc and the browser back button after sign in causing exceptions

So I have a newly created netcore application linked to my azure active directory account with middleware setup as follows:

        // Cookie middleware: holds the local session once the OIDC sign-in completes.
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true
        });

        // OpenID Connect middleware: redirects unauthenticated users to Azure AD and
        // handles the response posted back to CallbackPath (/signin-oidc).
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            ClientId = Configuration["Authentication:AzureAd:ClientId"],
            Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
            CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
            Events = new OpenIdConnectEvents
            {
                // Only these two events are wired up here.
                OnAuthenticationFailed = OnAuthenticationFailed,
                OnAuthorizationCodeReceived = OnAuthorizationCodeReceived
            }
        });

My callback path is the default, "CallbackPath": "/signin-oidc", my Azure sign-on URL is http://localhost:20352/ and the reply URL is http://localhost:20352/signin-oidc.

Now I can go through the sign-in process fine, but if you hit the browser back button a few times I'm hitting this blow-up:

An unhandled exception occurred while processing the request.

Exception: Correlation failed. Unknown location

AggregateException: Unhandled remote failure. (Correlation failed.) Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__5.MoveNext()

How or where can I catch this exception to handle it accordingly? Or is there something wrong with my middleware setup that is causing this?

The two events above are never hit.

Edit: It may be helpful to know that the URL that blows up after the browser back button is "http://localhost:20352/signin-oidc",

which obviously doesn't exist as a valid controller / action route.

asked by james, Jun 23 '16 02:06


1 Answer

This error when you click the back button is due to the browser re-using a call to the Authorize endpoint of your identity provider, with the old Nonce and State parameters, which are no longer valid.

When your application issues an authentication challenge and initiates a redirect to your identity provider, it temporarily stores those values so that it can verify that the response and token obtained in the callback are valid. This is what is meant by "Correlation".

The reason that your event handlers are not being called is that you want to handle the RemoteFailure event instead, e.g. redirect to an error screen:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Register with: Events = new AuthenticationEvents() on OpenIdConnectOptions.
public class AuthenticationEvents : OpenIdConnectEvents
{
    // Raised when the remote handler fails (e.g. "Correlation failed."),
    // before the exception surfaces as an unhandled error.
    public override Task RemoteFailure(FailureContext context)
    {
        // Tell the middleware the response has been dealt with here.
        context.HandleResponse();
        // Send the user to an error page instead of throwing.
        context.Response.Redirect("/Home/Error");
        return Task.FromResult(0);
    }
}
answered by TallMcPaul, Nov 14 '22 23:11
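To make the "Correlation" step in the answer concrete, here is an added, self-contained C# model of what the middleware does with State and Nonce between the challenge and the callback. It is not code from the question, the answer, or ASP.NET Core; the `CorrelationStore` class, its `IssueChallenge`/`ValidateCallback` methods and the `CorrelationResult` values are hypothetical names chosen for this illustration, and it assumes a modern .NET runtime (6 or later) for `RandomNumberGenerator.Fill` and `CryptographicOperations.FixedTimeEquals`. The point it shows is that a stored State/Nonce pair is single-use and time-bounded, so a callback replayed by the back button cannot correlate and must be handled as a failure rather than as a sign-in.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Possible outcomes of checking a callback against the values stored at challenge time.
public enum CorrelationResult { Ok, UnknownState, Expired, NonceMismatch }

// Hypothetical model of the correlation bookkeeping: remember (state, nonce, expiry)
// when the challenge is issued, and accept a callback only once, before expiry,
// with a nonce that matches what was stored.
public sealed class CorrelationStore
{
    private readonly Dictionary<string, (string Nonce, DateTimeOffset Expires)> _pending = new();
    private readonly TimeSpan _lifetime;

    public CorrelationStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Challenge: generate fresh State and Nonce, store them, and return them so the
    // caller can put them on the redirect to the identity provider.
    public (string State, string Nonce) IssueChallenge(DateTimeOffset now)
    {
        var state = RandomToken();
        var nonce = RandomToken();
        _pending[state] = (nonce, now + _lifetime);
        return (state, nonce);
    }

    // Callback: consume the pending entry. A second arrival of the same State
    // (browser back button re-posting to /signin-oidc) finds nothing and fails.
    public CorrelationResult ValidateCallback(string state, string nonceFromIdToken, DateTimeOffset now)
    {
        if (state is null || !_pending.TryGetValue(state, out var entry))
            return CorrelationResult.UnknownState;

        _pending.Remove(state); // single use, whatever the outcome below

        if (now > entry.Expires)
            return CorrelationResult.Expired;

        if (!FixedTimeEquals(entry.Nonce, nonceFromIdToken ?? string.Empty))
            return CorrelationResult.NonceMismatch;

        return CorrelationResult.Ok;
    }

    // 256 bits from the CSPRNG, base64-encoded; unguessable so a third party
    // cannot construct a callback that correlates with a victim's challenge.
    private static string RandomToken()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Constant-time comparison; returns false for differing lengths.
    private static bool FixedTimeEquals(string a, string b) =>
        CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(a), Encoding.UTF8.GetBytes(b));
}

public static class Demo
{
    // Mirrors the answer's RemoteFailure handler: a failed correlation becomes a
    // redirect target rather than an unhandled exception.
    public static string HandleCallback(CorrelationResult result) =>
        result == CorrelationResult.Ok ? "/" : "/Home/Error";

    public static void Main()
    {
        var store = new CorrelationStore(TimeSpan.FromMinutes(15));
        var t0 = DateTimeOffset.UtcNow;

        // Constructed scenario: one challenge, then the callback arrives twice.
        var (state, nonce) = store.IssueChallenge(t0);

        var first = store.ValidateCallback(state, nonce, t0.AddSeconds(5));
        Console.WriteLine($"first callback:  {first} -> {HandleCallback(first)}");   // Ok -> /

        var replay = store.ValidateCallback(state, nonce, t0.AddSeconds(30));
        Console.WriteLine($"back button:     {replay} -> {HandleCallback(replay)}"); // UnknownState -> /Home/Error

        // A challenge whose callback arrives after the lifetime is also rejected.
        var (lateState, lateNonce) = store.IssueChallenge(t0);
        var late = store.ValidateCallback(lateState, lateNonce, t0.AddMinutes(16));
        Console.WriteLine($"stale callback:  {late} -> {HandleCallback(late)}");    // Expired -> /Home/Error

        // A callback carrying a nonce that was never issued for this State fails too.
        var (s3, _) = store.IssueChallenge(t0);
        var wrongNonce = store.ValidateCallback(s3, "not-the-issued-nonce", t0.AddSeconds(1));
        Console.WriteLine($"nonce mismatch:  {wrongNonce} -> {HandleCallback(wrongNonce)}"); // NonceMismatch -> /Home/Error
    }
}
```

In the real middleware the stored half lives in the correlation cookie and the nonce cookie rather than in a dictionary, and the comparison against the `id_token`'s `nonce` claim happens inside the handler, but the shape is the same: the second, replayed callback has nothing left to correlate with, which is exactly the case the answer's `RemoteFailure` override turns into a redirect.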