[Bug] exception when deserialize openid provider configuration in net8.0.100-rc.1

[Sebbstar]

Which version of Microsoft.IdentityModel are you using?

using Microsoft.IdentityModel 7.00.2.40929

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

Is this a new or an existing app?

We are developing an app and switched to net8.RC recently. But in net8 the Authorization server metadata couldn't get parsed any longer. Probably because of a upper case letter in the json configuration properties.

Repro

We are using the OpenIdConnect middleware for oauth authentification.
using in conjunction with net7 works fine but using 8.0.100-rc.1.23455.8 fails with the exception appended at the end. Maybe it is problem of the underlying json deserializer.

Our oauth providers , I guess a bit special, configuration 🙄 returns the property Response_modes_supported twice. One starts with an upper case "R" which seems to be the problematic character.

https://[identity.myurl.com/oauth2/token/.well-known/openid-configuration](https://identity.myurl.com/oauth2/token/.well-known/openid-configuration)

{
    "request_parameter_supported": true,
    "claims_parameter_supported": true,
    "introspection_endpoint": "https://identity.xxxx.com:443/oauth2/xxx",
    "Response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
}

Expected behavior
I expect to be able to use the oauth provider with net8 like in net7.
Our oauth provider is quite reluctant to change anything so I hope it is possible to make net8 at this point compatible to net7

Actual behavior
OpenIdConnectConfigurationSerializer throws an exception when trying to deserialize the oauth provider configuration

Possible solution

Additional context / logs / screenshots / links to code

fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
      System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://identity-t.myurl.com/oauth2/token/.well-known/openid-configuration'. Will retry at '10/04/2023 09:25:11 +00:00'. Exception: 'System.Text.Json.JsonException: IDX11022: Expecting json reader to be positioned on 'JsonTokenType.StartArray', reader was positioned at: 'String', Reading: 'Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration.response_modes_supported', Position: '177', CurrentDepth: '2', BytesConsumed: '184'.
         at Microsoft.IdentityModel.Tokens.Json.JsonSerializerPrimitives.ReadStrings(Utf8JsonReader& reader, ICollection`1 strings, String propertyName, String className, Boolean read)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(Utf8JsonReader& reader, OpenIdConnectConfiguration config)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(String json, OpenIdConnectConfiguration config)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(String json)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)'.
       ---> System.Text.Json.JsonException: IDX11022: Expecting json reader to be positioned on 'JsonTokenType.StartArray', reader was positioned at: 'String', Reading: 'Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration.response_modes_supported', Position: '177', CurrentDepth: '2', BytesConsumed: '184'.
         at Microsoft.IdentityModel.Tokens.Json.JsonSerializerPrimitives.ReadStrings(Utf8JsonReader& reader, ICollection`1 strings, String propertyName, String className, Boolean read)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(Utf8JsonReader& reader, OpenIdConnectConfiguration config)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(String json, OpenIdConnectConfiguration config)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(String json)
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
         --- End of inner exception stack trace ---
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
         at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
         at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
         at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
         at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
         at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.<>c__DisplayClass0_0.<<HandleAsync>g__Handle|0>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
info: Microsoft.Hosting.Lifetime[0]
      Application is shutting down...
exited with code 0

[brentschmaltz]

@Sebbstar we see the problem, should have a fix out soon.

[brentschmaltz]

@Sebbstar this was fixed with #2491

We should have a release out soon.

[eaexo]

@brentschmaltz is it really fixed and released?

I have net 8 sdk 8.0.303 and NET 8.0.8 and also have an issue where both Response_modes_supported and response_modes_supported are contained in the openid provider configuration.

[eaexo]

@brentschmaltz is it really fixed and released?

I have net 8 sdk 8.0.303 and NET 8.0.8 and also have an issue where both Response_modes_supported and response_modes_supported are contained in the openid provider configuration.

the issue was, then even I used
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.8" />

it pulled Microsoft.IdentityModel.Protocols.OpenIdConnect 7.1.2 and dependencies.

I had to add
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.2"/>
to my csproj file, now it works :-)