We are currently in the process of hardening our OIDC implementation. As part of this, we want state to be validated.
However, after enabling RequireState and RequireStateValidation, we get an exception:
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidStateException: 'IDX21329: RequireState is 'True' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.'
After further investigation, I see that inside the OpenIdConnectProtocolValidator, OpenIdConnectProtocolValidationContext.State remains null.
When looking into where this is created, it seems that State is never set on this context:
AspNetKatana/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs
Line 390 in ab378cf
This product is in maintenance mode, feature updates aren't expected. If someone would like to submit a PR then we can at least get this into the nightly builds.
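The behaviour reported above can be reproduced outside the middleware by calling the validator directly. This is an added example, not code from the issue, from Katana or from IdentityModel. It assumes the Microsoft.IdentityModel.Protocols.OpenIdConnect package and a code-only callback; the client id, code and state values are constructed, and `Check` is a hypothetical helper.

```csharp
using System;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

static class StateValidationDemo
{
    // Hypothetical helper: validates a constructed code-only callback and
    // returns either "accepted" or the exception the validator raised.
    static string Check(string expectedState, string returnedState)
    {
        var validator = new OpenIdConnectProtocolValidator
        {
            RequireState = true,
            RequireStateValidation = true
        };

        var context = new OpenIdConnectProtocolValidationContext
        {
            ClientId = "example-client",              // constructed value
            State = expectedState,                    // value the relying party stored before redirecting
            ProtocolMessage = new OpenIdConnectMessage
            {
                Code = "constructed-authorization-code",
                State = returnedState                 // value received on the callback
            }
        };

        try
        {
            validator.ValidateAuthenticationResponse(context);
            return "accepted";
        }
        catch (OpenIdConnectProtocolException ex)
        {
            // OpenIdConnectProtocolInvalidStateException derives from this type.
            return ex.GetType().Name + ": " + ex.Message;
        }
    }

    static void Main()
    {
        // Case from the issue: the context's State was never populated.
        Console.WriteLine(Check(null, "s-123"));
        // Expected state supplied and equal to the returned one.
        Console.WriteLine(Check("s-123", "s-123"));
        // Expected state supplied but the callback carries a different value.
        Console.WriteLine(Check("s-123", "some-other-value"));
    }
}
```

Comparing the first and second calls shows that the validator can only enforce RequireState when the caller supplies the expected value in the context's State property.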