1 Reply Latest reply on May 22, 2018 5:28 PM by jdryden

    An issue in using OpenId Connect with PI Vision


      We would like to use openid connect with PI vision through IdP,  we developed the IdP based on Identityserver4. After configuration claims authentication  for PI Vision,

      The PI vision website can redirect to identityserver(SSO) Login Form when we tried to open the  PI vision website, then we input username and password in SSO, the

      SSO can authenticate the user, But, the browser threw  following expection after login.

      "IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'."

      Do you have any idea about this expection?

      Thank you in advance.

        • Re: An issue in using OpenId Connect with PI Vision

          The IDX10311 error that you mentioned can be caused by the browser not correctly sending a cookie to PI Vision when the browser is redirected back to PI Vision by the IdP. One potential situation where this can occur is when the redirect URL in your OpenID Connect client configuration uses a different domain name than is used to initially connect to PI Vision.


          For example, when you first connect to PI Vision using a hostname:




          But are then redirected back to PI Vision using FQDN (per your OID client config):




          In this scenario, your browser receives a nonce in a cookie from myPIVisionServer but it will not send this cookie back when redirected instead to myPIVisionServer.abc.com, because your browser considers these to be different domains.


          Are you connecting to PI Vision using the exact same domain name as your redirect_uri setting on your OpenID Connect client configuration? If not, please try doing so.


          If you do not suspect the above reason for the issue, please inspect the first request made to PI Vision after being redirected back from your IdP, it should be a POST to /PIVision/ that includes a cookie header:

          If this header is missing or does not include a value of "OpenIdConnect.nonce...", then a browser policy may be blocking the cookie from being sent.

          2 of 2 people found this helpful