OneLogin OpenId Connect integration shows MFA challenge to user twice


I recently completed an OpenId Connect integration of OneLogin to our asp.net core webapp.

I implemented the "authentication flow" and used the OneLogin OIDC .net sample app as a basis: https://github.com/onelogin/openid-connect-dotnet-core-sample

In our development and staging environments the OIDC integration works as expected, but in our production environment we see an oddity:

Once the user has completed their login and MFA challenge (we use Duo for the MFA challenge) the user is redirected back to perform their MFA challenge for a second time. After they've been through the MFA challenge for a second time, the flow redirects back to our app as expected.

Analysing the http requests it's clear that this looping back to the beginning of the MFA challenge is happening prior to the .net core "signin-oidc" callback in our web app. It all appears to be on the OneLogin side of things.

Specifically, after the MFA challenge has succeeded a request is made like so:

GET https://ourdomain.onelogin.com/trust/openid-connect/v2?client_id=etc

The result of the request is a redirect back to the start of the MFA challenge i.e.

https://ourdomain.onelogin.com/login2/?return=

I'd expect the user to only have to complete the MFA challenge once, instead of the twice that we're seeing.

I'm struggling to diagnose the issue as it doesn't appear to be related to my code. Any ideas?

1
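The question diagnoses the problem by reading the HTTP request sequence and noticing that the OneLogin authorization endpoint redirects back to the login/MFA page after a challenge has already been passed, before the ASP.NET Core "signin-oidc" callback is ever reached. The script below is an added example (not part of the question, and not from OneLogin's sample app) that automates that reading over a request trace such as one copied from a browser's network tab or a HAR file. It assumes the two OneLogin paths quoted in the question, ASP.NET Core's default "/signin-oidc" callback path, a hypothetical relying-party host "app.example.test", and two constructed traces (one showing the double-challenge loop, one healthy); the placeholder query values are not real identifiers.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse, parse_qs

# Paths taken from the question: the OneLogin authorization endpoint and the
# login/MFA page it redirects to. The callback path is ASP.NET Core's default.
AUTHZ_PATH = "/trust/openid-connect/v2"
LOGIN_PATH_PREFIX = "/login2/"
CALLBACK_PATH = "/signin-oidc"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    """One browser request, as read off the network tab or a HAR file."""
    method: str
    url: str
    status: int
    location: Optional[str] = None  # Location header, when the response redirects


def _path(url: str) -> str:
    # Works for absolute URLs and for relative Location headers alike.
    return urlparse(url).path


def analyse_trace(trace: List[Hop]) -> dict:
    """Count how many times the login/MFA page was shown before the RP callback
    was reached, and whether the authorization endpoint bounced the browser
    back to that page after a challenge had already been presented."""
    challenges_shown = 0          # GET /login2/ answered with 200: one challenge presentation
    bounces_after_challenge = 0   # authz endpoint -> login page, after a challenge was shown
    callback_reached = False
    callback_has_code = False
    for hop in trace:
        path = _path(hop.url)
        if path.startswith(LOGIN_PATH_PREFIX) and hop.method == "GET" and hop.status == 200:
            challenges_shown += 1
        elif path == AUTHZ_PATH and hop.status in REDIRECT_STATUSES and hop.location:
            # The first redirect to the login page is the normal start of the flow;
            # a later one, after a challenge was already shown, is the symptom.
            if _path(hop.location).startswith(LOGIN_PATH_PREFIX) and challenges_shown > 0:
                bounces_after_challenge += 1
        elif path == CALLBACK_PATH:
            callback_reached = True
            callback_has_code = "code" in parse_qs(urlparse(hop.url).query)
            break  # after the callback the RP's own code exchange starts; out of scope here
    return {
        "challenges_shown": challenges_shown,
        "bounces_after_challenge": bounces_after_challenge,
        "loop_detected": bounces_after_challenge > 0,
        "callback_reached": callback_reached,
        "callback_has_code": callback_has_code,
    }


# Constructed sample traces (hypothetical RP host, placeholder query values).
IDP = "https://ourdomain.onelogin.com"
APP = "https://app.example.test"
AUTHZ = (IDP + AUTHZ_PATH + "?client_id=CLIENT_ID_PLACEHOLDER&response_type=code"
         "&scope=openid&redirect_uri=https%3A%2F%2Fapp.example.test%2Fsignin-oidc"
         "&state=STATE_PLACEHOLDER")
LOGIN = IDP + LOGIN_PATH_PREFIX + "?return=RETURN_TOKEN_PLACEHOLDER"
CALLBACK = APP + CALLBACK_PATH + "?code=CODE_PLACEHOLDER&state=STATE_PLACEHOLDER"

# The sequence described in the question: MFA passed, then sent back to MFA once more.
LOOPING_TRACE = [
    Hop("GET", APP + "/account/login", 302, AUTHZ),
    Hop("GET", AUTHZ, 302, LOGIN),
    Hop("GET", LOGIN, 200),
    Hop("POST", LOGIN, 302, AUTHZ),   # password + Duo MFA accepted
    Hop("GET", AUTHZ, 302, LOGIN),    # symptom: authz endpoint bounces back to the login page
    Hop("GET", LOGIN, 200),
    Hop("POST", LOGIN, 302, AUTHZ),   # second MFA challenge accepted
    Hop("GET", AUTHZ, 302, CALLBACK),
    Hop("GET", CALLBACK, 200),
]

# The same flow without the extra bounce: one challenge, then straight to the callback.
HEALTHY_TRACE = LOOPING_TRACE[:4] + LOOPING_TRACE[7:]

if __name__ == "__main__":
    for name, trace in (("looping", LOOPING_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, analyse_trace(trace))
```

Because the script only looks at hops before the "/signin-oidc" callback, a loop it reports is by construction on the identity-provider side of the exchange, which is the distinction the question draws between "my code" and OneLogin's behaviour.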

1 answer

1
dan-snoop On

After going through OneLogin support this turned out to be a bug on their side. A workaround was to change the configuration option which controls how often to show the MFA. (It was previously set to always show the MFA challenge)