
Comments (30)

Tratcher commented on June 7, 2024

The next planned release is a 4.0 preview, I'll get this fixed by then.

from aspnetkatana.

defr0zen commented on June 7, 2024

Do you think it will be possible to ship this fix as an update for v3.1?

Tratcher commented on June 7, 2024

There is no update currently scheduled for v3.1 to include this in.

AjmalVh commented on June 7, 2024

Facing same issue here 😞

Tratcher commented on June 7, 2024

@kichalla does this look like what you just tested?

Have you enabled logging to see what the error was? I'd be curious to see what the cookie headers looked like for the ufotoday.com requests and responses.

YovavGad commented on June 7, 2024

Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:58:25.5599057Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:58:58.2207908Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:59:32.3959578Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:05:24.8723277Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:05:53.8060717Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:27:53.2208334Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:28:13.0852896Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:28:17.6501093Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:29:27.0164844Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:29:27.7532943Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:29:48.4572860Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:30:14.4257449Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainUserProfile
ProcessId=6156
DateTime=2017-04-08T06:30:14.5240712Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:31:03.3935372Z

kichalla commented on June 7, 2024

@kichalla does this look like what you just tested?

I verified it again now and it works for me. However, I verified it with the OOB MVC template and haven't done any customization.

YovavGad commented on June 7, 2024

@kichalla are you using a recent Microsoft account?
I wasn't able to find my old apps and had to create a new one with the details above.
Can you tell me if you're using the same settings?

Platforms: Web
Allow Implicit Flow: YES
Redirect URIs:
https://localhost:44300/signin-microsoft
https://ufotoday.com/signin-microsoft

Microsoft Graph Permissions: User.Read
Application Permissions: Profile

Tratcher commented on June 7, 2024

As a baseline, the MSA provider works if I only specify the ClientId and ClientSecret, no scopes required. My app does not have any Permissions specified either.

I see one small bug here with the e-mail:

Email = PropertyValueIfExists("mail", userAsDictionary);
if (Email == null)
{
    Email = PropertyValueIfExists("userPrincipalName", userAsDictionary);
}

It first checks for the "mail" entry, which is present but null, so it returns string.Empty. Then it checks if that value was null, which does not match string.Empty, so it does not proceed to get the real e-mail value from "userPrincipalName". This should be easy to work around by directly extracting "userPrincipalName" from the JObject User on the context.

var email = context.User["userPrincipalName"];
if (email != null) context.Identity.AddClaim(new Claim("urn:microsoft:email", email.ToString()));

Adding Microsoft Graph Permissions: User.Read doesn't seem to change anything. Profile does not appear to be an available Application Permission, Profile is the heading of the next config section.

Requesting scope "openid" breaks it because it does not get back an access_token, only an id_token. If you want to use this flow you'll need to use OpenIdConnect instead.

If I just specify the email or profile scopes then the login portal rejects them as invalid.

Summary: You don't need scopes, and there's a small bug we need to address with reading the e-mail.

from aspnetkatana.
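
The null-versus-empty problem described in the comment above, as an added C# example that is not part of the thread or the Katana source. `PropertyValueIfExists` here is a hypothetical stand-in written to match the described behaviour, the profile JSON is constructed, and `EmailAsDescribed`, `StringOrNull` and `EmailWithFallback` are illustrative names; it assumes Newtonsoft.Json (Json.NET) is referenced.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json.Linq;

static class EmailFallbackDemo
{
    // Hypothetical stand-in for the helper discussed above (not the Katana source):
    // a missing key yields null, but a key holding JSON null yields string.Empty,
    // because Json.NET represents JSON null as a JValue whose ToString() is "".
    static string PropertyValueIfExists(string property, IDictionary<string, JToken> dictionary)
    {
        return dictionary.ContainsKey(property) ? dictionary[property].ToString() : null;
    }

    // The pattern quoted in the thread: the fallback only runs when "mail" is absent.
    static string EmailAsDescribed(IDictionary<string, JToken> user)
    {
        string email = PropertyValueIfExists("mail", user);
        if (email == null)
        {
            email = PropertyValueIfExists("userPrincipalName", user);
        }
        return email;
    }

    // Collapse missing, JSON null, empty and whitespace-only values to null.
    // A plain "token != null" check is not enough: a JSON null is a non-null JToken.
    static string StringOrNull(JToken token)
    {
        if (token == null || token.Type == JTokenType.Null)
        {
            return null;
        }
        string value = token.ToString();
        return string.IsNullOrWhiteSpace(value) ? null : value;
    }

    // Fallback that also covers "mail": null. Returns null when neither field is
    // usable, so the caller can skip the claim instead of issuing an empty one.
    static string EmailWithFallback(JObject user)
    {
        return StringOrNull(user["mail"]) ?? StringOrNull(user["userPrincipalName"]);
    }

    static string Show(string value)
    {
        return value == null ? "(null)" : "\"" + value + "\"";
    }

    static void Main()
    {
        // Constructed profile responses for illustration, not captured from a real account.
        string[] samples =
        {
            "{\"mail\": \"user@example.com\", \"userPrincipalName\": \"user@example.com\"}",
            "{\"mail\": null, \"userPrincipalName\": \"user@example.com\"}",
            "{\"userPrincipalName\": \"user@example.com\"}",
            "{\"mail\": null, \"userPrincipalName\": null}"
        };

        foreach (string json in samples)
        {
            JObject user = JObject.Parse(json);
            Console.WriteLine(json);
            Console.WriteLine("  as described:  " + Show(EmailAsDescribed(user)));
            Console.WriteLine("  with fallback: " + Show(EmailWithFallback(user)));
        }
    }
}
```

In an `OnAuthenticated` callback the same check applies to `context.User`: add the e-mail claim only when the fallback returns a non-null value, so downstream account matching never sees an empty e-mail claim.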

YovavGad commented on June 7, 2024

Thanks @Tratcher, it works like you said, when not specifying scopes, but without the email.

Is it scheduled to be fixed on v4 only or before that?

These are my requests, just in case they can help to resolve the bug:

Request URL:https://login.live.com/oauth20_authorize.srf?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A44300%2Fsignin-microsoft&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ&login_hint=yovavgad%40gmail.com&ui_locales=en-US&display=page&uaid=67551f66c693422ebdb158c961e9264f&issuer=mso&tenant=common&msproxy=1
Request Method:GET
Status Code:302 Found
Remote Address:131.253.61.96:443
Referrer Policy:no-referrer-when-downgrade

Response:
Cache-Control:no-cache
Connection:close
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Thu, 13 Apr 2017 11:01:59 GMT
Expires:Thu, 13 Apr 2017 11:01:00 GMT
Location:https://localhost:44300/signin-microsoft?code=M3bd1b08f-2247-87e2-a77d-21ae9524fa50&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ
P3P:CP="DSP CUR OTPi IND OTRi ONL FIN"
Pragma:no-cache
Server:Microsoft-IIS/8.5
Set-Cookie:uaid=67551f66c693422ebdb158c961e9264f; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:MSPShared= ; HTTPOnly= ; domain=login.live.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT
Set-Cookie:MSPCID=8c97e218c7fbd7f6; HTTPOnly= ; domain=login.live.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT;secure=
Set-Cookie:WLOpt=credtype=1&act=[1];domain=login.live.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT;secure=
Set-Cookie:MSPRequ=lt=1492081320&co=2&id=N; secure= ;path=/;HTTPOnly=;version=1
Set-Cookie:PPLState=1; domain=.live.com;path=/;version=1
Strict-Transport-Security:max-age=31536000
X-Content-Type-Options:nosniff
X-XSS-Protection:1; mode=block

Request URL:https://localhost:44300/signin-microsoft?code=M3bd1b08f-2247-87e2-a77d-21ae9524fa50&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ
Request Method:GET
Status Code:302
Remote Address:[::1]:44300
Referrer Policy:no-referrer-when-downgrade

Response:
cache-control:no-cache
content-length:0
date:Thu, 13 Apr 2017 11:01:59 GMT
expires:-1
location:/signup-connect
pragma:no-cache
server:Microsoft-IIS/10.0
set-cookie:.AspNet.Correlation.Microsoft=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
status:302
x-powered-by:ASP.NET
x-sourcefiles:=?UTF-8?B?ZDpcUHJvamVjdHNcUG9ydGFsRW5naW5lXFNvdXJjZVxQb3J0YWxFbmdpbmUuV2ViXHNpZ25pbi1taWNyb3NvZnQ=?=

solankisamir commented on June 7, 2024

We recently upgraded the MSA nuget to v3.1. For a few of the older apps, the sign-in flow is broken. New apps created using apps.dev.microsoft.com are working. Here are the request and response logs from the broken app.


luronumen commented on June 7, 2024

I am facing the same issue in my ASP.NET MVC projects after updating the Microsoft.Owin.x nuget packages from v3.0.1 to v3.1.0.

I have opened this question on the ASP.NET forum, but there is no fix or solution so far:
ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0

psillar commented on June 7, 2024

I am also facing this issue. I can't get the MS account auth to work even with no scopes. Whenever the client returns to the /signin-microsoft endpoint it redirects and returns the access_denied error. I've taken a look at the Katana.trace.log and see the following:

Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.d__4.MoveNext()
ProcessId=13864
DateTime=2017-06-16T06:00:23.0808494Z

That doesn't make sense - I cannot see any 400 errors (looking at fiddler all I see is 200s then 302s - in fact I can even see a 302 with /signin-microsoft?code=blah-blah so it looks like it should work!) until it redirects back to my GetExternalLogin page - then it's just the unhelpful access_denied error.

Is there any way I can see more of what's happening under the hood to find out the actual error? Or does anyone have any suggestions as to how to make this work? Thanks!

Tratcher commented on June 7, 2024

The 400 is happening on the backchannel. The server/middleware sends requests to Microsoft to exchange the code and to get user information. To capture that traffic you can use a network level tracer like Message Analyzer https://www.microsoft.com/en-us/download/details.aspx?id=44226.

ElisaDuma commented on June 7, 2024

Hello

I have the same issue described in this topic. I used the workaround for retrieving the email using "userPrincipalName" and it works. Still, I encounter another problem when a Gmail account is linked to the Microsoft account (the Gmail account is created first). In the previous version (3.0.1) the provider was Google and now the provider is Microsoft (claims.Current.OriginalIssuer). The username (urn:microsoftaccount:name) is not filled in this case, though the first name and last name are set in the Microsoft account:

2017-06-20T06:37:53 PID[9784] Information http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier c8XXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
2017-06-20T06:37:53 PID[9784] Information urn:microsoftaccount:id c8XXXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information urn:microsoftaccount:name
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:@odata.context https://graph.microsoft.com/v1.0/$metadata#users/$entity
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:givenName
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:surname
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:id c8XXXXXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:userPrincipalName [email protected]

Is there

psillar commented on June 7, 2024

This should be easy to work around by directly extracting "userPrincipalName" from the JObject User on the context.

Could someone please clarify where I should be extracting the userPrincipalName? I'm currently doing it in the overridden Authenticated method of the custom Provider in my MicrosoftAccountAuthenticationOptions but that code doesn't get hit before I get an error...

ShenglinGuo commented on June 7, 2024

I do not know if the following is the correct way of doing it, but it works for us. We just wanted the email address.

var ms = new MicrosoftAccountAuthenticationOptions
{
    AuthenticationType = "Microsoft",
    SignInAsAuthenticationType = signInAsType,
    ClientId = MSID,
    ClientSecret = MSSecrete,
    Provider = new MicrosoftAccountAuthenticationProvider
    {
        OnAuthenticated = (context) =>
        {
            //#48
            var email = context.User["userPrincipalName"];
            if (email != null)
            {
                context.Identity.AddClaim(new Claim("email", email.ToString()));
            }
            return Task.FromResult(0);
        }
    }
};
app.UseMicrosoftAccountAuthentication(ms);

psillar commented on June 7, 2024

Thanks @ShenglinGuo
I've just attempted to do it that way but, unfortunately, the OnAuthenticated code is never hit :(
I'll have to see if I can see any errors in the backchannel using Message Analyzer - that thing is confusing!

psillar commented on June 7, 2024

Turns out I had missed that the API has been updated (and v3.1 must use that updated version). Once I signed up for a new app account (https://apps.dev.microsoft.com) then it worked for me, with the workaround (haven't tried without).
It would be nice if it gave a more helpful error message. I spent days troubleshooting it and trying different approaches. It seems odd that it all works right up until the last step (i.e. you can get to the MS page and login without any kind of indication that you're using a v1 app on the v2 connection) - I think that was why it took me so long to realise. It really should produce an error earlier. Also would be nice if there was more documentation or some kind of notice letting users know that v3.1 uses the new API.

YovavGad commented on June 7, 2024

@psillar it may work for you if you're not trying to extract email information, that part doesn't work.

psillar commented on June 7, 2024

Oh, with the workaround it works for me - I get the email information that way or am I missing something?

YovavGad commented on June 7, 2024

Hi @psillar, I just tried it but it's not working for me, just to be sure, can you go to your bin folder and locate Microsoft.Owin.dll then right click it --> properties --> details --> file version - do you have 3.1.60405.82 ?

psillar commented on June 7, 2024

Hi @YovavGad, yes that's the version I'm using. I do the email capture a bit differently, however:

var email = context.User["userPrincipalName"];
if (email != null)
    context.Identity.AddClaim(new Claim(ClaimTypes.Email, email.ToString()));

YovavGad commented on June 7, 2024

This is what I was trying but my email comes out empty...

psillar commented on June 7, 2024

Ok, when I created the app credentials in apps.dev.microsoft.com I selected the 'email' Delegated Permission under Microsoft Graph Permissions. I'm not sure if that makes a difference?

jamesbascle commented on June 7, 2024

So, what's the deal with this? I'm having some trouble making this work at the moment - my request is being sent back to path /#error=access_denied.

This seems to happen after the execution of the OAuthAuthorizationServerProvider library where I call context.Validated(), but before it ever hits my WebApi code. I tried the OnAuthorized function as suggested by psillar and ShenglinGuo, but it doesn't seem to ever get called.

EDIT: Problem ended up being, ultimately, that I had to request User.Read, openid, email, and pull the email from that userPrincipalName, like psillar and ShenglinGuo suggested. Took downloading, compiling, and debugging into source to work that one out, but confirmed working on my app using the 3.1 version of the code/Nuget.

Tratcher commented on June 7, 2024

#89

luronumen commented on June 7, 2024

Hi @Tratcher

This issue is still reproducible after updating the Microsoft.Owin.Security.MicrosoftAccount package of my Visual Studio project to v4.0.0-alpha1.

Do you think that we should open another issue for tracking it?

Here are more details about this issue:
ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0

Thanks in advance,
Luciano

luronumen commented on June 7, 2024

I have opened the new issue #112 for tracking it.

lukeeey commented on June 7, 2024

What is the uaid?
