Comments (30)
The next planned release is a 4.0 preview, I'll get this fixed by then.
from aspnetkatana.
Do you think it will be possible to ship this fix as an update for v3.1?
from aspnetkatana.
There is no update currently scheduled for v3.1 to include this in.
from aspnetkatana.
Facing same issue here 😞
from aspnetkatana.
@kichalla does this look like what you just tested?
Have you enabled logging to see what the error was? I'd be curious to see what the cookie headers looked like for the ufotoday.com requests and responses.
from aspnetkatana.
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:58:25.5599057Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:58:58.2207908Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:59:32.3959578Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:05:24.8723277Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:05:53.8060717Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:27:53.2208334Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:28:13.0852896Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:28:17.6501093Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:29:27.0164844Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:29:27.7532943Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:29:48.4572860Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:30:14.4257449Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainUserProfile
ProcessId=6156
DateTime=2017-04-08T06:30:14.5240712Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:31:03.3935372Z
from aspnetkatana.
@kichalla does this look like what you just tested?
I verified it again now and it works for me. However, I verified it with the OOB MVC template and haven't done any customization.
from aspnetkatana.
@kichalla are you using a recent Microsoft account?
I wasn't able to find my old apps and had to create a new one with the details above.
Can you tell me if you're using the same settings?
Platforms: Web
Allow Implicit Flow: YES
Redirect URIs:
https://localhost:44300/signin-microsoft
https://ufotoday.com/signin-microsoft
Microsoft Graph Permissions: User.Read
Application Permissions: Profile
from aspnetkatana.
As a baseline, the MSA provider works if I only specify the ClientId and ClientSecret, no scopes required. My app does not have any Permissions specified either.
I see one small bug here with the e-mail: it first checks for the "mail" entry, which is present but null, so it returns string.Empty. Then it checks if that value was null, which does not match string.Empty, so it does not proceed to get the real e-mail value from "userPrincipalName". This should be easy to work around by directly extracting "userPrincipalName" from the JObject User on the context.
var email = context.User["userPrincipalName"];
if (email != null) context.Identity.AddClaim(new Claim("urn:microsoft:email", email.ToString()));
Adding Microsoft Graph Permissions: User.Read doesn't seem to change anything. Profile does not appear to be an available Application Permission; Profile is the heading of the next config section.
Requesting scope "openid" breaks it because it does not get back an access_token, only an id_token. If you want to use this flow you'll need to use OpenIdConnect instead.
If I just specify the email or profile scopes then the login portal rejects them as invalid.
Summary: You don't need scopes, and there's a small bug we need to address with reading the e-mail.
from aspnetkatana.
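The two checks Tratcher describes, reconstructed as an added example against Newtonsoft.Json (this is not the Katana source or any commenter's code): a "mail" property that is present but JSON null survives the key lookup and stringifies to an empty string, so a null-coalescing fallback to "userPrincipalName" never runs, whereas a lookup that treats null and empty alike does fall through. The TryGetValue helper and the sample user JSON are assumptions constructed for the demonstration.

```csharp
using System;
using Newtonsoft.Json.Linq;

public static class EmailClaimLookup
{
    // Constructed sample of the user payload shape discussed in the thread:
    // "mail" is present but JSON null, "userPrincipalName" carries the address.
    public const string SampleUserJson =
        "{ \"mail\": null, \"userPrincipalName\": \"someone@example.com\" }";

    // Hypothetical helper mirroring the lookup pattern described above:
    // null only when the key is absent, otherwise ToString() of the token.
    // For a JValue holding JSON null, ToString() returns string.Empty.
    static string TryGetValue(JObject user, string propertyName)
    {
        JToken value;
        return user.TryGetValue(propertyName, out value) ? value.ToString() : null;
    }

    // The faulty logic as described in the comment: the "mail" lookup yields
    // string.Empty rather than null, so ?? never reaches userPrincipalName.
    public static string BuggyEmail(JObject user)
    {
        return TryGetValue(user, "mail") ?? TryGetValue(user, "userPrincipalName");
    }

    // Corrected lookup: a missing key, a JSON null and an empty string all fall
    // through to userPrincipalName; Value<string>() maps JSON null to C# null.
    public static string Email(JObject user)
    {
        var mail = user.Value<string>("mail");
        if (!string.IsNullOrEmpty(mail))
            return mail;
        return user.Value<string>("userPrincipalName");
    }

    public static void Main()
    {
        var user = JObject.Parse(SampleUserJson);
        Console.WriteLine("buggy lookup: '" + BuggyEmail(user) + "'");
        Console.WriteLine("fixed lookup: '" + Email(user) + "'");
    }
}
```

The same null-versus-empty distinction is the reason the workaround in the later comments tests context.User["userPrincipalName"] for null before adding the claim.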
Thanks @Tratcher, it works like you said, when not specifying scopes, but without the email.
Is it scheduled to be fixed on v4 only or before that?
These are my requests, just in case they can help to resolve the bug:
Request URL:https://login.live.com/oauth20_authorize.srf?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A44300%2Fsignin-microsoft&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ&login_hint=yovavgad%40gmail.com&ui_locales=en-US&display=page&uaid=67551f66c693422ebdb158c961e9264f&issuer=mso&tenant=common&msproxy=1
Request Method:GET
Status Code:302 Found
Remote Address:131.253.61.96:443
Referrer Policy:no-referrer-when-downgrade
Response:
Cache-Control:no-cache
Connection:close
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Thu, 13 Apr 2017 11:01:59 GMT
Expires:Thu, 13 Apr 2017 11:01:00 GMT
Location:https://localhost:44300/signin-microsoft?code=M3bd1b08f-2247-87e2-a77d-21ae9524fa50&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ
P3P:CP="DSP CUR OTPi IND OTRi ONL FIN"
Pragma:no-cache
Server:Microsoft-IIS/8.5
Set-Cookie:uaid=67551f66c693422ebdb158c961e9264f; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:MSPShared= ; HTTPOnly= ; domain=login.live.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT
Set-Cookie:MSPCID=8c97e218c7fbd7f6; HTTPOnly= ; domain=login.live.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT;secure=
Set-Cookie:WLOpt=credtype=1&act=[1];domain=login.live.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT;secure=
Set-Cookie:SDIDC=CV5yF6wWxfqzfEa02F0JghrZfWIv24oyZDtBsxw3VJQw0sfI6M0q0GiQ7VaaLa!vgNCGdUXcwb61pdkU5kdAx83G9AocbFa9n1hYpMr2yCFV5RaQUAs01pPQCfNCUPHjNP5YU!bcspAmk!C0YMws$; expires=Wed, 30-Dec-2037 16:00:00 GMT;domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:PPAuth=CQEtjacVlSWzhNSwkLg97D3RvMSEAqAET0dUMwaMunpGQJZg5jz0xeXOjDAOw7Us9HfvhXte1RpOORlq5M74GloFBdM2k1NYwfLueF3JXkXteL5MJlvz9wK0U9sdfXS9mcvrfaD4Gj2BdyNGaj2iN0H!3EupIZnEfdOkpsUorKnruANhbexaxygaQfEdvwBFaBbgB4suejqcf9Ol8Pn1FexICcBaynNcX7fVvkH5xlMZL26Yg3ug4KAbyZ9VVCt0PuEE6N2pxOKq2DS2AXj4vEFoKGljtO!Ilrk!d2dPHanWBlD2C7UmgLuu!cMNQ$$; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:MSPRequ=lt=1492081320&co=2&id=N; secure= ;path=/;HTTPOnly=;version=1
Set-Cookie:PPLState=1; domain=.live.com;path=/;version=1
Strict-Transport-Security:max-age=31536000
X-Content-Type-Options:nosniff
X-XSS-Protection:1; mode=block
Request URL:https://localhost:44300/signin-microsoft?code=M3bd1b08f-2247-87e2-a77d-21ae9524fa50&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ
Request Method:GET
Status Code:302
Remote Address:[::1]:44300
Referrer Policy:no-referrer-when-downgrade
Response:
cache-control:no-cache
content-length:0
date:Thu, 13 Apr 2017 11:01:59 GMT
expires:-1
location:/signup-connect
pragma:no-cache
server:Microsoft-IIS/10.0
set-cookie:.AspNet.Correlation.Microsoft=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
set-cookie:.AspNet.ExternalCookie=XJl6jmIuW1xUhg8bcCpWohAv_BuCuPf4yXSvyo0YrXINkHXGB2Tf654etijqcyj5VtGnnC9b530ePZ3n4YU0jwSy3FCCGAaM-oy5Fwctw1djurbSNFY7w-I062fQRsw0Mm-8UeHWQiUznw5eMVhr-zzmtlP4EG-flxSzaJUVgDOE1iOCPWjQEPCOQoARUIVD4ND3DciJvKWys2rd5k8h-kgNV41HOHTEvoKXllvYyhCH0lyLKlmJ5yYHHepOmaywbq9ZxTMQDPVVnlustwvP7ryOrR0LgwI17sWq_-Bhq8eh18mRd7pGGfEV43dQPkSyOEp9TVdwOMmFlNilwXvRcc0dTQnbeb6OeDsgoB_Gl13IhuaJlw0Yu36am962wOuISH2WnwrO6NPbcusdHSQ59GyNruNBHqgnRZnZvOlsLnhp7S4xwtX3mYvDjeIbO2yrM8ZKWw90UvtFAv_wDyiBJdzKYj9bOjn4k7uEvo4k4M7n6OptwloOXHKIhSz4y63qNpgUGTsMou0piI1x7Q-BLHHU22ULNB-VjogjVii1B6Tov1ONnXQBt2NSJzshilOYfK-T-Jw8l4lq2C6Ngil3CAobqa0MhdOHx89oJl9qlld0rn3vAX2Yk3EOYNmcvtM1Cvp8xDvo2tTbj0C2--yplFR_6qWm9npQkQFy7dsvk-Jm-waOsl3lt7tAuTrURegvYS9zCUZBueLIGQRCyXSjsrw46U-fInu9wp0J62PDDdyccwJm9j2jui92vrs0g_qoQNuYm-cVjjnsxbfN5wpQ6l-YXBe0maWBeOXICIsFep51J2_g0yP9Vh9mIEojIZWBU6oNIR-2X19md0QJ6jnzc997rZnHRNVmiavwq-IQTSjLA8KEqpK1sdKpiz4sSzceSPaFgLqoNvi7vAQNKVJM4f_DpOMUOp7y2iACnW5mpOyI0SPR_bkh-jE2bSqg9WDRwwgfIsumC95rhh2U6Lw5f_vAQRP7XRtAmptloT9pQtp9yTwhNnfAtvH07SkRcPmIIVREMcOkkwwiFUgxqjAugbUXy1gySyg5WPQeWUQiA5okmCl-oOBa9Dt7u7wP_6NEA5Nx_-rmKOxkvRsC2njMvUIk4wgvtoHGJrQK_ikYU-urnlMWfCurp36GjL-aR8RgT-I_I-HY_nHSuEROIZCn8Oex7TQaYO017XlWnGLlZ6Uzxl1kVNrbWesQXY8o5sOp7F5XZ9OIB-PxrrJLeMtOP6bq4ewVPbU3tLBARiQt2awM-IZgd05BxKCuoO2azW2RhAfthmcTUEYMTI4nzSRZp2fX6DbjXjiXGeDr-fj_61JEfcXUa9eiHLZmpFJAXd5RGJ0jWCgwiYJ1hm9ef8A_s2I5e0---bWgTtgZVPExiO4IN6X91g_H1M8bF9pQYt-XoIMDF7hteVOyuyekO0r0xvs76knZaIPMJSuzCi90KhDuRfLcehWGXzpSBm7m145zeL-ZjxbUK2gV8yGfWnf5wEd9IGUdfusBeu7NPTX9vOzLwVCshARgzUJR-TlSKlK0zRVi7PJNG6iukozW6sVTV8PrknKXfdk1c7EWBP0SXvrza1UXmXR2jEzPSZYj1lECtefAldmqoGMtbgySvFFiIcDtEa0sieV7HDSotLtgSkAjcXFb4I_54Bhb8gNV70fO7xVaVlg0qbCGbZPKXLcPBoafBEf_wmBERAAnnMuNxLGzp5qXUI243Hq0JCm_NDnKPLyMvV1fumEKbWQc3puACWy6ErgP203mW15o3PGxOipkG4nlgfEWLe6HwPcaxfCevcM9U_x5bhU4BYzCU5ANLUgzyN9KfmsmxSey75-DBYiqf2hDAWzvtpMBlMFSSA9OWDfFt-8jdlLNUZKfU1w-fkFRDFxRs9M_K9eoStUjUq1PmPCJCw99KxdWqkxDF2ajciEc0HJTVu6Ai2gvmfFqbw; path=/; secure; 
HttpOnly
status:302
x-powered-by:ASP.NET
x-sourcefiles:=?UTF-8?B?ZDpcUHJvamVjdHNcUG9ydGFsRW5naW5lXFNvdXJjZVxQb3J0YWxFbmdpbmUuV2ViXHNpZ25pbi1taWNyb3NvZnQ=?=
from aspnetkatana.
We recently upgraded the MSA nuget to v3.1. For a few of the older apps the sign-in flow is broken. New apps created using apps.dev.microsoft.com are working. Here are the request and response logs from the broken app.
from aspnetkatana.
I am facing the same issue in my ASP.NET MVC projects after updating the Microsoft.Owin.x nuget packages from v3.0.1 to v3.1.0.
I have opened this question on the ASP.NET forum but there is no fix so far:
ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0
from aspnetkatana.
I am also facing this issue. I can't get the MS account auth to work even with no scopes. Whenever the client returns to the /signin-microsoft endpoint it redirects and returns the access_denied error. I've taken a look at the Katana.trace.log and see the following:
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.d__4.MoveNext()
ProcessId=13864
DateTime=2017-06-16T06:00:23.0808494Z
That doesn't make sense - I cannot see any 400 errors (looking at fiddler all I see is 200s then 302s - in fact I can even see a 302 with /signin-microsoft?code=blah-blah so it looks like it should work!) until it redirects back to my GetExternalLogin page - then it's just the unhelpful access_denied error.
Is there any way I can see more of what's happening under the hood to find out the actual error? Or does anyone have any suggestions as to how to make this work? Thanks!
from aspnetkatana.
The 400 is happening on the backchannel. The server/middleware sends requests to microsoft to exchange the code and to get user information. To capture that traffic you can use a network level tracer like Message Analyzer https://www.microsoft.com/en-us/download/details.aspx?id=44226.
from aspnetkatana.
Hello,
I have the same issue described in this topic. I used the workaround for email retrieval using "userPrincipalName" and it works. Still, I encounter other problems when having a gmail account which is linked to the Microsoft account (first gmail account is created). In the previous version (3.0.1) the provider was Google and now the provider is Microsoft (claims.Current.OriginalIssuer). The username (urn:microsoftaccount:name) in this case is not filled, though the firstname and lastname are set in the Microsoft account:
2017-06-20T06:37:53 PID[9784] Information http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier c8XXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
2017-06-20T06:37:53 PID[9784] Information urn:microsoftaccount:id c8XXXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information urn:microsoftaccount:name
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:@odata.context https://graph.microsoft.com/v1.0/$metadata#users/$entity
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:givenName
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:surname
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:id c8XXXXXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:userPrincipalName [email protected]
Is there
from aspnetkatana.
This should be easy to work around by directly extracting "userPrincipalName" from the JObject User on the context.
Could someone please clarify where I should be extracting the userPrincipalName? I'm currently doing it in the overridden Authenticated method of the custom Provider in my MicrosoftAccountAuthenticationOptions but that code doesn't get hit before I get an error...
from aspnetkatana.
I do not know if the following is the correct way of doing it, but it works for us. We just wanted the email address.
var ms = new MicrosoftAccountAuthenticationOptions
{
    AuthenticationType = "Microsoft",
    SignInAsAuthenticationType = signInAsType,
    ClientId = MSID,
    ClientSecret = MSSecrete,
    Provider = new MicrosoftAccountAuthenticationProvider
    {
        OnAuthenticated = (context) =>
        {
            //#48
            var email = context.User["userPrincipalName"];
            if (email != null)
            {
                context.Identity.AddClaim(new Claim("email", email.ToString()));
            }
            return Task.FromResult(0);
        }
    }
};
app.UseMicrosoftAccountAuthentication(ms);
from aspnetkatana.
Thanks @ShenglinGuo
I've just attempted to do it that way but, unfortunately, the OnAuthenticated code is never hit :(
I'll have to see if I can see any errors in the backchannel using Message Analyzer - that thing is confusing!
from aspnetkatana.
Turns out I had missed that the API has been updated (and v3.1 must use that updated version). Once I signed up for a new app account (https://apps.dev.microsoft.com) then it worked for me, with the workaround (haven't tried without).
It would be nice if it gave a more helpful error message. I spent days troubleshooting it and trying different approaches. It seems odd that it all works right up until the last step (i.e. you can get to the MS page and login without any kind of indication that you're using a v1 app on the v2 connection) - I think that was why it took me so long to realise. It really should produce an error earlier. Also would be nice if there was more documentation or some kind of notice letting users know that v3.1 uses the new API.
from aspnetkatana.
@psillar it may work for you if you're not trying to extract email information, that part doesn't work.
from aspnetkatana.
Oh, with the workaround it works for me - I get the email information that way or am I missing something?
from aspnetkatana.
Hi @psillar, I just tried it but it's not working for me, just to be sure, can you go to your bin folder and locate Microsoft.Owin.dll then right click it --> properties --> details --> file version - do you have 3.1.60405.82 ?
from aspnetkatana.
Hi @YovavGad, yes that's the version I'm using. I do the email capture a bit differently, however:
var email = context.User["userPrincipalName"];
if (email != null)
context.Identity.AddClaim(new Claim(ClaimTypes.Email, email.ToString()));
from aspnetkatana.
This is what I was trying but my email comes out empty...
from aspnetkatana.
Ok, when I created the app credentials in apps.dev.microsoft.com I selected the 'email' Delegated Permission under Microsoft Graph Permissions. I'm not sure if that makes a difference?
from aspnetkatana.
So, what's the deal with this? I'm having some trouble making this work at the moment - my request is being sent back to path /#error=access_denied.
This seems to happen after the execution of the OAuthAuthorizationServerProvider library where I call context.Validated(), but before it ever hits my WebApi code. I tried the OnAuthorized function as suggested by psillar and ShenglinGuo, but it doesn't seem to ever get called.
EDIT: Problem ended up being, ultimately, that I had to request User.Read, openid, email, and pull the email from that userPrincipalName, like psillar and ShenglinGuo suggested. Took downloading, compiling, and debugging into source to work that one out, but confirmed working on my app using the 3.1 version of the code/Nuget.
from aspnetkatana.
Hi @Tratcher
This issue is still reproducible after updating the Microsoft.Owin.Security.MicrosoftAccount package of my Visual Studio project to v4.0.0-alpha1.
Do you think that we should open other issue for tracking it?
Here are more details about this issue:
ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0
Thanks in advance,
Luciano
from aspnetkatana.
I have opened the new issue #112 for tracking it.
from aspnetkatana.
What is the uaid?
from aspnetkatana.