An ASP.NET Core Web App which lets sign-in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and call Web APIs (including Microsoft Graph)
License: MIT License
[x] documentation issue or request
N/A
N/A
N/A
Windows 10
Latest
The documentation of this sample is point. The middleware is triggered when you launch the application for this sample. It would be good to see an implementation of how to trigger the middleware on the press of a button similarly to this link (https://docs.microsoft.com/en-us/azure/active-directory/develop/guidedsetups/active-directory-aspnetwebapp-v1) but for .net core. Thanks
Sample, in a Razor project, to login to Azure B2C with asp.net core 2.1 and latest identity client to read the token.
Windows 10
The link below is defined.
https://localhost:44321/signin-oidc
However, HomeController doesn't define this method, and the url returns error when visited.
Questions
1 In code, how does it get redirected to https://login.microsoftonline.com/ when the url below is visited?
https://localhost:44321
2 The url below is not working as mentioned above, how is it possible for it to display content?
https://localhost:44321/signin-oidc
Is it possible to authenticate using Resource Owner Password grant type with AD?
If so, can anyone provide links or info?
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
Repro steps
I'm following along in the 1-1-MyOrg project.
When I deploy to dev.azure.com the Build solution ***.sln step fails with
Error MSB3202: The project file "D:\a\1\s\aspnetcoretutorial\webapp\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" was not found.
My solution contains the two projects Microsoft.Identity.Web which is referenced by the WebApp-OpenIDConnect-DotNet project.
Here is the sln file:
Microsoft Visual Studio Solution File, Format Version 12.00
VisualStudioVersion = 16.0.29020.237
MinimumVisualStudioVersion = 10.0.40219.1
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WebApp-OpenIDConnect-DotNet", "aspnetcoretutorial\webapp\1-WebApp-OIDC\1-1-MyOrg\WebApp-OpenIDConnect-DotNet.csproj", "{016D21EC-DDAA-4C32-8C48-5BA3A6155D84}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web", "aspnetcoretutorial\webapp\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj", "{7427E143-B78C-4E4C-B94F-D78B12FD0598}"
EndProject
...
Here is the azure-pipelines.yml:
trigger:
pool:
vmImage: 'Ubuntu-16.04'
variables:
buildConfiguration: 'Release'
steps:
And finally here is the Visual Stuido build step:
#Your build pipeline references an undefined variable named ‘Parameters.solution’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab. See https://go.microsoft.com/fwlink/?linkid=865972
#Your build pipeline references the ‘BuildPlatform’ variable, which you’ve selected to be settable at queue time. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it settable at queue time. See https://go.microsoft.com/fwlink/?linkid=865971
#Your build pipeline references the ‘BuildConfiguration’ variable, which you’ve selected to be settable at queue time. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it settable at queue time. See https://go.microsoft.com/fwlink/?linkid=865971
steps:
x)- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
When trying to authenticate via an app that is not multitenant, and which in my case restricts the users that can sign in to only one tenant (which I specified already as TenantId in the appsettings.json) an MsalException is thrown.
AADSTS50194: Application '[GUID]' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
Trace ID: 4a7a6b33-61b6-45fa-a3db-eb7cc3660f00
Correlation ID: d5b01030-e720-4331-ad42-45602ca6a74c
Timestamp: 2018-12-08 12:53:39Z
This should work without any hickups since the appsettings.json file was configured correctly and the code seems to be correct.
Windows 10
Branch aspnetcore2-2-signInAndCallGraph
Looking closer into the code, it seems that the ConfidentialClientApplication instance created in TokenAcquisition.cs line 117 does not take into account the possibility that the Authority parameter might be different than the [common] value. If taken into consideration (using appsettings.json Instance+TenantId value) the error will not appear.
Please provide us with the following information:
x)- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
It appears that token caches are never cleared entirely. I have marked this issue as related to 2-1-Call-MSGraph, but the issue is really with the token caches in general (2-1 is just the first using a cache) or perhaps TokenAcquisition.
In TokenAcquisition.RemoveAccount, we invoke
this.UserTokenCacheProvider?.Clear(account.HomeAccountId.Identifier);
await app.RemoveAsync(account);
However, app.RemoveAsync results in UserTokenCacheAfterAccessNotification being invoked with correct AccountId but an almost empty token cache, resulting in the token cache being persisted again with a useless token!?
Repro steps
Simply run 2-1 with breakpoint in Clear and UserTokenCacheAfterAccessNotification, and then log out.
Expected behavior
Tokens are deleted on logout
Actual behavior
(nearly) Empty token remains
Possible Solution
I believe the two method should be invoked in reverse order, or we need some way to identify these "empty" tokens in the cache providers, so that we can avoid persisting them.
x)- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
There is an infinite loop
you can see the information about the signed-in user
Chrome
When calling the controller, the cache is empty. This is because the cache is keyed by the MSAL.id, and the computation of the MSAL.id is not right in the case of a guest user (tid and iod are the guest ones, not the home tenant information).
I have a question related to the cacheprovider implementations and scopes.
The sample library includes a number of XXXTokenCacheProvider implementations, e.g., MSALAppSqlTokenCacheProvider. None of these consider scopes when defining a cache key, and I have been wondering if that is the intended "MSAL-way" of doing it.
Consider this case:
I would like for my Web App to access two different APIs using the on-behalf-of flow.
To this end, I acquire an access token for the first API using scope "A" via ITokenAcquisition.GetAccessTokenOnBehalfOfUser, caching it in the process. Then, I acquire an access token for the second API using scope "B", again using ITokenAcquisition.GetAccessTokenOnBehalfOfUser but with the new scope. This results in a cache-hit returning the old token for scope "A" ... which I expect would result in an error if sent to the second API.
I realize that we pass the scope along when invoking GetAccessTokenOnBehalfOfUser , which means it would be possible to compare scopes in the request and the cached token, and get a new token in case the existing token lack some of them. However, I cannot find such a comparison anywhere in Microsoft.Identity.Web nor in Microsoft.Identity.Client.
The question then is this: How is the situation above resolved, such that the second token contains the second scope? It will accept "somewhere in Microsoft.Identity.Client" as an answer :)
I also realize that I could request both scopes initially, but the use case detailed above should be supported, right?
Hello,
We are getting this error ": No account or login hint was passed to the AcquireTokenSilent call
when calling var users = await graphClient.Users.Request().GetAsync();
Error Details :
at Microsoft.Identity.Client.AcquireTokenSilentParameterBuilder.Validate()
at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder1.ValidateAndCalculateApiId() at Microsoft.Identity.Client.AbstractClientAppBaseAcquireTokenParameterBuilder1.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder1.ExecuteAsync() at Microsoft.Identity.Web.Client.TokenAcquisition.GetAccessTokenOnBehalfOfUser(IConfidentialClientApplication application, String accountIdentifier, IEnumerable1 scopes, String loginHint, String tenant) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\Microsoft.Identity.Web\Client\TokenAcquisition.cs:line 372
at Microsoft.Identity.Web.Client.TokenAcquisition.GetAccessTokenOnBehalfOfUser(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable1 scopes, String tenant) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\Microsoft.Identity.Web\Client\TokenAcquisition.cs:line 342 at Microsoft.Identity.Web.Client.TokenAcquisition.GetAccessTokenOnBehalfOfUser(HttpContext context, IEnumerable1 scopes, String tenant) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\Microsoft.Identity.Web\Client\TokenAcquisition.cs:line 180
at WebApp_OpenIDConnect_DotNet.Controllers.HomeController.<>c__DisplayClass5_0.<b__0>d.MoveNext() in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\5-WebApp-AuthZ\5-1-Roles\Controllers\HomeController.cs:line 63
--- End of stack trace from previous location where exception was thrown ---
at WebApp_OpenIDConnect_DotNet.Services.CustomAuthenticationProvider.AuthenticateRequestAsync(HttpRequestMessage request) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\5-WebApp-AuthZ\5-1-Roles\Services\GraphServiceClientFactory.cs:line 30
at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
Repro steps
Expected behavior
Actual behavior
Possible Solution
Additional context/ Error codes / Screenshots
Add any other context about the problem here, such as logs.
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
of ASP.NET Core, of MSAL.NET
Thanks! We'll be in touch soon.
Customers can be confused on how to debug web apps. Here we want to go through:
To help debugging the Web App and Web API you could enable:
See also
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/PII
// Since IdentityModel version 5.2.1 (or since Microsoft.AspNetCore.Authentication.JwtBearer version 2.2.0),
// PII hiding in log files is enabled by default for GDPR concerns.
// For debugging/development purposes, one can enable additional detail in exceptions by setting IdentityModelEventSource.ShowPII to true.
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
```
2. put breakpoints in the `JwtODICMiddlewareDiagnostics` class (or the `OJWTMiddlewareDiagnostics` class in the Web API)
```CSharp
// If you want to debug, or just understand the JwtBearer events, uncomment the following line of code
options.Events = JwtBearerMiddlewareDiagnostics.Subscribe(options.Events);
```
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Any
Any
For me it is absolutely unclear how to implement APIs right now. Right know I would say the documentation is a big pain for me.
Our scenario is an internal single page application. This SPA communicates with different internal ASP.NET Core APIs.
So we only have internal users and we only have internal applications. We dont need any challenge to ask the user for consent.
We already spent over two weeks in the documentation and in samples. We found a lot of obsolete stuff in the docs, referenced to archived GitHub repos and samples with obsolete NuGet Packages.
At the end my question is still: what is the correct configuration of an internal API-based system, without consent? :-)
We dont want so show 17 consents because we have 17 applications to internal users.
I also tried to migrate this sample into a API.
But I always run into the event OnRedirectToIdentityProvider, but I dont know why.
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
run multiorg dotnet CLI command to generate project.
Creates wrong appsettings.json
Should use multiorg.
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
N/A
Line #50 of ReadMe file
Thanks! We'll be in touch soon.
x)- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [x] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
Add security groups claim to an app registration
"groupMembershipClaims": "SecurityGroup"
Login with a user with many groups (in my case 120 including nested groups)
(Cookie 6 chunks #toomany)
Connection is not secure after logging in and being redirect to the site.
When the groups claims are to large for the header they should be removed.
I don't know if this should be done in AzureAD or in the Microsoft.Idenitity.Client or Microsoft.Identity.Web.
In previous situations there was a claim with the value getMemberObjects when the user had too many groups. In this situation you should get the groups trough the Graph API.
Windows 10 & Azure Web App
x)- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Following steps in
https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
Download active-directory-dotnet-webapp-openidconnect-aspnetcore
Change Domain,TenantId & ClientId in appsettings.json
Run application = Works
Download active-directory-aspnetcore-webapp-openidconnect-v2-aspnetcore2-2
Change Domain,TenantId & ClientId in appsettings.json
Run application = Fails
Sign in
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '9999999-9999-9999-9999-999999999999'.
In https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/aspnetcore2-2/README.md, there is an aside to
(see the
AccountController.csfile)
This file does not exist on this branch.
The instructions provided in the landing page do not match the current UI for the Azure Portal. For example, step 5:
In the list of pages for the app, select Authentication.
In the Redirect URIs, add a redirect URL of type Web and valued https://localhost:44321/signin-oidc
In the Advanced settings section set Logout URL to https://localhost:44321/signout-oidc
In the Advanced settings | Implicit grant section, check ID tokens as this sample requires the Implicit grant flow to be enabled to sign-in the user.
There is a Redirect URI section, I think, but it's called Reply URLs, and the interface does not match the description there, either.
This ongoing disconnect between the state of the released Azure Portal and virtually all of GitHub and Microsoft documentation is both annoying and disturbing. Annoying because it makes the learning curve much steeper than it should be, and disturbing because it smacks of an approach to software development that has abandoned even a reasonable degree of quality control. Frankly, the level of disconnect in evidence is far higher than almost any other open source code base I deal with...and I had sort of hoped that Microsoft, and Microsoft-led projects, would demonstrate a commitment in these areas higher than the norm, not below it.
How about showing us how you created the Visual Studio Solution itself or am I missing something? What the community really needs is an example that demonstrates how to create an Web Application in Visual studio and get it to authenticate with oAuth, then finally adding RBAC to that sample application as well. Downloading an already created Web Application = "magic " in order to make this stuff work
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
two questions:
Where is the "AccountController" with Area "AzureAd" and "SignOut"; how do we change the logout path?
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
Thanks! We'll be in touch soon.
if(issuerValidators.ContainsKey(aadAuthority))
Will always be false because aadAuthority is the full Uri path and not just the host. Assuming the issuer should be unique based on the full Uri path the Key should contain the full Uri path when calling: issuerValidators.Add(authority, issuerValidator);
Account controller from Microsoft.AspNetCore.Authentication.AzureAD.UI is not routable in Razor Components Preview 3.
Steps to reproduce the behavior (this is not to setup a working app with AzureAD authentication):
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => configuration.Bind("AzureAd", options));
System.InvalidOperationException: 'Router' cannot find any component with a route for '/AzureAD/Account/SignIn', and no fallback is defined.
at Microsoft.AspNetCore.Components.Routing.Router.Refresh() ...
It should be possible to navigate to 'AzureAd/Account/SignIn' and 'AzureAd/Account/SignOut' from within Razor Components web application.
The sample was working correctly in Razor Components Preview 2 application.
The routing breaks after updating the sample to ASP.NET Core 3.0 Preview 3, especially replacing
app.UseRazorComponents<App.Startup>();
with
app.UseRouting(routes =>
{
routes.MapRazorPages();
routes.MapComponentHub<App>("app");
});
in Configure() method of Startup class.
It seems the new router only allows routes defined by Razor Components pages.
AccountController needs to be registered in the new routing pipeline.
x)- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
application.GetAccountAsync(accountIdentifier) returns null and as such a MsalException is thrown saying that the account cannot be null when calling AcquireTokenSilentAsync
Error thrown at line 281
should work as with nuget package Microsoft.Identity.Client 2.3.1-preview (in this one there is no exception)
Windows 10
Branch aspnetcore2-2-signInAndCallGraph with nuget package Microsoft.Identity.Client 2.5.0-preview
I am developing .net core 2.2 application. I would like to get the user's first name in the _LoginPartial.cshtml in RAZOR web app. I am able to get the user's surname and email but not the first name. Is there away to get this?
This is what i have in my login partial view:
Claim nameClaim = User.Claims.FirstOrDefault<Claim>(claim => string.Compare(claim.Type, "name", StringComparison.Ordinal) == 0);
string userName = (nameClaim != null) && !string.IsNullOrEmpty(nameClaim.Value) ? nameClaim.Value : ((User != null) && (User.Identity != null) ? User.Identity.Name : string.Empty);
Also i tried this:
@User.FindFirst(System.Security.Claims.ClaimTypes.GivenName).Value
The given name claim returns the email address the same as name and email properties!!
What would be the ideal way to get the first name by extending the identity model in asp.net?
Please provide us with the following information:
x)- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
I have this project working fine locally without any changes. However, I'm trying to host this application in an AKS cluster, and after logging in i'm getting an error. I've tried added any URLs i could think of to the redirect URL, but none are working.
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
Login and redirect to home page as is done locally
Windows 10 - Azure AKS
I was trying to use this to authenticate users into my application when hosted in AKS. Is there a better practice?
I'm not able to capture the request_url via network traffic. But it appears the base url is http and not https. I'm unable to add http urls to app reply urls
Thanks! We'll be in touch soon.
x)- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
Windows Server
ASP.NET Core 2.1.1
Hello, i'm here to seek help about a problem I Have with an 1-WebApp-OIDC/1-1-MyOrg derivated application. I try to execute it on a server behind a reverse proxy.
The reverse proxy listen HTTPS request but forward the request to the app as HTTP, so when the app try to call azure API it have http://example.com in request_uri parameter instead of https://example.com, so I have the error message "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application".
As you know, we can't set an HTTP domain in AzureAD reply URLs.
I tried to force https by writing request.scheme or editing Microsoft.Identity.Web/Client/TokenAcquisition.cs line 269 by forcing https; but neither works.
Did you have an idea how to fix this ?
Thanks
Is it possible to detect if an account is sovereign, and then redirect the URL/host to a node that is running in the same environment?
E.g. If my global server is "GlobalRelyingParty.com", and I have something deployed in "GermanyRelyingParty.com", then I would 302 redirect (or something) to that instance. Similar behavior would occur in the opposite direction for a global user who mistakenly uses the Germany(perhaps default) provider.
It seems to be similar to the discovery process used for LiveID -vs- AAD, where there is a background JSON lookup that occurs in the MSAL login flow
I followed the instructions on link below
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
Use Option 1 of Step 2
When I run the app locally, I can select my azure account to login, however, I got the error below after that:
The url: https://login.microsoftonline.com/common/reprocess?ctx=xxxxx ....
Need admin approval
ADPdaSsoWebApp
ADPdaSsoWebApp needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
Why do I need admin to grant access? Is there a way around?
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Windows 10 / Azure App Service (as of 11/12/2018)
.NET Core 2.1.403
aspnetcore2-2-signInAndCallGraph (as of 11/12/2018)
Decoding the cookie and printing it on the web browser console, it looks like the server is accidentally using the cookie as the store for the TokenCache. For example, when the second person logs in, and I decode their cookie, I find both users' latest tokens in the JSON graph in the cookie.
Furthermore, when this happens, and the cookies in the header are not too large, IIS seems to see that something is amiss and will not serve the page and not give an error. (Are the cookies being encrypted or tracked with infor from the current user?)
Kestrel, however, will serve the page.
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
all
Repro steps
Open one of the sub-folders of the ASP.NET Core tutorial
Observe that the name of all the solutions is the same
Run the App creation scripts
Observe that they create the same app, and therefore there are collision
Expected behavior
Each Visual Studio solution, and each application as generated by the app creation scripts should have its own name, so that customers can switched from one to the other
Actual behavior
Observe that the name of all the solutions is the same
Observe that the name of all the solutions is the same
Possible Solution
Have a solution name and app name after the name of the folder
Hi,
I'm working through the example and receive the following when running. I updated the TenantID, ClientID, and Domain to match the example tenant. I'm working behind a corporate http proxy , could this be related or should I look elsewhere? If so, is there a way to set proxy flags in this example
'One or more errors occurred. (IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/common/discovery/instance?authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize&api-version=1.1'.)'
the exception occurs on AadIssuerValidator: 74
IssuerMetadata issuerMetadata = configManager.GetConfigurationAsync().Result;
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
I'm looking to extend this behavior to call a web API i created and hosted in azure. You allude to how this can be done, but what i've done is not working. Could you provide a guide on how to do that? I've created a default web api that is protected to my organization. It has an exposed scope. I gave access for this application to call the API with a secret key. I tried updating the scope to be the same as the exposed api, but i'm getting errors that my scope is invalid. I expected after granting access to the API, i would get another accept permission dialog
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope user_impersonation openid offline_access profile is not valid. The scope format is invalid. Scope must be in a valid URI form https://example/scope or a valid Guid <guid/scope>.
Able to call a protected web api
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
Thanks! We'll be in touch soon.
x)- [ X ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
If I restart my app service I can log in just fine. Over time though when I visit the website I'm prompted for my credentials, I authenticate, then the page redirects back and forth between the 'authorize' endpoint at login.microsoftonline.com and my own signin-oidc endpoint. It does this for about 1 minute then stops.
No log messages that I can see at all other than when the login loop times out (after 1 minute) I get "We couldn't sign you in".
Windows 10 dev machine. Remote server is running in Azure under an app service plan.
.NET Core 2.2
Thanks! We'll be in touch soon.
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Configuring per the documentation causes a localhost debug run to fail during authentication
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
The README.md under the section "Step 1: Register the sample with your Azure AD tenant" states port 5000. The actual configuration in Properties/launchSettings.json is using port 3110.
I considered making the change and creating a PR, but didn't know which port number you would like to use. Let me know and I can make this change.
Thanks! We'll be in touch soon.
Please provide us with the following information:
x)- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Follow all steps to register the app provided in Azure QuickStart.
Try to login with safari and chrome from iphone results in a infinite loop.
None
Successful login
IOS 12
12.1.4
None of the supplied fixes work:
aspnet/AADIntegration#52
https://hajekj.net/2018/08/31/beware-of-samesite-cookie-policy-in-asp-net-core-and-upcoming-ios-12/
Thanks! We'll be in touch soon.
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
Click on the link in this paragraph:
"This is the fifth chapter of a set of tutorials. Once you understand how to receive the group memberships in a user's claims, you can try the sample Add authorization using app roles & roles claims to an ASP.NET Core Web app thats signs-in users with the Microsoft identity platform to learn about how to use the App roles in an app using the Microsoft Identity Platform to authenticate users."
This text in the above paragraph
"Add authorization using app roles...with the Microsoft identity platform"
links to
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ-Roles
which results in a 404.
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [w ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
As reported by @negoe, we need to change in all the README.md, the order of step2 with step 1, i.e. making this one first Download/ Clone this sample code or build the application using a template” and then Register the sample with your Azure AD tenant to avoid confusion for developers
After hosting the given sample code by configuring the AAD, the normal authentication flow is working fine, when we type the URL in the browser window directly.
But, When we open the application URL from the Microsoft Word, getting the exception: Correlation failed.
Below are the steps to reproduce the issue:
Raw Exception Details:
System.Exception: Correlation failed.
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Session.SessionMiddleware.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Session.SessionMiddleware.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.d__7.MoveNext()
When logging out of the web app, I'm still getting the account selection screen even though the login_hint parameter is in the URL with the correct value. How do I skip the account selection screen and log out right away?
I apologize for asking this here, but I've been struggling with this for quite a while and have asked on StackOverflow and have gotten nowhere :(
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ x] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Windows 10
So I would like to scaffold the AccountController to be able to check if the logged user through Azure AD exists in my local database and create it if not. I woulk like to integrate my local user database with Azure AD. Thanks!
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [X ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
When I try change in the project the URL redirect in Application Registration Portal. I Receive Error don't match the URL Redirect.
The text of the message is the next= "Message: AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '...'."
I have My project but I need integrate this with Microsoft Authentication.
Windows 10
Enterprise
I was working with Visual Studio 2017 and .Net Core 2.0
Thanks! We'll be in touch soon.
This is more of a suggestion. I'm pretty sure I'm not the only one who would appreciate if the reusable library project Microsoft.Identity.Web was available as a NuGet package.
That way we can easily keep up with any updates/fixes that you do!
Thank you for considering this!
It was available some days ago, but now App Registration (Preview) is missing from AzureAD administration, how can I work around it?
x)- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
the test should be on the tenant ID, whereas the jwtToken is tested again.
This issue was originally raised by @goofybryan in another sample: See Azure-Samples/active-directory-dotnet-native-aspnetcore-v2#18
I am configuring options for AAD Implicit Grant flow in a similar way like was for 2.0:
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
// ADD "oauth2AllowImplicitFlow": true into Azure App manifest
options.ResponseType = "token id_token";
options.Resource = "3d7dsrh4-c97j-4c47-3f74-0e74c34675sd";
options.SaveTokens = true;
options.ClientId = Configuration["AzureAd:ClientId"];
options.Authority = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}";
options.UseTokenLifetime = true;
options.CallbackPath = Configuration["AzureAd:CallbackPath"];
options.RequireHttpsMetadata = false;
But revieving AADSTS90100: The 'resource' request parameter is not supported.
I can set instead of Resource:
options.Scope.Add("openid");
options.Scope.Add("profile");
But in this case token is not valid. And I can't specify 3d7dsrh4-c97j-4c47-3f74-0e74c34675sd GUID
Please provide us with the following information:
x)- [x] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Please add an 'x' for the scenario(s) where you found an issue
First the documentation part
Then the (possible) bug part
Even if the "TodoList:TodoListScope" is added to the service, I get and exception when navigating to the todolist in the client, which seems to indicate that the TodoListService should have a clientSecret configuration, or that AddProtectedApiCallsWebApis is doing something it should not.
Lastly, the TodoListService is configured with both AddProtectWebApiWithMicrosoftIdentityPlatformV2 and AddProtectedApiCallsWebApis. Both of these set JwtBearerOptions.Events.OnTokenValidated, of which the last overrides the first. Is this intended?
x)- [ ] bug report -> please search issues before submitting
- [ x ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
It's about adding a phase 1.5 to the tutorial to show how to sign-in users with social identities or local identities with Azure AD B2C
Go to 1-WebApp-OIDC/1-5-B2C
Expected behavior
A sample is available to explain how to sign-in users to the Web App using Azure AD B2C.
Actual behavior
The directory is empty
Possible Solution
It would be good to:
Note that that sample is a bit old (ASP.NET Core 2.1), and since then, classes such as Azure AD B2C Options, etc ... are available part of ASP.NET Core. (https://github.com/aspnet/AspNetCore/tree/master/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src)
It might be good to:
StartupB2Helper.cs file containing a StartupB2CHelpers class similar to StartupHelpers providing the method public static IServiceCollection AddAzureAdB2CAuthentication(this IServiceCollection services, IConfiguration configuration) which would:services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
..AddAzureAdB2C(options => Configuration.Bind("Authentication:AzureAdB2C", options))Maybe have a new method for the OpenIdConnect code which is the same for AzureAD B2C and Azure AD v2.0 (a lot)
Additional context/ Error codes / Screenshots
Good ideas in the B2C sample should be brought back as well in the AAD tutorial (for instance logging ?)
I followed steps 1 - 3, but got exception when visitinghttps://localhost:44321/signin-oidcafter sign on.
However, when I checked Access tokens option below,
Register your app
Advanced settings | Implicit grant section, check Access tokens
After setting above, https://localhost:44321/signin-oidc is then redirected to https://localhost:44321/.
After this change, it works.
Is it missing the setting above?
Please provide us with the following information:
x)- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Execute the following command:
dotnet new mvc --auth SingleOrg --client-id <client_id>
No failure, but there is no Extensions\AzureAdAuthenticationBuilderExtensions.cs file.
There should be instructions that guide us through the installation with the latest framework
macOS High Sierra (10.3.6)
.NET Core 2.1.401
Thanks! We'll be in touch soon.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.