We are facing a 502 Bad Gateway error on a web portal which uses our client's Azure App registration settings.
The client provided us the following details with a single username/password from their domain to test SSO:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "XXXXX.co.uk",
  "TenantId": "xxxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx",
  "ClientId": "xxxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx",
  "CallbackPath": "/SignInVerify",
  "SignOutPath": "/aad-signout"
}
We deployed the website, tested everything using the user the client provided, and all seems to be working for that user.
When more users tried to use this website, they get a 502 Bad Gateway error, but we can still use the username/password provided to us without any issue.
The client is a large corporate client and could have multiple Azure tenants for Azure Active Directory, and we don't know their user group structure etc.
What could be the cause of the issue for all users other than the one we can currently test/use?
Thank you for your help in advance on this.
Change the configuration to the format below:
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "microsoft.onmicrosoft.com",
    "TenantId": "xxxxxxxxxxxxxxxxxxxx",
    "ClientId": "xxxxxxxxxxxxxxxxxxxx",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  }
}
And also check that you have selected multi-tenant.
Related
I created a new ASP.NET Core 6.0 MVC web application using Visual Studio 2022, and I defined it to use Azure AD for authentication, as follows:
Then I was asked to create an owned application, so I created one named "ad" as follows:
Inside my application's appsettings.json I have these settings:
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "*****",
    "TenantId": "***",
    "ClientId": "***",
    "CallbackPath": "/signin-oidc"
  },
  ....
}
It seems Visual Studio did all the work for us.
But when I checked "Certificates & Secrets" in the Azure portal for the generated Azure AD app, I found that there is nothing assigned:
So now we are going to upload a certificate (.crt file), but I have these questions:
Now the above ASP.NET Core MVC web application already has an SSL certificate bought from GoDaddy, so can we use this certificate also inside our Azure Active Directory app?
Also, after uploading a certificate inside our Azure Active Directory app, do we need to pass the certificate thumbprint from our web application? If the answer is yes, then what do I need to do exactly? Do we need to modify the identity platform code?
If you used VS to integrate AAD and create the resource for you, then the appsettings.json file should look like this. It's also OK to add the configuration manually.
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xxx.onmicrosoft.com",
    "TenantId": "tenant_id",
    "ClientId": "client_id",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
    //"ClientCertificates": [] // commented out: this app uses a secret, not a certificate
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "MicrosoftGraph": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  }
}
=============================================================
Firstly, the client secret is used for calling APIs, for example the MS Graph API. So in this answer, I demonstrate how to integrate the Graph API in the app; then you can get the client secret which is already generated for you.
After finishing all these steps, your project has already been set up. Going to Program.cs you can see the code below, and it already reads the configuration including the secret.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Scopes requested at sign-in, read from the MicrosoftGraph:Scopes setting above.
var initialScopes = builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))   // reads ClientId, TenantId, ClientSecret, ...
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)                  // the client secret is used here to redeem the auth code
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();
but you still need to go to appsettings.json and paste the client secret into "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.". You'd better comment out "ClientCertificates": [] because you are using a secret, not a certificate.
By the way, several client secrets can be valid at the same time; this is designed to avoid the app crashing because a secret expired. So you can have 2 client secrets: if one of the secrets is about to expire, you can create a new one in Azure AD and then paste the secret value into your project. This means, for example, that if you used Visual Studio to generate the secret but didn't store the secret, you can also create another secret manually in the Azure portal and use it in your app.
I have been playing with the Microsoft.Identity platform and trying to get it to work with the basic templates in ASP.NET Core 6.0, but I get stuck in an infinite login loop.
I am using projects created from the templates for web app and web API (using these commands: "dotnet new webapi --force --auth IndividualB2C" and "dotnet new webapp --force --auth IndividualB2C") and then updated the appsettings in both to connect to my Azure B2C tenant.
WEB APP
"AzureAdB2C": {
  "CallbackPath": "/signin-oidc",
  "ClientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ClientSecret": "xxxxx",
  "Domain": "xxxx.onmicrosoft.com",
  "EditProfilePolicyId": "B2C_1_EditProfile",
  "Instance": "https://xxxx.b2clogin.com/",
  "SignedOutCallbackPath": "/signout/B2C_1_susi",
  "SignUpSignInPolicyId": "B2C_1_SUSI"
},
"DownstreamApi": {
  "BaseUrl": "https://localhost:7208/",
  "Scopes": "https://xxxx.onmicrosoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/user.impersonation"
}
WEB API
"AzureAdB2C": {
  "ClientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "Domain": "xxxx.onmicrosoft.com",
  "Instance": "https://xxxx.b2clogin.com/",
  "Scopes": "https://xxxx.onmicrosoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/user.impersonation",
  "SignUpSignInPolicyId": "B2C_1_SUSI"
}
After making these changes, I can run the applications and the web app will attempt to log in through my social accounts, then go into an infinite loop redirecting between the login server and the app redirect URL.
I do get a log message that MicrosoftIdentityWebChallengeUserException was thrown (presumably because I need to consent to the scopes). My understanding is that the [AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")] attribute on the Razor page should handle this consent workflow for me, but it doesn't seem to be doing that.
Is there something additional I need to do in configuring these sample applications or a way to trap the WebChallenge exception (and if so, how do I issue the challenge back to the user)?
I feel like I am missing something obvious here to get this to work, but I cannot seem to find it. Can anyone provide some guidance to get this to work?
Please check if this can narrow down the issue:
Please clear cookies and try again.
The AuthorizeForScopes attribute needs the exact scopes in that method. Any incorrect scopes there will result in MsalUiRequiredException.
Try hardcoding the parameters to whatever scopes are required:
[AuthorizeForScopes(Scopes = new[] { "User.impersonation" })]
Try using IExceptionFilter
and add the filter in Startup.cs as follows:
services.AddMvc(options =>
{
    // Require an authenticated user on every endpoint.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
    // Global scope filter: takes the scopes from the DownstreamApi:Scopes section
    // and re-issues the challenge when MsalUiRequiredException is thrown.
    options.Filters.Add(new AuthorizeForScopesAttribute { ScopeKeySection = "DownstreamApi:Scopes" });
});
Please check out this SO reference.
Reference:
active-directory-aspnetcore issues | github
I'm trying to set up Azure B2C for my web site and can never get to the login screen. When I click login on my app I get the following exception:
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/tfp/XXXX.onmicrosoft.com/B2C_1_signupandsignin/v2.0/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 404, ReasonPhrase: 'Not Found'
My config is:
"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp/",
  "ClientId": "f4a.................................",
  "CallbackPath": "/signin-oidc",
  "Domain": "XXXX.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1_signupandsignin",
  "ResetPasswordPolicyId": "B2C_1_passwordreset",
  "EditProfilePolicyId": "B2C_1_profileedit"
}
and in my ConfigureServices method in Startup.cs I have:
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
As far as I can see everything is set up correctly (e.g. I've checked that the client Id is the correct Application Id) but I always get this error.
Does anyone have any idea as to what is going wrong?
Try appending the policy, e.g. ?p=B2C_1_signupandsignin, to the URL.
Success. It looks like MS have changed the domain they use for B2C and so the instance is wrong. It should be "https://xxxx.b2clogin.com/tfp/" where the domain is xxxx.onmicrosoft.com:
"AzureAdB2C": {
  "Instance": "https://xxxx.b2clogin.com/tfp/",
  "ClientId": "f4a.................................",
  "CallbackPath": "/signin-oidc",
  "Domain": "XXXX.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1_signupandsignin",
  "ResetPasswordPolicyId": "B2C_1_passwordreset",
  "EditProfilePolicyId": "B2C_1_profileedit"
}
It was this video that really helped (though I'm sure before too long it will be out of date): https://www.youtube.com/watch?v=M23P7tj_bXA
And for the sake of completeness, the reason why this is a fix is that MS is migrating to the b2clogin domain: Azure Active Directory B2C is deprecating login.microsoftonline.com.
I am having an issue, and I'm not sure why I'm getting this. Basically, I'm trying to get Azure AD B2C working; this works on my local machine, and if I try it on Azure free web hosting it works, however on the web host I'm using it doesn't. I don't know if this is because of how web hosts work, or whether it's something else.
The domain used has been partially removed for security, but the core errors are still there:
Also, I'm using .NET Core as the backend, and when I type the URL into my browser it works, just not on the hosting provider.
//Startup.cs
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

//appsettings.json
"AzureAdB2C": {
  "Instance": "https://.b2clogin.com/tfp/",
  "ClientId": "clientid",
  "CallbackPath": "/signin-oidc",
  "Domain": ".onmicrosoft.com",
  "ClientSecret": "",
  "SignUpSignInPolicyId": "B2C_1_SiUpIn",
  "ResetPasswordPolicyId": "B2C_1_PwdReset",
  "EditProfilePolicyId": "B2C_1_ProfileEdit"
}
You need to add "Authority" to the appsettings.json. So now it would look like:
"AzureAdB2C": {
  "Authority": "https://login.microsoftonline.com/tfp/{tenantName}.onmicrosoft.com/B2C_1_{signup_policy}/v2.0/",
  "Instance": "https://abc.b2clogin.com/",
  "ClientId": "asdas",
  "Domain": "abc.onmicrosoft.com",
  "SignedOutCallbackPath": "/signout/B2C_1_susi",
  "SignUpSignInPolicyId": "b2c_1_susi",
  "ResetPasswordPolicyId": "b2c_1_reset",
  "CallbackPath": "/b2csignin",
  "EditProfilePolicyId": "b2c_1_edit_profile"
},
This should fix your issue.
I've set up my Azure AD in the portal, and an App Service that uses the AD to authenticate, following instructions from Microsoft.
I've made a .NET Core app that uses this authorisation. It works on my localhost. But when I publish it I get this error:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '614f66a9-xxxx-483a-8bc7-xxxxxxx'
What should I change, and how come it works on my local but not when published?
This is the current configuration of the app:
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "lmyName.onmicrosoft.com",
    "TenantId": "******-ebd5-40d8-829b-*********",
    "ClientId": "*****-8eef-483a-8bc7-********",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Warning"
    }
  }
}
When I followed the online instructions I was directed to configure the App Service in the portal to use reply URL: /.auth/login/aad/callback
Could that be the same as CallbackPath?
For your case, you can change your reply URL in the AAD application to be <YourApplicationURL>/signin-oidc.
NOTE: The base address in the Sign-on URL and Logout URL settings is http://localhost:port.
This localhost address allows the sample app to run insecurely from your local system. Port is the default port for the Kestrel server. Update the reply URL in your AAD application if you configure the app for production use (if you publish your app to Azure Web App service).
For example, https://yourapp.azurewebsites.net/signin-oidc or https://www.contoso.com/signout-oidc
You can also refer to this sample to integrate Azure AD into an ASP.NET Core web app.
Please let me know if it helps!
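A small offline check that ties together three of the failures in this thread: the IDX20803 metadata 404 when a B2C Instance still points at login.microsoftonline.com, the AADSTS50011 reply-URL mismatch, and a client secret left in appsettings.json. This is an added example, not code from any of the posts; the config dictionaries are constructed placeholders, and the metadata URL is derived the way the AddAzureADB2C handler does it (Instance + Domain + "/" + policy + "/v2.0"), which is exactly the URL quoted in the IDX20803 error above.

```python
from urllib.parse import urlparse

# Constructed copies of the thread's B2C configs (placeholder tenant and client id).
BROKEN_B2C = {
    "Instance": "https://login.microsoftonline.com/tfp/",   # deprecated host
    "ClientId": "f4a-placeholder",
    "CallbackPath": "/signin-oidc",
    "Domain": "XXXX.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1_signupandsignin",
}
FIXED_B2C = dict(BROKEN_B2C, Instance="https://xxxx.b2clogin.com/tfp/")


def metadata_url(cfg: dict) -> str:
    """OIDC discovery URL as AddAzureADB2C builds it: {Instance}{Domain}/{Policy}/v2.0/..."""
    instance = cfg["Instance"].rstrip("/") + "/"
    policy = cfg["SignUpSignInPolicyId"]
    return f"{instance}{cfg['Domain']}/{policy}/v2.0/.well-known/openid-configuration"


def reply_url(app_base: str, cfg: dict) -> str:
    """The redirect_uri the middleware sends: site base URL + CallbackPath."""
    return app_base.rstrip("/") + cfg.get("CallbackPath", "/signin-oidc")


def lint(cfg: dict, app_base: str, registered_reply_urls: list) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    host = urlparse(cfg["Instance"]).hostname or ""
    is_b2c = "SignUpSignInPolicyId" in cfg
    if is_b2c and host == "login.microsoftonline.com":
        findings.append("B2C Instance uses the deprecated login.microsoftonline.com host; "
                        "use https://<tenant>.b2clogin.com/tfp/ (metadata fetch returns 404)")
    if cfg.get("ClientSecret"):
        findings.append("ClientSecret is stored in appsettings.json; keep it in user secrets instead")
    expected = reply_url(app_base, cfg)
    if expected not in registered_reply_urls:
        findings.append(f"reply URL {expected} is not registered on the app (AADSTS50011)")
    return findings


if __name__ == "__main__":
    print(metadata_url(BROKEN_B2C))
    for finding in lint(BROKEN_B2C, "https://localhost:5001", ["https://localhost:5001/signin-oidc"]):
        print("finding:", finding)
```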