I am trying to call the REST service to get an idToken from an Azure B2C application using the following URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p={POLICY}
I am passing all the required parameters in the payload:
grant_type=authorization_code&client_id={ClientID}&scope=https://{tenant}.onmicrosoft.com/api/read openid offline_access&code={AUTH_CODE}&redirect_uri={REDIRECT_URI}&client_secret={CLIENT_KEY}
The same approach is working on one environment but returns
404 : The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
when accessing from another environment.
What am I missing here? Any Azure configuration that I need to check?
Your request looks good. So the key point of this issue should not be on the B2C side.
This error generally means that the file you are looking for is not present on the server or the web.config file is not configured properly.
As the approach is working on one environment but failing for another, you should check the web.config file which is in the failing environment to see if it is configured correctly.
See a similar question here.
The app
I have a web application on Microsoft Azure. The client is written in Vue.js and hosted via a Windows App Service. The server is built using Azure Functions, and hosted via a Linux Azure Functions App.
Both the client App Service and the server Function App use built-in authentication ("Easy Auth"), with Active Directory configured as the identity provider. I am able to log into each, separately, via AD.
Until recently, I was also able to make authenticated requests from the client to the server. The client has
"loginParameters": [
"response_type=code id_token",
"scope=openid offline_access api://<Application (client) ID>/user_impersonation"
]
in its authsettingsV2 and generated tokens' aud have the correct application ID. Passing the access_token from the client's /.auth/me response as a bearer token in requests to the server used to work.
The problem
I made a few configuration changes today, tested authentication, found that it was no longer working, and backed them out. Unfortunately, reverting those changes didn't fix the issue and generated tokens are no longer being accepted by Easy Auth on the server:
{
"code": 401,
"message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]' or validationParameters.ValidIssuers: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'."
}
Okay, so the issuer is not in the list of valid issuers. But Azure hides personally identifiable information in exceptions by default, so I can't see the issuer or any of the valid issuers.
One option appears to be:
If you need to see the full information present in exceptions, please set IdentityModelEventSource.ShowPII to true
but this looks like a reference for configuring authentication myself using C#. I don't see any way to change this setting when using Easy Auth.
Maybe I can access raw logs. Let's see, I should be able to see this information by enabling application logging:
If you enable application logging, you will see authentication and authorization traces directly in your log files
To enable application logging for Linux apps or custom containers in the Azure portal, navigate to your app and select App Service logs.
But that option is not available:
A lot of the Function App documentation links to App Service documentation, so it would seem that Function Apps are a special kind of App Service App, but maybe not. The preceding quote is from App Service documentation, but I got there following links from Azure Function App documentation.
Alright, let's see if there's a way to enable application logging for Function Apps. Azure Monitor Logs look promising, but none of the generated logs appear to be about Easy Auth. I just see messages about the service starting. Maybe that's because, on Linux apps, Easy Auth runs in an isolated environment and therefore wouldn't be included in diagnostic logs:
The authentication and authorization module runs in a separate container, isolated from your application code.
So… how can I get more details about this error? Easy Auth is recommended as an option for authentication with Function Apps, and I'd hope that there's a way to get more information about what's happening.
I have seen Azure App Service Authentication / Authorization returns HTTP 401 IDX10205: Issuer validation failed and have already set accessTokenAcceptedVersion to null in the manifest. That Q&A helped me get the token passing working in the first place, and I have not changed that value.
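Since the Easy Auth error hides the issuer but the client already holds the token from /.auth/me, the quickest diagnostic is to read the token's own iss/aud/ver claims locally and compare them with the v1.0 and v2.0 issuer forms Azure AD uses. This is an added example, not code from the question or from Azure; the tenant ID, app ID and token are constructed placeholders, and the decoder deliberately does not verify the signature.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic only: it shows what iss/aud a token you already hold carries,
    it does not prove the token is genuine or accepted by the server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def expected_issuers(tenant_id: str) -> dict:
    # Issuer forms Azure AD puts in v1.0 and v2.0 access tokens for a tenant.
    return {
        "v1": f"https://sts.windows.net/{tenant_id}/",
        "v2": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }

def diagnose(token: str, tenant_id: str, expected_aud: str) -> dict:
    # Classify the token's issuer and check the audience against what the API expects.
    claims = decode_jwt_claims(token)
    iss = claims.get("iss", "")
    version = next((v for v, u in expected_issuers(tenant_id).items() if u == iss), "unknown")
    return {
        "iss": iss,
        "token_version": version,
        "aud_ok": claims.get("aud") == expected_aud,
        "ver_claim": claims.get("ver"),
    }

# Constructed sample (placeholder tenant/app IDs, fake signature) -- not a real token.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_APP = "11111111-1111-1111-1111-111111111111"
_header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_payload = _b64url_encode(json.dumps({
    "iss": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "aud": f"api://{SAMPLE_APP}",
    "ver": "1.0",
}).encode())
SAMPLE_TOKEN = f"{_header}.{_payload}.fakesignature"

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, SAMPLE_TENANT, f"api://{SAMPLE_APP}"))
```

A "v1" result with accessTokenAcceptedVersion expected to yield v2 tokens (or the reverse) points at a version mismatch between what the client requests and what the server-side Easy Auth issuer allowlist contains.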
I've created an application that uses Azure AD (not Azure AD B2C). I've been referencing https://raw.githubusercontent.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/master/ReadmeFiles/aspnetcore-webapp-tutorial-alt.svg?sanitize=true along the way.
Since I've deployed the application to our test environments, I randomly get 'HTTP Error 400. The size of the request headers is too long'.
I've come across Azure Portal: Bad Request - Request Too Long but this solution is for Azure B2C.
Does anyone know a solution to this?
Let me know if you need code examples, but I've pretty much followed the git repositories referenced above.
Seems to be related to TempData. Try switching from the cookie-based to the session-based provider:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-2.2#configure-the-tempdata-provider
I have a bot hosted in Azure which uses AADv2 authentication. The authentication was working perfectly until today, when it is throwing an error ("The resource you are looking for has been removed, had its name changed, or is temporarily unavailable") although I didn't change anything in the bot code or configuration.
I believe it is related to Azure rather than the bot's code, since I test the connection from the Azure OAuth Settings and it gives me the same error page:
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable".
This is where I test my connection:
I followed the instructions given by Microsoft to implement AADv2 in a bot:
Registered an app in apps.dev.microsoft as a Web Platform with redirect URL: https://token.botframework.com/.auth/web/redirect
Added OAuth Connection Setting to my bot
I believe it is not relevant, but just in case: the bot is developed with NodeJS using the BotFrameworkv4.
Everything seems to work fine now.
We didn't change anything in the code before or after the error and the authentication is back to normal again. I suppose it was an AAD internal error.
Microsoft answered the issue opened by #thomasmartinsen above, apparently there was a faulty service instance causing this problem, it is now repaired.
I am trying to authenticate my Azure Web App, following this doc.
In my Azure Portal, I've selected "Authenticate / Authorization" for my Web App.
After I configure my Microsoft Account Authentication Settings with the Client ID/Key from the App Registration page, I save the settings page and see an error.
The error says:
Failed to save Auth Settings for WebApp App:
{"Code":"Conflict","Message":"Cannot update the site 'WebApp' because
Authentication / Authorization was configured with an invalid issuer
URL ''. The URL must be well-formed, absolute, and use the HTTPS
scheme.","Target":null,"Details":[{"Message":"Cannot update the site
'WebApp' because Authentication / Authorization was configured with an
invalid issuer URL ''. The URL must be well-formed, absolute, and use
the HTTPS
scheme."},{"Code":"Conflict"},{"ErrorEntity":{"ExtendedCode":"04530","MessageTemplate":"Cannot
update the site '{0}' because Authentication / Authorization was
configured with an invalid issuer URL '{1}'. The URL must be
well-formed, absolute, and use the HTTPS
scheme.","Parameters":["WebApp",""],"Code":"Conflict","Message":"Cannot
update the site 'WebApp' because Authentication / Authorization was
configured with an invalid issuer URL ''. The URL must be well-formed,
absolute, and use the HTTPS scheme."}}],"Innererror":null}
I'm not sure what "invalid issuer URL" the issue is referring to.
This issue is not a general issue. This article is absolutely correct.
So I suggest you try to use another location to deploy your Web App and configure the Application again.
Also, this issue should be temporary, I have reported this.
Hope this helps!
I'm on the App Service team. This is a known issue which we are working to address - the behavior should be temporary. Our apologies for any issues this has caused.
I do not recommend the solution of moving to another region, as this is not guaranteed to work, and sites that do see resolution in this way may break again.
Please find our recommended workaround instructions in my response to this forum post.
For me it worked to add AAD as an auth provider with the default setting even though I'm not using it. I was then able to save my Facebook auth settings. This is a temporary workaround.
This answer is from this discussion. Editing the "issuer" field is not working for me.
Without changing anything in my web.config or anything else that, to my knowledge, should have any impact on my application's authentication through AAD, I receive this error:
AADSTS20031: The supplied wctx is not valid. This can be caused by caching redirect responses or using an incorrect URL to access the service.
I did publish an update, but as far as I know it does not have anything to do with it.
If I open a new tab and log in to my application, I am authenticated. The problem seems to be with the redirection to my application.
I would appreciate any lead on how to overcome this obstacle.