AAD B2C:Unable to Authenticate web api after changing Authority URL from login.microsoftonline.com to xyz.b2clogin.com - azure

Unable to authenticate Web API (.NET Core) after changing the Authority URL from login.microsoftonline.com to xyz.b2clogin.com.
Authority Old URL: https://login.microsoftonline.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
Authority New URL: https://xyz.b2clogin.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
Startup code:
.AddJwtBearer(AzureJwtSchemes.AZURE_ADB2C_AUTHENTICATION_SCHEME, options =>
{
    // Authority now points at the b2clogin.com host; metadata is discovered from it
    options.Authority = azureB2COptions.Authority;
    options.Audience = azureB2COptions.ClientId;
});
Any help will be really appreciated! Thanks!!!

The code in your Azure AD B2C-enabled applications and APIs may refer to login.microsoftonline.com in several places. For example, your code might have references to user flows and token endpoints. Make sure all of them have been updated to your-tenant-name.b2clogin.com.
Reference:
Set redirect URLs to b2clogin.com for Azure Active Directory B2C

Might be caused by another error.
To check what's really happening you can do the following:
- Create your custom method and set up OnAuthenticationFailed under options.Events.
- Set Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII to true.
- Add a breakpoint in the AuthenticationFailedContext handler.
This should give you an idea of what's wrong.
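Putting the three steps above together, as an added example (not code from either post): a JwtBearer registration for the B2C API in the question, with the b2clogin.com authority, an OnAuthenticationFailed handler and ShowPII enabled only in development. `azureB2COptions` and `AzureJwtSchemes` are the question's names; `services`, `env` (IWebHostEnvironment) and `Startup` are assumed to be the usual Startup members.

```csharp
// Added example: Startup.ConfigureServices for a B2C-protected API.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Logging;

// PII (token contents, issuer and metadata URLs) only appears in IDX10xxx messages
// when this is on; keep it to local development (env is assumed to be IWebHostEnvironment).
if (env.IsDevelopment())
{
    IdentityModelEventSource.ShowPII = true;
}

services.AddAuthentication()
    .AddJwtBearer(AzureJwtSchemes.AZURE_ADB2C_AUTHENTICATION_SCHEME, options =>
    {
        // e.g. https://xyz.b2clogin.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
        // Issuer and signing keys are discovered from this authority's metadata, so do
        // not pin TokenValidationParameters.ValidIssuer to the old login.microsoftonline.com value.
        options.Authority = azureB2COptions.Authority;
        options.Audience = azureB2COptions.ClientId;

        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                // context.Exception carries the concrete reason (issuer, audience,
                // signature key, metadata retrieval ...). Put the breakpoint here.
                var logger = context.HttpContext.RequestServices
                    .GetRequiredService<ILogger<Startup>>();
                logger.LogWarning(context.Exception,
                    "JWT bearer authentication failed for {Path}", context.Request.Path);
                return Task.CompletedTask;
            }
        };
    });
```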

Related

Cant Authenticate Single Tenant Angular Application

I'm creating an Angular application that should authenticate with an MS Azure AD single-tenant app which should be used only in one organization. Below are the configs which I have tried:
auth: {
    clientId: 'MY_CLIENT_ID',
    // authority: 'https://login.microsoftonline.com/MY_TENANT_ID',
    // authority: 'https://login.microsoftonline.com/MY_ORGANIZATION_DOMAIN',
    authority: 'https://login.microsoftonline.com/organizations',
    redirectUri: 'http://localhost:6735'
},
All the above ways of setting the authority I have tried. It goes to the Microsoft login page, but after giving correct credentials it redirects with some code in the URL and login doesn't happen.
http://localhost:6735/#code=0.ASgAmOTRM_cEXkaKjvmSz2YuZyqUYHleyNlFoNYtQ5kOUEUAAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrHDMc_BSj9GrzkrZl2zT2QVp1Hml8h7qs1PSWM_umvMyKRk5U0C7IbDSpdEpL9SGjWzBFHBXBXh10eLEioVh1N8-hXeNyfLJFSqXShYPooCX8UnlUnIQqgFhULy_o1f7ybLLbMELBomOnJZQKZuJoxj6UJgtERnAE1TZ5-nx4YkPHSrlOD5aYSF6Pziu2Xfh8UOMArIUMAoXe_RUoqULKSIHFsxXypPpCNDo1ddWsxId96BbDdPhHix2IWCuz3SNtKC6i_22qiQSxHJnT3NlcoxyMS0-9f9tSMSEOmrzCU0y5mbuw7-OGYPO8Na3juGParCuPQhE7ZJyXcwFkKodEdGs-C1U-f5Bc_imtik4B8x6sRB2pa-DOAueRQHsLdUUBQn6w5xRmZ97KKXxuL0A59EHbNhNu59EFoVJB6zTTT3hBHLFg7qL9g2nkfZLAlfpp9IfqnsoZVl9xT0CIbl7NvsRFnjpsyp6Sw4oFvyEHiXuRvKLkl3Jz8O56PJody2hHEeqXuQvnWbZ9nk00MPOvArQ7bKyoCusCPQQp64uoPSLW9G389a3ihHLiiNlzJik2dHWjez2wBpSPwZCOingPRi3Mtkh5pIbxfijejQmWZlXB_wf_GaNPYPGNRXYygeo-2OZ9koWDKhQ5S6GP5ktjGPfDtlh6EJNCHAIuuHbK2IN2vjbxdO4_YVLX1NKq0Hh51B4-zNdsiFlZuVsy5RyA3ZQZGsnR1NIKV_wm5jMmdDsgAA&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec
Please check if any of the below is your workaround
If your application audience is a single tenant, you must provide an authority with your tenant id as you tried first:
const msalConfig = {
    auth: {
        clientId: 'your_client_id',
        authority: 'https://login.microsoftonline.com/{your_tenant_id}'
    }
};
By default, MSAL is configured to set the redirect URI to the current page that it is running on. If you would like to receive the authorization code on a different page than the one running MSAL, you can set this in the configuration. Any redirect URI used must be configured in the portal registration.
If it is a SPA, please check that you have selected the platform as SPA in the app registration in the portal, and check that the URI type in the manifest file is Spa. Make sure you do not have multiple platforms configured in Azure (for example both SPA and Web App for the same localhost URI).
Try to give the redirect URI with a '/' at the end: http://localhost:4200/ or http://localhost:6735/ or redirectUri: '/', make sure you configured the same URI in the application code, and try again.
Make sure your client ID and tenant ID are given correctly. Localhost is probably used while in development. If it still doesn't work, configure the redirect URI with the https scheme in both the app and the portal.
Reference:
AzureAD/microsoft-authentication-library-for-js (github.com)
Quickstart: | Microsoft Docs

Msal.js not authenticating with google - Redirect uri issue

So I recently used the quickstart method from Azure to make a JS app which authenticates using the MSAL.js library. I am able to authenticate using the normal users in AD, however when adding in google as an external identity provider, I get the Authorization error:
"Error 400: redirect_uri_mismatch
The redirect URI in the request, https://login.microsoftonline.com/te/{tenant-id}/oauth2/authresp, does not match the ones authorized for the OAuth client...."
I have checked the URI in my JS app, on Azure, and added it in the Google developer console to no avail. I have followed the documentation as per: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-google
I have tried fiddling with everything and don't know what to do to fix it. Keep in mind that when I created the Azure account, it automatically made my tenant name "Default directory" and my primary domain "{FirstName}{EmailDomain}#onmicrosoft.com". I have since changed my tenant name to "NewTenant" (I will be changing all names for the purpose of this question as I would like to not reveal any actual details where possible).
To conceal my details I'll be making "{FirstName}": "Bob", and "{EmailDomain}": "mydomain"
JS code:
const msalConfig = {
    auth: {
        clientId: '{ClientId}',
        authority: 'https://login.microsoftonline.com/{TenantId}',
        domain: 'bobmydomain.onmicrosoft.com',
        instance: 'https://bobmydomain.b2clogin.com/tfp',
        redirectUri: "http://localhost:3000/"
    },
    cache: {
        cacheLocation: 'sessionStorage',
        storeAuthStateInCookie: false
    }
};
Azure: (screenshot of the Azure redirect URIs)
Google developer console: (screenshot of the Google redirect URIs)
Bear in mind I fiddled with the HTML so that I could get a nice screenshot. I have also configured the ClientID and ClientSecret for Google auth in the Azure external identity provider portal.
EDIT: http://localhost:3000/ was also added as a redirect URI to the Google dev console but also to no avail
Any help would be appreciated.

Azure AD B2C: The redirect URI provided in the request is not registered for the client id... but it actually is

We have the following Azure AD B2C Application (which we will call aadb2c) with the following settings
Include web app/ web API: YES
Allow Implicit Flow: YES
Reply Url:
- https://localhost:44339/
- https://productionURL.com
- https://productionURL.com/
App ID URI (which is optional): none
Native Client: NO
This application is what our website https://productionURL.com uses to log in its users with Azure AD B2C.
However, on production we keep on getting the error:
The redirect URI 'productionURL.com' provided in the request is not registered for the client id 'aadb2c'
According to this we should add the link to our reply URL.
But as you can see above, we already included https://productionURL.com in the "Reply URL" section of the Azure AD B2C blade.
What could be causing this error to happen? How do we resolve the redirect URI request not registered error?
It needs to be configured in the code as well and you need to make sure that the protocols match. This can also happen if there's a mismatch with the tenant ID or the app ID.
Check the B2C callback request in Chrome DevTools > Network with "Preserve log" to see what URL is being returned. This should give you insight into the problem.
As an extra measure to ensure that the protocols are matching, you can add:
// Inside the OpenIdConnect OnRedirectToIdentityProvider event handler
if (context.ProtocolMessage.RedirectUri.Contains("http:"))
{
    context.ProtocolMessage.RedirectUri = context.ProtocolMessage.RedirectUri.Replace("http:", "https:");
}
After hours looking at our code and finding no traces of the url without any protocol or any trace of "http:", we now had to look at our deployment orchestrator.
Apparently in Octopus we are deploying the app with an incorrect URI: it's missing the protocol "https://"
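The root cause found above (a redirect URI injected by the deployment pipeline without its scheme) can be caught at startup. Added example, not code from the question or answer: it models the comparison B2C makes against the Reply URL list from the question; the exact-string match and the `AzureAdB2C:RedirectUri` configuration key are assumptions.

```csharp
// Added example: fail fast on a redirect URI that B2C would reject.
using System;
using System.Linq;

public static class RedirectUriCheck
{
    // The Reply URLs registered on the B2C application in the question.
    public static readonly string[] RegisteredReplyUrls =
    {
        "https://localhost:44339/",
        "https://productionURL.com",
        "https://productionURL.com/"
    };

    // Returns null when the value is acceptable, otherwise the reason it is not.
    public static string? Explain(string? requested, string[] registeredReplyUrls)
    {
        // "productionURL.com" as supplied by Octopus has no scheme, so it is not an absolute URI.
        if (!Uri.TryCreate(requested, UriKind.Absolute, out var uri))
            return $"'{requested}' is not an absolute URL; the deployment must supply the scheme";

        // http://productionURL.com/ against a Reply URL registered as https:// also fails.
        if (uri.Scheme != Uri.UriSchemeHttps)
            return $"'{requested}' uses {uri.Scheme}, but the Reply URL is registered as https";

        // Assumed exact match: a trailing-slash or host difference counts as unregistered.
        if (!registeredReplyUrls.Contains(requested, StringComparer.Ordinal))
            return $"'{requested}' does not exactly match any registered Reply URL";

        return null;
    }

    // Call from Startup.ConfigureServices with the value the orchestrator injects, e.g.
    // RedirectUriCheck.ValidateOrThrow(Configuration["AzureAdB2C:RedirectUri"], RegisteredReplyUrls);
    public static void ValidateOrThrow(string? requested, string[] registeredReplyUrls)
    {
        var problem = Explain(requested, registeredReplyUrls);
        if (problem != null)
            throw new InvalidOperationException("Azure AD B2C redirect URI misconfigured: " + problem);
    }
}
```

Throwing here surfaces the misconfiguration in the deployment log instead of as the "not registered for the client id" error shown to users at sign-in.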

AADSTS70005: response_type 'id_token' is not enabled for the application

AADSTS70005: response_type 'id_token' is not enabled for the application
I am getting above error even after setting "oauth2AllowImplicitFlow": true, in manifest.
Try this:
- Go to portal.azure.com.
- Select your directory, and go to Azure AD.
- Then select App registration (preview).
- Select the app you are trying to authenticate (you should already have registered it).
- Go to the Authentication tab.
- Check "ID tokens" in the Advanced Settings section (see the bottom of the attached image).
This has worked for me.
I got the error:
AADSTS700054: response_type 'id_token' is not enabled for the application.
And the resolution was setting:
{
    "oauth2AllowIdTokenImplicitFlow": true
}
in Azure Active Directory App Manifest
Make sure you have selected ID tokens (used for implicit and hybrid flows)
You can do from Authentication blade in your app in Azure AD. See screenshot below
Or go to the Manifest blade and make oauth2AllowIdTokenImplicitFlow to true. See screenshot below
Error: OpenIdConnectMessage.Error was not null, indicating an error. Error: 'unsupported_response_type'.
This error occurred because Azure AD did not return any access tokens or ID tokens.
Azure AD needs the check boxes enabled to return tokens after authentication is done.
How to solve: go to Azure AD => App registration => click the Authentication tab => enable the Access tokens and ID tokens check boxes.
Make sure you don't have two instances of the key oauth2AllowImplicitFlow in your manifest - in my case I had added the key but it was present already with the value set to false. Hopefully this solves the issue:)
I was facing a similar issue and when I visited the page of Active Directory -> App registrations, it wasn't showing the new UI.
Also it didn't allow me to set the flag in the metadata. Found the workaround for this:
https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Authentication/quickStartType//sourceType/Microsoft_AAD_IAM/appId/9bab1d75-34b8-475b-abfe-5a62c6f01234/objectId/a4b459c1-7753-400c-8f8f-46fb5451234/isMSAApp//defaultBlade/Overview/servicePrincipalCreated/true
First login to your instance, modify the above URL to paste object id and application id of your application.
Then it should show the screen #Mosè Bottacini posted.
It is true like a lot of you are saying that you need to enable ID tokens (used for implicit and hybrid flows) if you really need the ID Token.
'AADSTS700054: response_type 'id_token' is not enabled for the application.'
However, if you use an Authorization Code Flow you don't really need it. Microsoft OpenID Connect authentication (Microsoft.AspNetCore.Authentication.OpenIdConnect) uses id_token as the default ResponseType for OpenIdConnect and JwtSecurityTokenHandler.
Using AddOpenIdConnect you can set ResponseType to OpenIdConnectResponseType.Code or simply "code", and then you don't need the id_token at all.
Working example with Azure Ad and IdentityServer:
services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.ClientSecret = "<ClientSecret>";
        // Authorization code flow: no id_token in the front channel, so the
        // "ID tokens" checkbox is not needed
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.ClientId = "<ClientId>";
        options.Authority = "https://login.microsoftonline.com/<TenantId>/";
        options.CallbackPath = "/signin-oidc";
    })
    .AddIdentityServerJwt();
http://docs.identityserver.io/en/latest/topics/signin_external_providers.html
I stumbled across this post since I was having the exact same issue with my Azure App Service. I fixed it by using the exact redirect URL in the error message and adding that to the list of URLs in the app registration.

OpenIDConnect Azure Website hosted in an iFrame within Dynamics CRM Online

I'm trying to get the OpenIDConnect Azure sample from here working within an iFrame in CRM. I've deployed to Azure where login works fine when hitting the site directly.
When I access the site via an iFrame in CRM Online it's displayed fine but when I attempt to login I'm getting the following error:
Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolInvalidNonceException: IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.
After some investigation I've updated the OWIN middleware configuration to set the RequireNonce false:
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        ProtocolValidator = new Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator()
        {
            RequireNonce = false
        }
    });
When I now try to login I now get the following exception for which I've hit a wall.
Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolException: invalid_request
Any help would be much appreciated. I understand the use of nonce but I'm yet to understand the full implications of disabling it within this use case so getting this working without the need to disable would be ideal.
The authentication experience cannot be iFramed, for security reasons. Also, turning off the nonce verification is very dangerous - I would strongly advise against it. You can refer to the OAuth2 and OpenID Connect threat models for concrete details on the risks you'll incur; however, the frame-busting logic should make the point moot.