Published Web app Auth AD B2C: Error404 for /signin/B2C_1_mysigninoutpolicy - azure

I am following the Azure AD B2C auth example, which runs fine locally after changing appsettings.json to my web app's tenant/app. When I publish to Azure, the home web page opens, but when I press Login I don't get to the authorisation window; Fiddler shows:
redirect_uri_mismatch
AADB2C90006: The redirect URI
'https://webappname.azurewebsites.net/signin/B2C_1_mysigninoutpolicy' provided in the request is not registered for the client id 'xxxxxxxx'.
The user flow policies are registered:
I think this setup is b2clogin.com compliant.
a) I create the tenant and register the app in the portal. At the tenant:
Azure AD B2C resource name (tenant): tenantName.onmicrosoft.com
I set App Registration->Reply URL to https://webappname.azurewebsites.net/signin-oidc
Also on App Registration->Add ID URI (optional): I left it blank
Native client: No
b) At my subscription level (not tenant) in the Azure portal, the published app's settings:
app URL: https://webappname.azurewebsites.net
Configuration->Application settings: shows WEBSITE_NODE_DEFAULT_VERSION, and I've added ASPNETCORE_ENVIRONMENT with the value "Production".
In the project's appsettings.json, the settings are:
"Instance": "https://tenantName.b2clogin.com",
"ClientId": "XXXXXX",
"ClientSecret": "XXXXX",
"Domain": "tenantName.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1_mysigninoutpolicy",
"SignUpSignInPolicyId": "B2C_1_mysigninoutpolicy",
"ResetPasswordPolicyId": "B2C_1_myresetpolicy",
"EditProfilePolicyId": "B2C_1_myeditprofilepolicy", // Optional profile editing policy
"CallbackPath": "/signin/B2C_1_mysigninoutpolicy"
The example doesn't use "Tenant", so I left it out?
I tried uncommenting the example's CallbackPath, but got the same error:
//"CallbackPath": "/signin/B2C_1_sign_up_in" // defaults to /signin-oidc
I restarted the web app and waited a couple of minutes after each change before testing. I browse to https://webappname.azurewebsites.net to test.
Thank you for your help

The redirect URI in the application registration must match the callback path in the application configuration.
In the above question, the redirect URI is set to /signin-oidc but the callback path is set to /signin/B2C_1_mysigninoutpolicy, which results in the redirect_uri_mismatch error response.
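A pre-flight check that makes the mismatch visible before deploying, added here as an example (it is not code from the question or from the Microsoft sample): it derives the redirect_uri the ASP.NET Core OpenID Connect middleware will send (published base URL plus CallbackPath, falling back to the /signin-oidc default the sample's own comment mentions) and compares it, as an exact string, with the Reply URLs registered on the app registration. The appsettings fragment is reconstructed from the question with secrets removed; keep ClientSecret in App Service application settings or Key Vault rather than in a published appsettings.json. Either registering the derived URI or dropping CallbackPath so the already-registered /signin-oidc is used resolves the error.

```python
"""Added pre-flight check: compute the redirect_uri that the ASP.NET Core OpenID
Connect middleware will send and compare it with the URIs registered on the B2C
app registration. Not part of the question or the Microsoft sample."""
import json
from urllib.parse import urlsplit

# Microsoft.Identity.Web falls back to this when CallbackPath is absent
# (the sample's own comment: "defaults to /signin-oidc").
DEFAULT_CALLBACK_PATH = "/signin-oidc"

# Constructed from the values quoted in the question; the secret is omitted on purpose.
APPSETTINGS = json.loads("""
{
  "AzureAdB2C": {
    "Instance": "https://tenantName.b2clogin.com",
    "ClientId": "XXXXXX",
    "Domain": "tenantName.onmicrosoft.com",
    "SignedOutCallbackPath": "/signout/B2C_1_mysigninoutpolicy",
    "SignUpSignInPolicyId": "B2C_1_mysigninoutpolicy",
    "CallbackPath": "/signin/B2C_1_mysigninoutpolicy"
  }
}
""")


def expected_redirect_uri(settings: dict, app_base_url: str) -> str:
    """The middleware builds redirect_uri from the incoming request's scheme and
    host plus CallbackPath, so the published host name is what gets compared."""
    path = settings.get("AzureAdB2C", {}).get("CallbackPath") or DEFAULT_CALLBACK_PATH
    return app_base_url.rstrip("/") + path


def diagnose(redirect_uri: str, registered: list) -> dict:
    """Azure AD / B2C compares redirect URIs as exact strings (scheme, host, path,
    trailing slash included), so name the kind of mismatch instead of just failing."""
    if redirect_uri in registered:
        return {"ok": True, "reasons": []}
    want = urlsplit(redirect_uri)
    reasons = []
    for uri in registered:
        have = urlsplit(uri)
        if have.netloc != want.netloc:
            continue  # an entry for a different host cannot be the intended one
        if have.scheme != want.scheme:
            reasons.append(f"scheme mismatch: registered {uri!r}, app sends {redirect_uri!r}")
        elif have.path.rstrip("/") == want.path.rstrip("/"):
            reasons.append(f"trailing-slash mismatch: registered {uri!r}, app sends {redirect_uri!r}")
        else:
            reasons.append(f"path mismatch: registered {have.path!r}, app sends {want.path!r}")
    if not reasons:
        reasons.append(f"no registered URI for host {want.netloc!r}")
    return {"ok": False, "reasons": reasons}


if __name__ == "__main__":
    registered = ["https://webappname.azurewebsites.net/signin-oidc"]  # the question's Reply URL
    uri = expected_redirect_uri(APPSETTINGS, "https://webappname.azurewebsites.net")
    print(uri, diagnose(uri, registered))
```

Run it against the portal's Reply URL list whenever CallbackPath, the host name or the scheme changes; the same exact-match rule applies to the SignedOutCallbackPath-derived post-logout URI.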

Related

Microsoft.IdentityModel does not support a B2C issuer with 'tfp' in the URI

I am trying to run the WebApp B2C sample:
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C
When I try to login, I get the following error:
IDX40002: Microsoft.IdentityModel does not support a B2C issuer with 'tfp' in the URI. See https://aka.ms/ms-id-web/b2c-issuer for details.
If I edit the Instance to https://myHost.b2clogin.com I get:
AADSTS50011: The redirect URI 'https://myHost.b2clogin.com/1c2009bb-7e35-4a0e-9f22-xxxxxxxxx/oauth2/authresp' specified in the request does not match the redirect URIs configured for the application 'c24b0337-0bd9-45ee-8376-xxxxxxxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Edit:
These are my redirects:
I tried to reproduce the same in my environment and got the below results:
I deployed the custom policy starter pack via the IEF Setup App by entering my Azure B2C tenant name like below:
When I checked in the portal, the custom policies had been created successfully, like below:
Now I registered one Azure AD B2C app named webapp1 as below:
I added a redirect URI to the above application like below: https://localhost:44316/signin-oidc
Now I followed the same link that you mentioned and deployed one sample B2C web application by modifying the appsettings.json file like below:
"AzureAdB2C": {
"Instance": "https://sridevib2c.b2clogin.com",
"ClientId": "9986e76d-bxx7-4x6x-bxx7-3d8xxxxx9a45",
"Domain": "sridevib2c.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1A_SIGNUP_SIGNIN",
"SignUpSignInPolicyId": "B2C_1A_SIGNUP_SIGNIN",
"ResetPasswordPolicyId": "B2C_1A_PASSWORDRESET",
"EditProfilePolicyId": "B2C_1A_PROFILEEDIT" // Optional profile editing policy
//"CallbackPath": "/signin/B2C_1A_SIGNUP_SIGNIN" // defaults to /signin-oidc
},
JSON file:
When I ran the above web application, it took me to the below web page:
After selecting Sign Up/In, I got the login screen like below:
When I entered my credentials, I logged in to the application successfully, like below:
When I clicked on Sign Out, it showed me the below screen after signing me out:
After a lot of research I found this article/sample, where the Microsoft.Identity.UI framework is replaced with Microsoft.AspNetCore.Authentication.AzureADB2C.UI.
However, with the https://myDomain.b2clogin.com URL I still get the same error; using the custom domain it works, and that's enough for me.

Azure B2C Works On My Local Machine But Not On Azure

I have created a Blazor application that calls a Web API (.NET) and uses Azure AD B2C for authentication. This works fine on my local machine: I can authenticate via the login screen and call the relevant endpoint. Once I deploy the application to Azure, I get this error in the browser:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user
Failed to load resource: the server responded with a status of 401 (Unauthorized)
On the Blazor(UI) side I have this set up:
"AzureAd": {
"Authority": "https://CarehomeRoomBookingTest.b2clogin.com/CarehomeRoomBookingTest.onmicrosoft.com/B2C_1_SignUpIn",
"ClientId": "77##############################",
"ClientSecret": "99#########################",
"ValidateAuthority": false
}
On the Web API side I have this set up:
"AzureAdB2C": {
"Instance": "https://CarehomeRoomBookingTest.b2clogin.com",
"ClientId": "16#############################",
"Domain": "CarehomeRoomBookingTest.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1_susi_reset_v2",
"SignUpSignInPolicyId": "B2C_1_SignUpIn",
"TenantId": "38#############################"
}
Why would this be happening when the application is deployed and hosted on Azure?
Please check if any of the below is your case:
1. See if the scope for your API that your front-end app needs to use is correct. This way it will get an access token that is meant for your API. Register a scope for your API app registration through the Expose an API section, use the scope in your front-end app, and grant admin consent:
Your scopes will be present this way
Please make sure to include the scopes exposed in the portal for your backend API in the auth in your code.
Also please check if you have given proper permissions or if the use of delegated permissions is the issue. See getting-401-unauthorized-error-StackOverflow
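Both the IDX40002 question above (an issuer containing 'tfp') and this 401 question come down to what is inside the token the front end sends, so here is one added diagnostic that serves both; it is example code, not from either question or from Microsoft.Identity.Web. It decodes a JWT without verifying the signature (fine for inspecting a token you just received, not a substitute for the API's bearer middleware) and reports the three things that produce these symptoms: an issuer in the /tfp/ form, an aud that is the front end's client ID rather than the API's (the sign of sending an ID token, or an access token requested without the API's scope), and a scp claim missing the scope exposed under Expose an API. The GUIDs, the scope name Bookings.Read and the claim values are constructed placeholders.

```python
"""Added example: inspect a B2C-issued JWT before blaming the API. Decodes WITHOUT
verifying the signature; the API must still validate signature, issuer, audience
and lifetime through its JWT bearer middleware."""
import base64
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_claims(jwt: str) -> dict:
    _header, payload, _sig = jwt.split(".")  # signature deliberately not checked here
    return json.loads(b64url_decode(payload))


def classify_issuer(iss: str) -> str:
    """B2C can mint two issuer shapes:
       https://{tenant}.b2clogin.com/tfp/{tenantId}/{policy}/v2.0/   (the 'tfp' form)
       https://{tenant}.b2clogin.com/{tenantId}/v2.0/                (no 'tfp')
    Microsoft.Identity.Web rejects the first one with IDX40002."""
    return "tfp" if "tfp" in iss.split("/") else "no-tfp"


def check_access_token(jwt: str, api_client_id: str, required_scope: str, now=None) -> list:
    """Return the list of reasons an API protected by this client id would answer 401."""
    problems = []
    c = decode_claims(jwt)
    if classify_issuer(c.get("iss", "")) == "tfp":
        problems.append("issuer uses the /tfp/ form (IDX40002 with Microsoft.Identity.Web)")
    if c.get("aud") != api_client_id:
        problems.append(f"aud {c.get('aud')!r} is not the API's client id; "
                        "the token was minted for another app (an ID token, or the wrong scope)")
    scopes = c.get("scp", "").split()
    if required_scope not in scopes:
        problems.append(f"scp {scopes} lacks {required_scope!r}; request the API's exposed scope")
    now = time.time() if now is None else now
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed token for local demonstration only: alg 'none' and an empty
    signature. A real API must reject exactly this kind of token."""
    def enc(d):
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    API = "16000000-0000-0000-0000-000000000000"  # placeholder for the API's ClientId
    token = make_unsigned_token({
        "iss": "https://CarehomeRoomBookingTest.b2clogin.com/tfp/38000000-0000-0000-0000-000000000000/B2C_1_SignUpIn/v2.0/",
        "aud": "77000000-0000-0000-0000-000000000000",  # the Blazor front end's id, not the API's
        "scp": "openid profile", "exp": 2_000_000_000, "tfp": "B2C_1_SignUpIn"})
    for p in check_access_token(token, API, "Bookings.Read"):
        print("-", p)
```

Paste the real token's payload segment into decode_claims on a machine you trust; a token whose aud is the front end's client ID will never satisfy the API's audience check no matter how the scopes are configured.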

Can't Authenticate Single Tenant Angular Application

I'm creating an Angular application that should authenticate with an MS Azure AD single-tenant app, which should be used only in one organization. Below are the configs I have tried:
auth: {
clientId: 'MY_CLIENT_ID',
// authority: 'https://login.microsoftonline.com/MY_TENANT_ID',
//authority: 'https://login.microsoftonline.com/MY_ORGANIZATION_DOMAIN',
authority: 'https://login.microsoftonline.com/organizations',
redirectUri: 'http://localhost:6735'
},
I have tried all the above authority values. It goes to the Microsoft login page, but after giving correct credentials it redirects back with some code in the URL and login doesn't happen:
http://localhost:6735/#code=0.ASgAmOTRM_cEXkaKjvmSz2YuZyqUYHleyNlFoNYtQ5kOUEUAAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrHDMc_BSj9GrzkrZl2zT2QVp1Hml8h7qs1PSWM_umvMyKRk5U0C7IbDSpdEpL9SGjWzBFHBXBXh10eLEioVh1N8-hXeNyfLJFSqXShYPooCX8UnlUnIQqgFhULy_o1f7ybLLbMELBomOnJZQKZuJoxj6UJgtERnAE1TZ5-nx4YkPHSrlOD5aYSF6Pziu2Xfh8UOMArIUMAoXe_RUoqULKSIHFsxXypPpCNDo1ddWsxId96BbDdPhHix2IWCuz3SNtKC6i_22qiQSxHJnT3NlcoxyMS0-9f9tSMSEOmrzCU0y5mbuw7-OGYPO8Na3juGParCuPQhE7ZJyXcwFkKodEdGs-C1U-f5Bc_imtik4B8x6sRB2pa-DOAueRQHsLdUUBQn6w5xRmZ97KKXxuL0A59EHbNhNu59EFoVJB6zTTT3hBHLFg7qL9g2nkfZLAlfpp9IfqnsoZVl9xT0CIbl7NvsRFnjpsyp6Sw4oFvyEHiXuRvKLkl3Jz8O56PJody2hHEeqXuQvnWbZ9nk00MPOvArQ7bKyoCusCPQQp64uoPSLW9G389a3ihHLiiNlzJik2dHWjez2wBpSPwZCOingPRi3Mtkh5pIbxfijejQmWZlXB_wf_GaNPYPGNRXYygeo-2OZ9koWDKhQ5S6GP5ktjGPfDtlh6EJNCHAIuuHbK2IN2vjbxdO4_YVLX1NKq0Hh51B4-zNdsiFlZuVsy5RyA3ZQZGsnR1NIKV_wm5jMmdDsgAA&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec
Please check if any of the below is your workaround:
If your application audience is a single tenant, you must provide an authority with your tenant ID, as you tried first:
const msalConfig = {
  auth: {
    clientId: 'your_client_id',
    authority: 'https://login.microsoftonline.com/{your_tenant_id}'
  }
};
By default, MSAL is configured to set the redirect URI to the current page that it is running on. If you would like to receive the authorization code on a different page than the one running MSAL, you can set this in the configuration. Any redirect URI used must be configured in the portal registration.
If it is a SPA, please check that you have selected the platform as SPA in the app registration in the portal and that the URI type in the manifest file is Spa. Make sure you do not have multiple platforms configured in Azure (e.g. both SPA and Web App for the same localhost URI).
Try giving the redirect URI with a '/' at the end, e.g. http://localhost:4200/ or http://localhost:6735/, or redirectUri: '/', make sure you have configured the same URI in the application code, and try again.
Make sure your client ID and tenant ID are given correctly. Localhost is probably used while in development. If it still doesn't work, configure the redirect URI with the https scheme both in the app and in the portal.
Reference:
AzureAD/microsoft-authentication-library-for-js (github.com)
Quickstart: | Microsoft Docs
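The URL in the question already tells you more than "login doesn't happen", so here is an added parser for it (example code, not from the question, the answer or MSAL). The fragment MSAL receives carries the authorization code, a base64url JSON state that must equal the one MSAL stored before redirecting (stale or replayed redirects fail this check), and client_info, whose utid is the home tenant of the account that signed in; for a single-tenant app whose authority is login.microsoftonline.com/{tenant_id}, utid must be that tenant. The client_info and state strings below are the ones from the question's URL; the authorization code is replaced by a placeholder. MSAL itself only consumes this fragment when the application calls handleRedirectPromise on the page the redirect lands on (in MSAL Angular, handleRedirectObservable or the MsalRedirectComponent), so this parser is a diagnostic, not a replacement for that call.

```python
"""Added example: decode what MSAL.js got back on the redirect (code, state,
client_info) and check it against what the single-tenant app expects."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# client_info and state copied from the question's URL; the code is a placeholder.
REDIRECT_URL = (
    "http://localhost:6735/#code=0.placeholder-authorization-code"
    "&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0"
    "&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0="
    "&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec"
)


def b64url_json(s: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))


def parse_redirect(url: str) -> dict:
    """Split the fragment (response_mode=fragment is what MSAL uses for SPAs)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}
    out = {"code_present": bool(params.get("code"))}
    if "state" in params:
        out["state"] = b64url_json(params["state"])          # MSAL stores {"id":..., "meta":...}
    if "client_info" in params:
        out["client_info"] = b64url_json(params["client_info"])  # {"uid": object id, "utid": home tenant}
    if "error" in params:
        out["error"] = (params["error"], params.get("error_description", ""))
    return out


def check_redirect(url: str, expected_state_id: str, expected_tenant_id: str) -> list:
    """Return the reasons this redirect should not be accepted as a login."""
    r = parse_redirect(url)
    problems = []
    if "error" in r:
        problems.append(f"identity provider returned {r['error'][0]}: {r['error'][1]}")
    if not r["code_present"]:
        problems.append("no authorization code in fragment")
    if r.get("state", {}).get("id") != expected_state_id:
        problems.append("state does not match the stored request (stale redirect or CSRF)")
    utid = r.get("client_info", {}).get("utid")
    if utid != expected_tenant_id:
        problems.append(f"home tenant {utid} is not the single-tenant app's tenant {expected_tenant_id}")
    return problems


if __name__ == "__main__":
    print(json.dumps(parse_redirect(REDIRECT_URL), indent=2))
```

If utid is not the tenant you registered the app in, the account that signed in belongs to another directory, which is exactly the case /organizations allows and /{tenant_id} refuses.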

How to configure the ITfoxtec sample application "TestWebAppCore" with Azure AD as IdP

I'm trying to adapt the configuration of the ITfoxtec sample application TestWebAppCore from
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
to use a SAML-configured Enterprise Application on Azure AD.
In appsettings.json I configured "IdPMetadata" with the metadata URL of the Enterprise Application in Azure AD, of this kind: "https://login.microsoftonline.com/9...3/federationmetadata/2007-06/federationmetadata.xml?appid=c..."
and I have not changed the other lines:
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
"SigningCertificatePassword": "!QAZ2wsx",
//"SignatureValidationCertificateFile": "xxx.cer",
"CertificateValidationMode": "None", // "ChainTrust"
"RevocationMode": "NoCheck"
What is the "right" configuration that must be applied in the sample web app and in the Azure AD SAML configuration panel (Azure AD side)? In Azure AD SAML, especially for these configuration items:
Reply URL (Assertion Consumer Service URL): I tried "https://localhost:44306/"
and
Sign on URL: I tried "https://localhost:44306/Auth/AssertionConsumerService"
but even after a "Login" (with my Azure credentials) the user's claims are not visible on the Home Page of the web application.
Thanks all.
Now I have fixed my implementation of the "TestWebAppCore" sample in ITfoxtec.Identity.Saml2.
These are the settings in the Azure AD administration console:
Identifier (Entity ID): itfoxtec-testwebappcore
Reply URL (Assertion Consumer Service URL):
https://localhost:44306/Auth/AssertionConsumerService
Sign on URL, Relay State and Logout Url not configured.
And these are the configurations in appsettings.json:
"Saml2": {
"IdPMetadata": "https://login.microsoftonline.com/9...3/federationmetadata/2007-06/federationmetadata.xml?appid=c...8",
"Issuer": "itfoxtec-testwebappcore",
"SingleSignOnDestination": "https://login.microsoftonline.com/9...3/saml2",
"SingleLogoutDestination": "https://login.microsoftonline.com/9...3/saml2",
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
"SigningCertificatePassword": "!QAZ2wsx",
"CertificateValidationMode": "None", // "ChainTrust"
"RevocationMode": "NoCheck"
}
I compiled with .NET 5.0.
Note that in AuthController.cs I have commented the line
NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" },
otherwise the user name presented on the "Secure" page is an ID (in "persistent" format) and not the username with email. As an alternative, it is possible to change the line to this one:
NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" },
Another good example that uses the same ITfoxtec SAML identity library is this one:
https://github.com/nickgamb/Okta_SAML_Example (see also the article https://developer.okta.com/blog/2020/10/23/how-to-authenticate-with-saml-in-aspnet-core-and-csharp).
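To see where the values in the working configuration above come from, here is an added example (not code from the question, the answer or ITfoxtec.Identity.Saml2): it parses the kind of federation metadata document that "IdPMetadata" points at, pulling out the entityID, the HTTP-Redirect SingleSignOnService and SingleLogoutService locations (the login.microsoftonline.com/{tenant}/saml2 endpoints used for SingleSignOnDestination and SingleLogoutDestination) and the signing certificate, then cross-checks the SP side: "Issuer" must equal the Identifier (Entity ID) Azure AD looks the application up by, and the Reply URL must be the ACS action of AuthController rather than the site root. The metadata document, tenant ID and certificate are constructed placeholders, and the ACS route is taken from the answer. The sample's CertificateValidationMode "None" is flagged as a warning: it disables chain validation of the IdP certificate, while the response signature is still checked against the certificate taken from metadata, so that metadata must come over TLS from login.microsoftonline.com.

```python
"""Added example: resolve what ITfoxtec reads from Azure AD federation metadata
and cross-check it against the SP configuration. Not the library's own code."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed, trimmed stand-in for federationmetadata.xml (certificate is a placeholder).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# The answer's "Saml2" section, with the placeholder tenant substituted for "9...3".
SAML2_SETTINGS = {
    "Issuer": "itfoxtec-testwebappcore",
    "SingleSignOnDestination": f"https://login.microsoftonline.com/{TENANT}/saml2",
    "SingleLogoutDestination": f"https://login.microsoftonline.com/{TENANT}/saml2",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck",
}
AZURE_SAML_PANEL = {  # what the answer configured on the Enterprise Application
    "Identifier (Entity ID)": "itfoxtec-testwebappcore",
    "Reply URL": "https://localhost:44306/Auth/AssertionConsumerService",
}
SP_ACS_ROUTE = "https://localhost:44306/Auth/AssertionConsumerService"  # AuthController's ACS action


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)

    def location(tag):
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == HTTP_REDIRECT:
                return el.get("Location")
        return None

    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "sso": location("SingleSignOnService"),
            "slo": location("SingleLogoutService"),
            "signing_certs": certs,
            "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)]}


def check_sp_config(saml2: dict, panel: dict, acs_url: str, idp: dict) -> dict:
    errors, warnings = [], []
    if saml2["Issuer"] != panel["Identifier (Entity ID)"]:
        errors.append("Issuer must equal the Identifier (Entity ID); Azure AD looks the app up by it")
    if panel["Reply URL"] != acs_url:
        errors.append("Reply URL must be the SP's AssertionConsumerService route, not the site root")
    if saml2["SingleSignOnDestination"] != idp["sso"]:
        errors.append("SingleSignOnDestination differs from the metadata SingleSignOnService")
    if saml2["SingleLogoutDestination"] != idp["slo"]:
        errors.append("SingleLogoutDestination differs from the metadata SingleLogoutService")
    if not idp["signing_certs"]:
        errors.append("metadata carries no signing certificate; responses cannot be verified")
    if saml2.get("CertificateValidationMode") == "None":
        warnings.append("CertificateValidationMode None skips chain validation of the IdP certificate; "
                        "the signature is still checked against the metadata certificate, so fetch metadata over TLS")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(idp)
    print(check_sp_config(SAML2_SETTINGS, AZURE_SAML_PANEL, SP_ACS_ROUTE, idp))
```

The NameIDFormat list explains the AuthController change above: ask for emailAddress (or leave NameIdPolicy unset) if the Secure page should show the user's email rather than a persistent identifier.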

How to add simple authentication to azure mobile/web apps with Azure Active Directory?

My goal is to secure my mobile app's custom API methods and use them via HttpClient (C#).
As a part of the testing I used Postman to request a token and use it to access the resource.
I will explain with the vanilla template that comes when creating a new Mobile App.
1. Create a new mobile app.
2. Publish it to Azure.
3. Open it in the Azure portal, go to the Settings blade and find Authentication / Authorization.
4. Turn App Service Authentication On and select Azure Active Directory > Express > Create a new AD app.
5. Open Active Directory (Management Portal) and pick the directory for your account.
6. Select Applications, then the one you just created.
7. Go to the Configure tab and copy the Client ID; create a Key and copy it too.
8. Click on View Endpoints at the bottom and copy the OAuth 2.0 Token Endpoint.
9. Now open the mobile app project and decorate the controller/method you want to protect with [Authorize].
You should be all set with the setup.
Now open your favorite client, in my case Postman and
Step 1: Request a token
Method: POST
URL : {OAuth token endpoint from step 8}
grant_type : client_credentials
client_id : {the one copied from the AD section in step 7}
client_secret : {the one copied from the AD section in step 7}
resource : {the one copied from the AD section in step 7}
You will receive a response like this:
{
"token_type": "Bearer",
"expires_in": "3600",
"expires_on": "1453151213",
"not_before": "1453147313",
"resource": "yyyyyyyyyyyyyyyyyy",
"access_token": "xxxxxxxxxxxxxxxxxxx"
}
Now copy the access_token and use it in your request to the mobile app.
Method: Get
URL : https://MyMobileApp.azurewebsites.net/api/values?ZUMO-API-VERSION=2.0.0
Headers : Authorization : Bearer xxxxxxxxxxxxxxxxxxx
In case you run into any issues, here is a key step: go to the Azure portal and turn on Application Logging, Detailed error messages and Failed request tracing under Diagnostics logs (Settings blade).
Now you can see what's happening, with much more detailed logging, under Log Stream (Tools blade).
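The two Postman calls above, carried over into a small client as an added example (not code from the answer or from the Azure Mobile Apps SDK): it posts the client_credentials form to the v1 token endpoint with the resource parameter the answer uses, caches the token until shortly before the expires_on the endpoint returns (so the API is not hit with a fresh token request per call), and sends the Bearer header plus ZUMO-API-VERSION on each API call. The HTTP transport is injectable so the flow can be exercised without network access; the endpoint, client ID, secret and resource values are placeholders.

```python
"""Added example: client-credentials caller for an App Service API behind
App Service Authentication. Transport and clock are injectable for offline use."""
import json
import time
import urllib.parse
import urllib.request


class AadClientCredentials:
    def __init__(self, token_endpoint, client_id, client_secret, resource,
                 transport=None, clock=time.time):
        self.token_endpoint = token_endpoint   # step 8's OAuth 2.0 token endpoint
        self.client_id = client_id             # step 7's Client ID
        self.client_secret = client_secret     # step 7's Key
        self.resource = resource               # the App ID URI / resource the token is for
        self._transport = transport or self._urllib_transport
        self._clock = clock
        self._token = None
        self._expires_on = 0

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        """Real HTTP; returns (status, response text)."""
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()

    def token_request_body(self) -> bytes:
        return urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "resource": self.resource,
        }).encode()

    def access_token(self, refresh_margin=300) -> str:
        """Reuse the cached token until refresh_margin seconds before expires_on."""
        if self._token and self._clock() < self._expires_on - refresh_margin:
            return self._token
        status, text = self._transport(
            "POST", self.token_endpoint,
            {"Content-Type": "application/x-www-form-urlencoded"}, self.token_request_body())
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {text}")
        payload = json.loads(text)
        if payload.get("token_type") != "Bearer":
            raise RuntimeError(f"unexpected token_type {payload.get('token_type')!r}")
        self._token = payload["access_token"]
        self._expires_on = int(payload["expires_on"])  # v1 endpoint returns epoch seconds as a string
        return self._token

    def get(self, url: str):
        """GET the protected endpoint; ZUMO-API-VERSION may be a header instead of a query parameter."""
        headers = {"Authorization": "Bearer " + self.access_token(),
                   "ZUMO-API-VERSION": "2.0.0"}
        return self._transport("GET", url, headers, None)


if __name__ == "__main__":
    client = AadClientCredentials(
        "https://login.microsoftonline.com/<tenant>/oauth2/token",  # placeholder
        "<client-id>", "<client-secret>", "<resource>")
    print(client.get("https://MyMobileApp.azurewebsites.net/api/values"))
```

A 401 from App Service Authentication with a token that decodes fine usually means the token's aud is not the AD app's client ID or App ID URI, i.e. the resource parameter was wrong; the diagnostics logging described above shows which check failed.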
