I've set up my Azure AD in the portal, and an App Service that uses the AD to authenticate, following instructions from Microsoft.
I've made a .NET Core app that uses this authorisation. It works on my localhost, but when I publish it I get this error:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '614f66a9-xxxx-483a-8bc7-xxxxxxx'
What should I change, and how come it works locally but not when published?
This is the current configuration of the app:
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "lmyName.onmicrosoft.com",
    "TenantId": "******-ebd5-40d8-829b-*********",
    "ClientId": "*****-8eef-483a-8bc7-********",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Warning"
    }
  }
}
When I followed the online instructions I was directed to configure the App Service in the portal to use the reply URL: /.auth/login/aad/callback
Could that be the same as CallbackPath?
For your case, you can change your reply URL in the AAD Application to <YourApplicationURL>/signin-oidc.
NOTE: The base address in the Sign-on URL and Logout URL settings is http://localhost:port.
This localhost address allows the sample app to run insecurely from your local system. Port is the default port for the Kestrel server. Update the reply URL in your AAD Application if you configure the app for production use (if you publish your app to Azure Web App service).
For example, https://yourapp.azurewebsites.net/signin-oidc or https://www.contoso.com/signout-oidc
You can also refer to this Sample to Integrate Azure AD into an ASP.NET Core web app.
Please let me know if it helps!
I have created a Blazor application that calls a Web API (.NET) and uses Azure AD B2C for authentication. This works fine on my local machine. I can authenticate via the login screen and call the relevant endpoint. Once I deploy the application to Azure I get this error in the browser:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user
Failed to load resource: the server responded with a status of 401 (Unauthorized)
On the Blazor (UI) side I have this set up:
"AzureAd": {
  "Authority": "https://CarehomeRoomBookingTest.b2clogin.com/CarehomeRoomBookingTest.onmicrosoft.com/B2C_1_SignUpIn",
  "ClientId": "77##############################",
  "ClientSecret": "99#########################",
  "ValidateAuthority": false
}
On the Web API side I have this set up:
"AzureAdB2C": {
  "Instance": "https://CarehomeRoomBookingTest.b2clogin.com",
  "ClientId": "16#############################",
  "Domain": "CarehomeRoomBookingTest.onmicrosoft.com",
  "SignedOutCallbackPath": "/signout/B2C_1_susi_reset_v2",
  "SignUpSignInPolicyId": "B2C_1_SignUpIn",
  "TenantId": "38#############################"
}
Why would this be happening when the application is deployed and hosted on Azure?
Please check if any of the below is your case:
1. See if the scope for your API that your front-end app needs to use is correct. This way it will get an access token which is meant for your API. Register a scope for your API app registration through the Expose an API section and use the scope in your front-end app,
and grant admin consent:
Your scopes will be present this way
Please make sure to include the scopes exposed in the portal for your backend API in the auth in your code.
Also please check if you have given proper permissions or if use of delegated permissions is the issue. See
getting-401-unauthorized-error-StackOverflow
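As an added example (not code from the answer above or from the Microsoft.Identity.Web samples), here are both halves of the scope check the answer describes: the front end requests the API's exposed scope, and the API refuses tokens that lack it. The scope name, the "AzureAdB2C" section name on the front end, and the API route are assumptions.

```csharp
// Added example (not code from the original posts): both halves of the scope
// check the answer describes. The scope name, config section names and API
// route are assumptions; take the real scope from the API registration's
// Expose an API blade.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

public static class ScopeSetup
{
    // Assumed: the scope as exposed by the Web API app registration.
    public const string ApiScope =
        "https://CarehomeRoomBookingTest.onmicrosoft.com/api/access_as_user";

    // Front end: sign in with B2C and request the API scope, so the access
    // token is issued for the API (aud = API client id, scp = access_as_user)
    // rather than for the front end itself.
    public static void ConfigureFrontEnd(IServiceCollection services, IConfiguration config)
    {
        services.AddMicrosoftIdentityWebAppAuthentication(config, "AzureAdB2C")
            .EnableTokenAcquisitionToCallDownstreamApi(new[] { ApiScope })
            .AddInMemoryTokenCaches();
    }

    // Web API: validate incoming bearer tokens against the same B2C settings.
    public static void ConfigureApi(IServiceCollection services, IConfiguration config)
    {
        services.AddMicrosoftIdentityWebApiAuthentication(config, "AzureAdB2C");
    }
}

// [Authorize] alone yields the 401 from the question when no valid token is
// sent; the scope check rejects (403) a token that is valid for the API but
// does not carry the scope, instead of letting it through.
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class BookingsController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        HttpContext.VerifyUserHasAnyAcceptedScope("access_as_user");
        return Ok(new { user = User.Identity?.Name });
    }
}
```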
I'm trying to authenticate with Microsoft Graph 2 using ASP.NET Core (MVC).
The AzureAd settings:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "common",
  "CallbackPath": "/signin-oidc"
}
The site url is like
https://mysite
Then I was redirected to the login url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?...
but the redirect_uri, in the URL parameters, does not use https:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=****&redirect_uri=http%3A%2F%2Fmysite%2Fsignin-oidc
I was trying to force the use of HTTPS but I can't find it.
Update:
The application is deployed in Linux.
Any suggestion?
Adding this in the Dockerfile:
ENV ASPNETCORE_FORWARDEDHEADERS_ENABLED=true
works for me, as in the link in Anand's comment.
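As an added example (not code from the original post), this is the explicit equivalent of ASPNETCORE_FORWARDEDHEADERS_ENABLED=true: the forwarded-headers middleware is what makes Request.Scheme read "https" behind a TLS-terminating proxy, so the OIDC handler builds an https redirect_uri. It assumes a Startup class and a proxy that sets X-Forwarded-Proto; the method names are mine.

```csharp
// Added example (not code from the original post): the explicit equivalent of
// ASPNETCORE_FORWARDEDHEADERS_ENABLED=true. Assumes a Startup class in an
// ASP.NET Core app behind a TLS-terminating proxy (Linux App Service,
// Application Gateway) that sets X-Forwarded-Proto.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public partial class Startup
{
    public void AddForwardedHeaders(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Take scheme and client address from the proxy's headers; Request.Scheme
            // then reads "https" and the OIDC handler builds redirect_uri with https.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // The environment variable clears these as well. By default only loopback
            // proxies are trusted; clear the lists only when the proxy is the sole route
            // to the app and strips client-supplied X-Forwarded-* headers, otherwise
            // add the proxy addresses to KnownProxies / KnownNetworks instead.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });
    }

    public void UseProxyAwarePipeline(IApplicationBuilder app)
    {
        // Order matters: this must run before anything that reads Request.Scheme,
        // in particular UseHttpsRedirection and UseAuthentication.
        app.UseForwardedHeaders();
        app.UseHttpsRedirection();
        app.UseAuthentication();
        app.UseAuthorization();
    }
}
```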
I'm trying to adapt the configuration of the ITfoxtec sample application TestWebAppCore from
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
to use a SAML-configured Enterprise Application on Azure AD.
In appsettings.json I configured "IdPMetadata" with the metadata URL for the Enterprise Application in Azure AD, of this kind: "https://login.microsoftonline.com/9...3/federationmetadata/2007-06/federationmetadata.xml?appid=c..."
and I have not changed the other lines:
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
"SigningCertificatePassword": "!QAZ2wsx",
//"SignatureValidationCertificateFile": "xxx.cer",
"CertificateValidationMode": "None", // "ChainTrust"
"RevocationMode": "NoCheck"
What is the "right" configuration that must be applied in the sample web app and in the Azure AD SAML configuration panel ("Azure AD-side")? In Azure AD SAML, specifically for the configuration items:
Reply URL (Assertion Consumer Service URL), I tried "https://localhost:44306/"
and
Sign on URL: I tried "https://localhost:44306/Auth/AssertionConsumerService"
but even after a "Login" (with my Azure credentials) the "user's Claims" are not visible in the Home Page of the web application.
Thanks all.
Now I have fixed my implementation of the "TestWebAppCore" sample in ITfoxtec.Identity.Saml2.
These are the settings in the Azure AD administration console:
Identifier (Entity ID): itfoxtec-testwebappcore
Reply URL (Assertion Consumer Service URL):
https://localhost:44306/Auth/AssertionConsumerService
Sign on URL, Relay State and Logout Url not configured.
And these are the configurations in appsettings.json:
"Saml2": {
  "IdPMetadata": "https://login.microsoftonline.com/9...3/federationmetadata/2007-06/federationmetadata.xml?appid=c...8",
  "Issuer": "itfoxtec-testwebappcore",
  "SingleSignOnDestination": "https://login.microsoftonline.com/9...3/saml2",
  "SingleLogoutDestination": "https://login.microsoftonline.com/9...3/saml2",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
  "SigningCertificatePassword": "!QAZ2wsx",
  "CertificateValidationMode": "None", // "ChainTrust"
  "RevocationMode": "NoCheck"
}
I compiled with .NET 5.0.
Note that in AuthController.cs I have commented out the line
NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" },
otherwise the user name presented in the "Secure" page is an ID (in "persistent" format) and not the username with email. As an alternative, it is possible to replace the line with this one:
NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" },
Another good example that uses the same ITfoxtec SAML identity library is this one:
https://github.com/nickgamb/Okta_SAML_Example (see also the article https://developer.okta.com/blog/2020/10/23/how-to-authenticate-with-saml-in-aspnet-core-and-csharp).
I have a .NET Core MVC application. I have implemented OAuth authentication with Azure AD for my web app.
From localhost it is working as expected, but from the Azure Web App it's failing to redirect to the path after successful OAuth authentication.
FYI, I am accessing the application via AppGateway
I am using the following code block for OAuth authentication.
Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
    services.AddControllersWithViews(options =>
    {
        // Require an authenticated user for every controller action.
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });
}
appsettings.json:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
  "ClientId": "567f20e2-eb4f-4a1b-8fe6-ff1d76be8ec0",
  "TenantId": "ea80952e-xxxx-xxxx-xxxx-5457852b0f7e"
},
I tried to define the redirect URL in the Azure App registration blade, but the defined values are not picked up by the app.
Azure App registration redirect url
Can someone help me resolve this issue?
Attached screenshot for your reference.
Screenshot of error response after successful authentication
To deal with this kind of problem, you can try a general solution:
When you visit the application URL, you will be redirected to the login page. Decode the authorization request URL; you will find redirect_url. Copy the value of redirect_url, paste it into the Azure portal, and try again.
I am following the Azure AD B2C auth example, which runs fine locally after changing appsettings.json to my web app tenant/app. When I publish to Azure the home web page opens, but on pressing Login I don't get to the authorisation window; Fiddler shows:
redirect_uri_mismatch
AADB2C90006: The redirect URI
'https://webappname.azurewebsites.net/signin/B2C_1_mysigninoutpolicy' provided in the request is not registered for the client id 'xxxxxxxx'.
The user flow policies are registered:
I think this setup is b2login.com compliant.
a) I create tenant and register the app in portal. At the tenant:
Azure AD B2C resource name (tenant): tenantName.onmicrosoft.com
I set App Registration->Reply URL https://webappname.azurewebsites.net/signin-oidc
Also on App Registration->Add ID URI (optional): I left it blank
Native client: No
b) At my subscription level (not tenant) Azure portal, the published app settings:
app URL: https://webappname.azurewebsites.net
Configuration->Application settings: shows WEBSITE_NODE_DEFAULT_VERSION and I've added ASPNETCORE_ENVIRONMENT with value "Production".
At the project's appsettings.json, the settings are:
"Instance": "https://tenantName.b2clogin.com",
"ClientId": "XXXXXX",
"ClientSecret": "XXXXX",
"Domain": "tenantName.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1_mysigninoutpolicy",
"SignUpSignInPolicyId": "B2C_1_mysigninoutpolicy",
"ResetPasswordPolicyId": "B2C_1_myresetpolicy",
"EditProfilePolicyId": "B2C_1_myeditprofilepolicy", // Optional profile editing policy
"CallbackPath": "/signin/B2C_1_mysigninoutpolicy"
The example doesn't use "Tenant" so I left it out?
I tried uncommenting the example's CallbackPath but got the same error:
//"CallbackPath": "/signin/B2C_1_sign_up_in" // defaults to /signin-oidc
I restarted the web app and waited a couple of minutes each time I've tested. I browse to test at https://webappname.azurewebsites.net
Thank you for your help
The redirect URI in the application registration must match the callback path in the application configuration.
In the above question, the redirect URI is set to /signin-oidc but the callback path is set to /signin/B2C_1_mysigninoutpolicy, which results in the redirect_uri_mismatch error response.
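As an added example (not code from any of the answers above), the console program below reproduces the check behind the "decode the authorization request URL" advice and the reply URL / CallbackPath rule: it extracts redirect_uri from an authorize URL and compares it, scheme, host, port and path, with the reply URLs registered for the app, naming which part differs. The sample URLs are constructed from this page (the http://mysite case and a localhost entry); HttpUtility comes from System.Web.

```csharp
// Added example (not code from the original posts): redo the comparison Azure AD
// makes between the authorize request's redirect_uri and the registered reply
// URLs, and name the mismatch. Sample URLs are constructed; HttpUtility is System.Web.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
public static class RedirectUriCheck
{
    // Pull the URL-encoded redirect_uri out of an authorize request URL.
    public static string ExtractRedirectUri(string authorizeUrl)
    {
        var query = HttpUtility.ParseQueryString(new Uri(authorizeUrl).Query);
        return query["redirect_uri"] ?? string.Empty;
    }

    // Scheme, host, port and path must all match (host case-insensitive, path ordinal).
    static bool SameUri(Uri a, Uri b) =>
        a.Scheme == b.Scheme && a.Port == b.Port && a.AbsolutePath == b.AbsolutePath
        && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase);
    // Returns null when a registered reply URL matches, otherwise the likely reason(s).
    public static string Diagnose(string requested, IEnumerable<string> registered)
    {
        if (!Uri.TryCreate(requested, UriKind.Absolute, out var req))
            return "redirect_uri is not an absolute URL";
        var regs = registered.Select(r => new Uri(r)).ToList();
        if (regs.Any(r => SameUri(r, req))) return null;
        var hints = new List<string>();
        foreach (var r in regs)
        {
            bool sameHost = string.Equals(r.Host, req.Host, StringComparison.OrdinalIgnoreCase);
            bool samePath = r.AbsolutePath == req.AbsolutePath;
            if (sameHost && samePath && r.Scheme != req.Scheme)
                hints.Add($"scheme: app built {req.Scheme}:// (proxy?), registered {r}");
            else if (sameHost && !samePath && r.Scheme == req.Scheme)
                hints.Add($"path: CallbackPath {req.AbsolutePath} vs registered {r.AbsolutePath}");
            else if (!sameHost && samePath)
                hints.Add($"host: request from {req.Host}, registered for {r.Host}");
        }
        return hints.Count > 0 ? string.Join("; ", hints) : $"nothing registered resembles {requested}";
    }

    public static void Main()
    {
        const string url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            + "?client_id=****&redirect_uri=http%3A%2F%2Fmysite%2Fsignin-oidc";
        var registered = new[] { "https://mysite/signin-oidc", "https://localhost:5001/signin-oidc" };
        Console.WriteLine(Diagnose(ExtractRedirectUri(url), registered) ?? "match");
    }
}
```

For the constructed input it reports a scheme mismatch against https://mysite/signin-oidc (the forwarded-headers case) and a host mismatch against the localhost entry; a CallbackPath of /signin/B2C_1_mysigninoutpolicy registered as /signin-oidc shows up as a path mismatch.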