ASP.NET Core MVC Azure AD Authentication Loop on Azure App Service

Stack Overflow Asked by Ricardo Márquez on November 27, 2020

I have an ASP.NET Core MVC application and I integrated Azure AD into it using the following code:

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    // Use the v2.0 endpoint of the authority and require the token issuer to be validated
    options.Authority = options.Authority + "/v2.0/";
    options.TokenValidationParameters.ValidateIssuer = true;
});

The Azure AD Configuration contains these properties:

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
    "TenantId": "<tenant-id>",
    "ClientId": "<client-id>",
    "CallbackPath": "/signin-oidc"
},
"DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read User.ReadBasic.All"
}

It all worked locally and when deployed to an Azure App Service we did not have any problems.

I needed to integrate Microsoft Graph for a new module in the Web App (I need to look up the users in specific groups of the Azure AD).

I followed the Microsoft Graph Tutorial to implement Microsoft Graph.

services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
    options.HandleSameSiteCookieCompatibility();
});

// Sign-in users with the Microsoft identity platform
string[] initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();

It all works locally, but as soon as the app is deployed into an Azure App Service the app goes into a redirect loop when the user is authenticated.

I reversed the changes to the original code and it gets fixed but then I can’t use Microsoft Graph because I do not have the access token.

I checked all the redirect URLs in the App Registration and they seem to be fine. I even included

https://<app-name>.azurewebsites.net/

in addition to

https://<app-name>.azurewebsites.net/sigin-oidc

just to be sure it wasn’t a redirect URL issue.

I thought it was the Katana bug but that seems to have been fixed in .NET Core.

I enabled HTTPS Only on the Azure App Service but the issue still persists.

Has anyone experienced something like this issue? I’ve been at it for a couple of days and I can’t solve it.

Any help is greatly appreciated.
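A diagnostic hook for the loop described in this question, added here as an example; it is not from the question, the answer or Microsoft.Identity.Web. It assumes the AddMicrosoftIdentityWebApp setup shown above and is registered after it; the class name OidcLoopDiagnostics and the logger category are my own.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
// Hypothetical helper written for this example; not part of Microsoft.Identity.Web.
public static class OidcLoopDiagnostics
{
    // Register AFTER AddMicrosoftIdentityWebApp(...) so its event handlers already exist
    // and are chained rather than replaced (replacing them breaks token acquisition).
    public static IServiceCollection AddOidcLoopDiagnostics(this IServiceCollection services)
    {
        services.AddOptions<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme)
            .Configure<ILoggerFactory>((options, loggerFactory) =>
            {
                var log = loggerFactory.CreateLogger("OidcLoopDiagnostics");
                var events = options.Events;
                var priorRedirect = events.OnRedirectToIdentityProvider;
                events.OnRedirectToIdentityProvider = async ctx =>
                {
                    // Every challenge is logged with the exact redirect_uri the app sends.
                    // It must match a reply URL on the App Registration character for character;
                    // Scheme shows whether the app sees https behind App Service's TLS termination.
                    log.LogInformation(
                        "OIDC challenge for {Path} (scheme={Scheme}): redirect_uri={RedirectUri} issuer={Issuer}",
                        ctx.Request.Path, ctx.Request.Scheme,
                        ctx.ProtocolMessage.RedirectUri, ctx.ProtocolMessage.IssuerAddress);
                    await priorRedirect(ctx);
                };
                var priorValidated = events.OnTokenValidated;
                events.OnTokenValidated = async ctx =>
                {
                    // A "token validated" line followed by another challenge for the same path
                    // means sign-in succeeded but the auth cookie is not coming back from the browser.
                    log.LogInformation("OIDC token validated for {User} at {Path}",
                        ctx.Principal?.Identity?.Name ?? "(no name claim)", ctx.Request.Path);
                    await priorValidated(ctx);
                };
                var priorFailure = events.OnRemoteFailure;
                events.OnRemoteFailure = async ctx =>
                {
                    // Correlation/state failures at the callback path surface here with their cause.
                    log.LogWarning(ctx.Failure, "OIDC callback failed at {Path}", ctx.Request.Path);
                    await priorFailure(ctx);
                };
            });
        return services;
    }
}
```

Call services.AddOidcLoopDiagnostics() right after the AddMicrosoftIdentityWebApp chain and read the lines in the App Service log stream to see which step repeats.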

One Answer

I tried publishing the Microsoft tutorial linked in the question to a new Azure App Service with a new App Registration in Azure AD.

It signed in without a problem.

After that I suspected that there might be a problem with the App Registration. I came to that conclusion because the Azure AD Registration that the MVC Web App was using was created directly in Visual Studio and not manually in the Azure Portal.

Finally, all I did was create a new App Registration in Azure AD and publish the MVC Web App with the new client secret and client id. Everything seems to work fine on the published Azure App Service.

Answered by Ricardo Márquez on November 27, 2020