
Azure AD B2C .NET Core redirects directly without showing login screen

Stack Overflow Asked by Bjorn on July 24, 2020

I’m trying to create a simple .NET Core 3.1 MVC app that requires authentication through Azure Active Directory, with B2C.

I’ve read multiple pieces of documentation, but still couldn’t get it to work. I’m able to run the user flow successfully (received info in https://jwt.ms/). However, if I’m running my application, this is what happens:

  • User clicks on link to login
  • Browser goes to: https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access%20&response_mode=form_post&nonce={long.string}&client_info=1&state={long.string2}&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
  • Browser goes to https://jwt.ms/. The fields are empty

I took an example project (with https://fabrikamb2c.b2clogin.com) to see if the problem is inside my code, or it is in Azure settings. When I do that with the example settings, I correctly see a login screen. When I switch to my own settings, the above situation occurs. So I guess it has something to do with the settings in Azure. The correct flow (so with the example settings)

I do see some differences in this URL (around the scope, for example), but can’t figure out what causes my issue. Currently thinking of permissions?

Azure settings

  • Azure Subscription 1 – out of scope
  • Azure Subscription 2
  • Azure B2C tenant, linked to azure subscription 2

Inside Azure subscription 2

  • Azure Active Directory with multiple users
  • App Service: LoginPortalAdB2C <– code deployment, currently not in use: trying to get it to work locally
  • App Registration: LoginPortal
    • Client ID: xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxxx
    • ClientSecret: yyyyyyyyyyyyyyyyyyyy-yy-yyyyyyyyyy

Inside B2C subscription (Linked to subscription 2)

  • Azure B2C: {myb2cdomain}.onmicrosoft.com
    • App Registration: LoginPortal Identity Experience
      • Client ID: aaaaaaaa-aaaa-aaa-aaaa-aaaaaaaaaaaa
      • ClientSecret: bbbbbbbbbbbbbbbb-bbbbb-bb.bbbbbbb-b
      • Redirect URI: https://jwt.ms
      • Enabled Access tokens
      • Enabled ID tokens
      • Supported account types: Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.
      • Permissions: Microsoft Graph: offline_access, openid
      • Owners: me
    • Identity providers
      • Local account
      • OpenID Connect
    • Users
      • Added myself
    • User flows
      • B2C_1_susi
        • Identity providers: Local account, OpenID
        • User Attributes
          • Email Address
          • Given name
          • Surname

I hope anyone can give me some light here…

Update:
I tried to get some more light by using Fiddler. I can see:

  • GET https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/B2C_1_susi/v2.0/.well-known/openid-configuration HTTP/1.1

With a response containing:

{
  "issuer": "https://{myb2cdomain}.b2clogin.com/{b2c-id}/v2.0/",
  "authorization_endpoint": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize",
  "token_endpoint": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/token",
  "end_session_endpoint": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/logout",
  "jwks_uri": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "idp",
    "sub",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

GET https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/discovery/v2.0/keys

Containing

{
  "keys": [
    {"kid":"{id}","nbf":1111111111,"use":"sig","kty":"RSA","e":"AQAB","n":"{long-id}"}
  ]
}

GET
https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access%20&response_mode=form_post&nonce={long.string}&client_info=1&state={long.string2}&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0

The response in text is unreadable… although when I set the response to XML, I do see some HTML here:

<html />
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Logging in...</title>
<meta name="CACHE-CONTROL" content="NO-CACHE" />
<meta name="PRAGMA" content="NO-CACHE" />
<meta name="EXPIRES" content="-1" />
</head>
<body>
<form id="auto" method="post" action="https://jwt.ms">
<div>
<input type="hidden" name="error" id="error" value="redirect_uri_mismatch" />
<input type="hidden" name="error_description" id="error_description" value="AADB2C90006: The redirect URI 'https://localhost:44316/signin-oidc' provided in the request is not registered for the client id 
...

Containing…
The redirect URI ‘https://localhost:44316/signin-oidc’ provided in the request is not registered for the client id.

Guess I’ll need to check the redirect URI’s…

One Answer

Okay... it seems to be impossible to work locally with https://jwt.ms as the redirect URL (or I simply do not know how; see also https://github.com/aspnet/Security/issues/1757).

The jwt.ms URL works great for testing the user flow, but it is not usable in production, as the appsettings value CallbackPath requires a relative path.

So... I added the Redirect URI in my B2C App registration to https://localhost:44316/signin-oidc, and.... tada! It works.

For now I added the CallbackPath to my appsettings.json, just to have it documented.

"CallbackPath": "/signin-oidc" // Default value: /signin-oidc. If changed, edit or add the matching redirect URI in the B2C App Registration

And I let my code pick it up later:

options.CallbackPath = AzureAdB2COptions.CallbackPath;

If you leave both of these lines out, it also works, as long as you specify /signin-oidc in the app registration redirect URI.

Sadly the error that occurred wasn't shown easily to the end user...

Answered by Bjorn on July 24, 2020
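To see why the request above failed before the login screen was ever rendered, the following added example (not code from the question or answer) replays the provider-side checks on the authorize URL from the question: the redirect_uri must exactly match a registered value, and response_type, response_mode and scope must be allowed by the discovery document. The registered URI set and the placeholder client_id are constructed from the question; the function name is hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed: only https://jwt.ms was registered on the B2C app when the
# AADB2C90006 error in the question occurred.
REGISTERED_REDIRECT_URIS = {"https://jwt.ms"}

# Constructed subset of the discovery document quoted in the question.
DISCOVERY = {
    "response_types_supported": ["code", "code id_token", "code token",
                                 "code id_token token", "id_token",
                                 "id_token token", "token", "token id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid"],
}

# The authorize request from the question, with placeholder values filled in.
AUTHORIZE_URL = (
    "https://myb2cdomain.b2clogin.com/myb2cdomain.onmicrosoft.com/b2c_1_susi/"
    "oauth2/v2.0/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc"
    "&response_type=code%20id_token&scope=openid%20profile%20offline_access%20"
    "&response_mode=form_post&nonce=n&state=s"
)


def check_authorize_request(url, registered_redirect_uris, discovery):
    """Return the problems a provider would reject this authorize request for."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    # Redirect URIs are compared as exact strings (scheme, host, port, path),
    # so localhost:5000 vs localhost:44316, or a trailing slash, is a mismatch.
    # This is the check that produced AADB2C90006 in the question; note the
    # provider posted the error to the *registered* URI (jwt.ms), which is why
    # the browser ended up there with empty fields.
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri not in registered_redirect_uris:
        problems.append(f"redirect_uri not registered: {redirect_uri}")
    if params.get("response_type") not in discovery["response_types_supported"]:
        problems.append(f"unsupported response_type: {params.get('response_type')}")
    # response_mode defaults to "query" when absent from the request.
    mode = params.get("response_mode", "query")
    if mode not in discovery["response_modes_supported"]:
        problems.append(f"unsupported response_mode: {mode}")
    # scope is space-separated; a trailing space (as in the question) is harmless.
    if "openid" not in params.get("scope", "").split():
        problems.append("scope must include openid for an OpenID Connect request")
    return problems
```

Registering the exact callback (scheme, host, port and path) clears the first problem, which matches the fix in the answer.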
