An ASP.NET Core Web App which signs in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and calls Web APIs (including Microsoft Graph)
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
At “Creating the client web app (TodoListClient)”: The list starts with “option 2”, without any other options presented. Seems like it could be deleted.
At “Add a model (TodoListItem) and add the controller and views”: Item 7 seems like a duplicate of item 5 in the previous list.
At “Creating the Web API project (TodoListService) > Modify the startup.cs … > Step 2” we add the line “.AddProtectedApiCallsWebApis(Configuration, new string[] { Configuration["TodoList:TodoListScope"] })”. But nowhere is "TodoList:TodoListScope" configured for the TodoListService.
I think a description of the purpose of “AddProtectedApiCallsWebApis” would be beneficial, much like it is for AddProtectWebApiWithMicrosoftIdentityPlatformV2. When I first read the guide, I believed that the purpose of AddProtectedApiCallsWebApis was to assert that callers had access to the given scope.
Then the (possible) bug part
Even if the "TodoList:TodoListScope" is added to the service, I get an exception when navigating to the todolist in the client, which seems to indicate that the TodoListService should have a clientSecret configuration, or that AddProtectedApiCallsWebApis is doing something it should not.
Lastly, the TodoListService is configured with both AddProtectWebApiWithMicrosoftIdentityPlatformV2 and AddProtectedApiCallsWebApis. Both of these set JwtBearerOptions.Events.OnTokenValidated, of which the last overrides the first. Is this intended?
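One way to keep both handlers instead of letting the second assignment overwrite the first, added here as an example rather than code from the tutorial; it also shows the scope check the report above expected the scope parameter to perform. The claim types, the `RequireScope` helper and the configuration key usage are assumptions, not the library's API.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;

// Added example, not code from the tutorial. JwtBearerEvents.OnTokenValidated holds a
// single delegate, so an extension method that assigns it replaces whatever a previous
// one installed. Composing the delegates keeps every check in the chain.
public static class JwtBearerEventsExtensions
{
    // Claim types under which ASP.NET Core may surface the "scp" claim of an access token.
    private static readonly string[] ScopeClaimTypes =
    {
        "http://schemas.microsoft.com/identity/claims/scope",
        "scp",
    };

    public static void ChainOnTokenValidated(
        this JwtBearerEvents events,
        Func<TokenValidatedContext, Task> next)
    {
        var previous = events.OnTokenValidated; // the default is a no-op, but guard anyway
        events.OnTokenValidated = async context =>
        {
            if (previous != null)
            {
                await previous(context);
            }
            // Stop if an earlier handler already rejected the token.
            if (context.Result?.Failure != null)
            {
                return;
            }
            await next(context);
        };
    }

    // Fails the request unless the validated access token carries `requiredScope`.
    public static void RequireScope(this JwtBearerEvents events, string requiredScope)
    {
        if (string.IsNullOrWhiteSpace(requiredScope))
        {
            throw new ArgumentException("A scope is required.", nameof(requiredScope));
        }

        events.ChainOnTokenValidated(context =>
        {
            var granted = context.Principal?.Claims
                .Where(c => ScopeClaimTypes.Contains(c.Type))
                .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                ?? Enumerable.Empty<string>();

            if (!granted.Contains(requiredScope, StringComparer.Ordinal))
            {
                context.Fail($"The token does not contain the required scope '{requiredScope}'.");
            }
            return Task.CompletedTask;
        });
    }
}

// Usage inside services.AddJwtBearer(options => { ... }), reading the scope the way
// the tutorial does (assumed key "TodoList:TodoListScope"):
//   options.Events = options.Events ?? new JwtBearerEvents();
//   options.Events.RequireScope(Configuration["TodoList:TodoListScope"]);
```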
Modify appsettings.json with your app registration data as shown in step 2 of the mentioned tutorial
Put a link with 'href="/AzureAD/Account/SignIn"' in any of the *.razor component files, to simulate navigation.
Run the sample and try to navigate to the SignIn link.
The navigation will fail with a blank page and you will observe the following error in the Output window in Visual Studio:
System.InvalidOperationException: 'Router' cannot find any component with a route for '/AzureAD/Account/SignIn', and no fallback is defined.
at Microsoft.AspNetCore.Components.Routing.Router.Refresh() ...
Expected behavior
It should be possible to navigate to 'AzureAd/Account/SignIn' and 'AzureAd/Account/SignOut' from within Razor Components web application.
Additional context
The sample was working correctly in Razor Components Preview 2 application.
The routing breaks after updating the sample to ASP.NET Core 3.0 Preview 3, especially replacing
```CSharp
// Since IdentityModel version 5.2.1 (or since Microsoft.AspNetCore.Authentication.JwtBearer version 2.2.0),
// PII hiding in log files is enabled by default for GDPR concerns.
// For debugging/development purposes, one can enable additional detail in exceptions by setting IdentityModelEventSource.ShowPII to true.
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
```
2. put breakpoints in the `OpenIdConnectMiddlewareDiagnostics` class (or the `JwtBearerMiddlewareDiagnostics` class in the Web API)
```CSharp
// If you want to debug, or just understand the JwtBearer events, uncomment the following line of code
options.Events = JwtBearerMiddlewareDiagnostics.Subscribe(options.Events);
```
- [ ] bug report -> please search issues before submitting
- [x] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
OS and Version?
Windows 10
Versions
Mention any other details that might be useful
So I would like to scaffold the AccountController to be able to check if the user logged in through Azure AD exists in my local database and create it if not. I would like to integrate my local user database with Azure AD. Thanks!
- [ ] bug report -> please search issues before submitting
- [X] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
When I try to change the redirect URL in the project in the Application Registration Portal, I receive an error that the redirect URL doesn't match.
Any log messages given by the failure
The text of the message is: "Message: AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '...'."
Expected/desired behavior
I have my project but I need to integrate this with Microsoft Authentication.
OS and Version?
Windows 10
Versions
Enterprise
Mention any other details that might be useful
I was working with Visual Studio 2017 and .Net Core 2.0
Thanks! We'll be in touch soon.
I'm working through the example and receive the following when running. I updated the TenantID, ClientID, and Domain to match the example tenant. I'm working behind a corporate HTTP proxy; could this be related or should I look elsewhere? If so, is there a way to set proxy flags in this example?
After hosting the given sample code by configuring the AAD, the normal authentication flow works fine when we type the URL in the browser window directly.
But when we open the application URL from Microsoft Word, we get the exception: Correlation failed.
Below are the steps to reproduce the issue:
Copy and paste the sample code's hosted URL into Microsoft Word.
Next, click on the URL from Microsoft Word; then we get the below exception on the AAD authentication.
Raw Exception Details:
System.Exception: Correlation failed.
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Session.SessionMiddleware.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Session.SessionMiddleware.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.d__7.MoveNext()
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
OS and Version?
Any
Versions
Any
Mention any other details that might be useful
For me it is absolutely unclear how to implement APIs right now. Right now I would say the documentation is a big pain for me.
Our scenario is an internal single page application. This SPA communicates with different internal ASP.NET Core APIs.
So we only have internal users and we only have internal applications. We don't need any challenge to ask the user for consent.
We already spent over two weeks in the documentation and in samples. We found a lot of obsolete stuff in the docs, references to archived GitHub repos and samples with obsolete NuGet packages.
At the end my question is still: what is the correct configuration of an internal API-based system, without consent? :-)
We don't want to show 17 consents to internal users because we have 17 applications.
I also tried to migrate this sample into an API.
But I always run into the event OnRedirectToIdentityProvider, and I don't know why.
```CSharp
if (issuerValidators.ContainsKey(aadAuthority))
```
Will always be false because aadAuthority is the full Uri path and not just the host. Assuming the issuer should be unique based on the full Uri path, the key should contain the full Uri path when calling: issuerValidators.Add(authority, issuerValidator);
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Click on the link in this paragraph:
"This is the fifth chapter of a set of tutorials. Once you understand how to receive the group memberships in a user's claims, you can try the sample Add authorization using app roles & roles claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform to learn about how to use the App roles in an app using the Microsoft Identity Platform to authenticate users."
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [x] regression (a behavior that used to work and stopped in a new release)
Login with a user with many groups (in my case 120 including nested groups)
(Cookie 6 chunks #toomany)
Any log messages given by the failure
The connection is not secure after logging in and being redirected to the site.
Expected/desired behavior
When the groups claims are too large for the header they should be removed.
I don't know if this should be done in Azure AD or in Microsoft.Identity.Client or Microsoft.Identity.Web.
In previous situations there was a claim with the value getMemberObjects when the user had too many groups. In this situation you should get the groups through the Graph API.
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Download active-directory-dotnet-webapp-openidconnect-aspnetcore
Change Domain,TenantId & ClientId in appsettings.json
Run application = Works
Download active-directory-aspnetcore-webapp-openidconnect-v2-aspnetcore2-2
Change Domain,TenantId & ClientId in appsettings.json
Run application = Fails
Any log messages given by the failure
Sign in
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '9999999-9999-9999-9999-999999999999'.
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
I have this project working fine locally without any changes. However, I'm trying to host this application in an AKS cluster, and after logging in I'm getting an error. I've tried adding any URLs I could think of to the redirect URL, but none are working.
Any log messages given by the failure
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
Expected/desired behavior
Login and redirect to home page as is done locally
OS and Version?
Windows 10 - Azure AKS
Versions
Mention any other details that might be useful
I was trying to use this to authenticate users into my application when hosted in AKS. Is there a better practice?
I'm not able to capture the request_url via network traffic. But it appears the base URL is http and not https. I'm unable to add http URLs to the app reply URLs.
- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
If I restart my app service I can log in just fine. Over time though when I visit the website I'm prompted for my credentials, I authenticate, then the page redirects back and forth between the 'authorize' endpoint at login.microsoftonline.com and my own signin-oidc endpoint. It does this for about 1 minute then stops.
Any log messages given by the failure
No log messages that I can see at all other than when the login loop times out (after 1 minute) I get "We couldn't sign you in".
OS and Version?
Windows 10 dev machine. Remote server is running in Azure under an app service plan.
The instructions provided in the landing page do not match the current UI for the Azure Portal. For example, step 5:
In the list of pages for the app, select Authentication.
In the Redirect URIs, add a redirect URL of type Web and valued https://localhost:44321/signin-oidc
In the Advanced settings section set Logout URL to https://localhost:44321/signout-oidc
In the Advanced settings | Implicit grant section, check ID tokens as this sample requires the Implicit grant flow to be enabled to sign-in the user.
There is a Redirect URI section, I think, but it's called Reply URLs, and the interface does not match the description there, either.
This ongoing disconnect between the state of the released Azure Portal and virtually all of GitHub and Microsoft documentation is both annoying and disturbing. Annoying because it makes the learning curve much steeper than it should be, and disturbing because it smacks of an approach to software development that has abandoned even a reasonable degree of quality control. Frankly, the level of disconnect in evidence is far higher than almost any other open source code base I deal with...and I had sort of hoped that Microsoft, and Microsoft-led projects, would demonstrate a commitment in these areas higher than the norm, not below it.
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
two questions:
Where is the "AccountController" with Area "AzureAd" and "SignOut"; how do we change the logout path?
We are getting this error: "No account or login hint was passed to the AcquireTokenSilent call"
when calling var users = await graphClient.Users.Request().GetAsync();
Error Details :
at Microsoft.Identity.Client.AcquireTokenSilentParameterBuilder.Validate()
at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ValidateAndCalculateApiId()
at Microsoft.Identity.Client.AbstractClientAppBaseAcquireTokenParameterBuilder`1.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ExecuteAsync()
at Microsoft.Identity.Web.Client.TokenAcquisition.GetAccessTokenOnBehalfOfUser(IConfidentialClientApplication application, String accountIdentifier, IEnumerable`1 scopes, String loginHint, String tenant) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\Microsoft.Identity.Web\Client\TokenAcquisition.cs:line 372
at Microsoft.Identity.Web.Client.TokenAcquisition.GetAccessTokenOnBehalfOfUser(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable`1 scopes, String tenant) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\Microsoft.Identity.Web\Client\TokenAcquisition.cs:line 342
at Microsoft.Identity.Web.Client.TokenAcquisition.GetAccessTokenOnBehalfOfUser(HttpContext context, IEnumerable`1 scopes, String tenant) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\Microsoft.Identity.Web\Client\TokenAcquisition.cs:line 180
at WebApp_OpenIDConnect_DotNet.Controllers.HomeController.<>c__DisplayClass5_0.<b__0>d.MoveNext() in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\5-WebApp-AuthZ\5-1-Roles\Controllers\HomeController.cs:line 63
--- End of stack trace from previous location where exception was thrown ---
at WebApp_OpenIDConnect_DotNet.Services.CustomAuthenticationProvider.AuthenticateRequestAsync(HttpRequestMessage request) in D:\dev\Demo\microsoft-identity-platform-aspnetcore-webapp-tutorial\5-WebApp-AuthZ\5-1-Roles\Services\GraphServiceClientFactory.cs:line 30
at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
Is it possible to detect if an account is sovereign, and then redirect the URL/host to a node that is running in the same environment?
E.g. if my global server is "GlobalRelyingParty.com", and I have something deployed in "GermanyRelyingParty.com", then I would 302 redirect (or something) to that instance. Similar behavior would occur in the opposite direction for a global user who mistakenly uses the Germany (perhaps default) provider.
It seems to be similar to the discovery process used for LiveID vs AAD, where there is a background JSON lookup that occurs in the MSAL login flow.
Need admin approval
ADPdaSsoWebApp
ADPdaSsoWebApp needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
Why do I need admin to grant access? Is there a way around?
When logging out of the web app, I'm still getting the account selection screen even though the login_hint parameter is in the URL with the correct value. How do I skip the account selection screen and log out right away?
I apologize for asking this here, but I've been struggling with this for quite a while and have asked on StackOverflow and have gotten nowhere :(
I have a question related to the cacheprovider implementations and scopes.
The sample library includes a number of XXXTokenCacheProvider implementations, e.g., MSALAppSqlTokenCacheProvider. None of these consider scopes when defining a cache key, and I have been wondering if that is the intended "MSAL-way" of doing it.
Consider this case:
I would like for my Web App to access two different APIs using the on-behalf-of flow.
To this end, I acquire an access token for the first API using scope "A" via ITokenAcquisition.GetAccessTokenOnBehalfOfUser, caching it in the process. Then, I acquire an access token for the second API using scope "B", again using ITokenAcquisition.GetAccessTokenOnBehalfOfUser but with the new scope. This results in a cache-hit returning the old token for scope "A" ... which I expect would result in an error if sent to the second API.
I realize that we pass the scope along when invoking GetAccessTokenOnBehalfOfUser, which means it would be possible to compare scopes in the request and the cached token, and get a new token in case the existing token lacks some of them. However, I cannot find such a comparison anywhere in Microsoft.Identity.Web nor in Microsoft.Identity.Client.
The question then is this: How is the situation above resolved, such that the second token contains the second scope? I will accept "somewhere in Microsoft.Identity.Client" as an answer :)
I also realize that I could request both scopes initially, but the use case detailed above should be supported, right?
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Execute the following command: dotnet new mvc --auth SingleOrg --client-id <client_id>
Any log messages given by the failure
No failure, but there is no Extensions\AzureAdAuthenticationBuilderExtensions.cs file.
Expected/desired behavior
There should be instructions that guide us through the installation with the latest framework
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Configuring per the documentation causes a localhost debug run to fail during authentication
Mention any other details that might be useful
The README.md under the section "Step 1: Register the sample with your Azure AD tenant" states port 5000. The actual configuration in Properties/launchSettings.json is using port 3110.
I considered making the change and creating a PR, but didn't know which port number you would like to use. Let me know and I can make this change.
How about showing us how you created the Visual Studio Solution itself, or am I missing something? What the community really needs is an example that demonstrates how to create a Web Application in Visual Studio and get it to authenticate with OAuth, then finally add RBAC to that sample application as well. Downloading an already created Web Application = "magic" in order to make this stuff work.
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
I'm looking to extend this behavior to call a web API I created and hosted in Azure. You allude to how this can be done, but what I've done is not working. Could you provide a guide on how to do that? I've created a default web API that is protected to my organization. It has an exposed scope. I gave access for this application to call the API with a secret key. I tried updating the scope to be the same as the exposed API, but I'm getting errors that my scope is invalid. I expected that after granting access to the API, I would get another accept-permission dialog.
Any log messages given by the failure
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope user_impersonation openid offline_access profile is not valid. The scope format is invalid. Scope must be in a valid URI form https://example/scope or a valid Guid <guid/scope>.
Expected/desired behavior
Able to call a protected web api
- [ ] bug report -> please search issues before submitting
- [x] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
It's about adding a phase 1.5 to the tutorial to show how to sign-in users with social identities or local identities with Azure AD B2C
In the library, add a StartupB2Helper.cs file containing a StartupB2CHelpers class similar to StartupHelpers providing the method public static IServiceCollection AddAzureAdB2CAuthentication(this IServiceCollection services, IConfiguration configuration) which would:
- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
application.GetAccountAsync(accountIdentifier) returns null and as such a MsalException is thrown saying that the account cannot be null when calling AcquireTokenSilentAsync
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
The issue was found for the following scenario:
Please add an 'x' for the scenario(s) where you found an issue
It appears that token caches are never cleared entirely. I have marked this issue as related to 2-1-Call-MSGraph, but the issue is really with the token caches in general (2-1 is just the first using a cache) or perhaps TokenAcquisition.
However, app.RemoveAsync results in UserTokenCacheAfterAccessNotification being invoked with correct AccountId but an almost empty token cache, resulting in the token cache being persisted again with a useless token!?
Repro steps
Simply run 2-1 with breakpoint in Clear and UserTokenCacheAfterAccessNotification, and then log out.
Expected behavior
Tokens are deleted on logout
Actual behavior
(nearly) Empty token remains
Possible Solution
I believe the two methods should be invoked in reverse order, or we need some way to identify these "empty" tokens in the cache providers, so that we can avoid persisting them.
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Change appsettings.json to set tenantId to a GUID (to have a tenanted authority). This only repros with a single-tenant app.
Sign in to the app with a guest user
try to call Contact
Any log messages given by the failure
There is an infinite loop
Expected/desired behavior
you can see the information about the signed-in user
OS and Version?
Chrome
Versions
Mention any other details that might be useful
When calling the controller, the cache is empty. This is because the cache is keyed by the MSAL.id, and the computation of the MSAL.id is not right in the case of a guest user (tid and oid are the guest ones, not the home tenant information).
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Run the multiorg dotnet CLI command to generate a project.
Any log messages given by the failure
Creates wrong appsettings.json
Expected/desired behavior
Should use multiorg.
OS and Version?
N/A
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
When trying to authenticate via an app that is not multitenant, and which in my case restricts the users that can sign in to only one tenant (which I specified already as TenantId in the appsettings.json) an MsalException is thrown.
Any log messages given by the failure
AADSTS50194: Application '[GUID]' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
Trace ID: 4a7a6b33-61b6-45fa-a3db-eb7cc3660f00
Correlation ID: d5b01030-e720-4331-ad42-45602ca6a74c
Timestamp: 2018-12-08 12:53:39Z
Expected/desired behavior
This should work without any hiccups since the appsettings.json file was configured correctly and the code seems to be correct.
OS and Version?
Windows 10
Versions
Branch aspnetcore2-2-signInAndCallGraph
Mention any other details that might be useful
Looking closer into the code, it seems that the ConfidentialClientApplication instance created in TokenAcquisition.cs line 117 does not take into account the possibility that the Authority parameter might be different than the [common] value. If taken into consideration (using appsettings.json Instance+TenantId value) the error will not appear.
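The fix the report above describes, written out as an added example rather than the tutorial's code: derive the MSAL authority from the same Instance and TenantId values the middleware reads, and reject tenant values that would silently change which issuer the app trusts. It assumes MSAL.NET's `ConfidentialClientApplicationBuilder` API; the class and method names are mine.

```csharp
using System;
using Microsoft.Identity.Client;

// Added example, not the tutorial's code. A single-tenant registration rejects the
// /common authority (AADSTS50194), so the confidential client must use the tenanted
// authority that the OpenID Connect sign-in used.
public static class ConfidentialClientFactory
{
    private static readonly string[] WellKnownTenants = { "common", "organizations", "consumers" };

    // e.g. instance "https://login.microsoftonline.com/", tenantId "<tenant guid>"
    //   -> "https://login.microsoftonline.com/<tenant guid>/"
    public static string BuildAuthority(string instance, string tenantId)
    {
        if (string.IsNullOrWhiteSpace(instance)
            || !Uri.TryCreate(instance, UriKind.Absolute, out var instanceUri)
            || instanceUri.Scheme != Uri.UriSchemeHttps)
        {
            throw new ArgumentException("Instance must be an absolute https URL.", nameof(instance));
        }

        var tenant = (tenantId ?? string.Empty).Trim().Trim('/');

        // Accept a tenant GUID, a verified domain name, or one of the multi-tenant aliases.
        bool wellFormed = Guid.TryParse(tenant, out _)
            || Array.IndexOf(WellKnownTenants, tenant.ToLowerInvariant()) >= 0
            || (tenant.IndexOf('.') >= 0 && tenant.IndexOf('/') < 0);
        if (!wellFormed)
        {
            throw new ArgumentException(
                "TenantId must be a GUID, a verified domain, or common/organizations/consumers.",
                nameof(tenantId));
        }

        return $"{instance.TrimEnd('/')}/{tenant}/";
    }

    public static IConfidentialClientApplication Create(
        string clientId, string clientSecret, string instance, string tenantId, string redirectUri)
    {
        return ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            // Same authority as the sign-in, so the cached account's tenant matches the
            // endpoint used for the silent token request.
            .WithAuthority(new Uri(BuildAuthority(instance, tenantId)))
            .WithRedirectUri(redirectUri)
            .Build();
    }
}
```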
- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
The issue was found for the following scenario:
Please add an 'x' for the scenario(s) where you found an issue
Hello, I'm here to seek help about a problem I have with an application derived from 1-WebApp-OIDC/1-1-MyOrg. I try to execute it on a server behind a reverse proxy.
The reverse proxy listens for HTTPS requests but forwards the request to the app as HTTP, so when the app tries to call the Azure API it has http://example.com in the request_uri parameter instead of https://example.com, so I get the error message "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application".
As you know, we can't set an HTTP domain in AzureAD reply URLs.
I tried to force https by writing request.scheme or editing Microsoft.Identity.Web/Client/TokenAcquisition.cs line 269 by forcing https; but neither works.
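The usual fix for this report and for the AKS report earlier on this page, added here as an example rather than the tutorial's code: let the app honour the proxy's X-Forwarded-Proto header, restricted to the proxy's address or network, before the authentication middleware computes the redirect URI. The helper names and the sample network are assumptions.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Added example, not the tutorial's code. Behind a TLS-terminating reverse proxy or
// Kubernetes ingress the app receives plain HTTP, so Request.Scheme is "http" and the
// OpenID Connect handler builds an http://... redirect URI that Azure AD rejects with
// AADSTS50011. Applying the proxy's X-Forwarded-Proto restores the https scheme.
public static class ForwardedHeadersSetup
{
    public static IServiceCollection AddProxyAwareScheme(
        this IServiceCollection services, IPAddress proxyAddress = null, IPNetwork proxyNetwork = null)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;

            // Trust the forwarded headers only from the proxy itself. With an open list, a
            // client that can reach the app directly could claim any scheme or source address.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            if (proxyAddress != null)
            {
                options.KnownProxies.Add(proxyAddress);   // a fixed proxy host
            }
            if (proxyNetwork != null)
            {
                options.KnownNetworks.Add(proxyNetwork);  // e.g. the cluster's ingress subnet
            }
        });
        return services;
    }

    // Call in Startup.Configure before UseAuthentication(): the redirect URI is built from
    // Request.Scheme when the challenge is issued, so the order matters.
    public static IApplicationBuilder UseProxyAwareAuthentication(this IApplicationBuilder app)
    {
        app.UseForwardedHeaders();
        app.UseAuthentication();
        return app;
    }
}

// Startup usage with a constructed ingress network (replace with your own):
//   services.AddProxyAwareScheme(proxyNetwork: new IPNetwork(IPAddress.Parse("10.244.0.0"), 16));
```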
This is more of a suggestion. I'm pretty sure I'm not the only one who would appreciate if the reusable library project Microsoft.Identity.Web was available as a NuGet package.
That way we can easily keep up with any updates/fixes that you do!
Thank you for considering this!
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Follow all steps to register the app provided in the Azure QuickStart.
Trying to log in with Safari and Chrome from an iPhone results in an infinite loop.
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Check out the aspnetcore2-2-signInAndCallGraph branch
Perform the necessary app registration steps
Deploy to an IIS host
Log in with >= 2 Azure AD users; the app stops working and/or we get a "400 error: Headers too large" on the client.
Expected/desired behavior
app works no matter how many people login
the cookie size does not increase based on the number of people logged in
OS and Version?
Windows 10 / Azure App Service (as of 11/12/2018)
.NET Core 2.1.403
Versions
aspnetcore2-2-signInAndCallGraph (as of 11/12/2018)
Mention any other details that might be useful
Decoding the cookie and printing it on the web browser console, it looks like the server is accidentally using the cookie as the store for the TokenCache. For example, when the second person logs in, and I decode their cookie, I find both users' latest tokens in the JSON graph in the cookie.
Furthermore, when this happens, and the cookies in the header are not too large, IIS seems to see that something is amiss and will not serve the page and not give an error. (Are the cookies being encrypted or tracked with info from the current user?)
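A server-side ticket store is the standard mitigation for both this "Headers too large" report and the earlier "cookie 6 chunks" groups report: the principal, its claims and any saved tokens stay on the server and the cookie carries only an opaque key. This is an added example, not code from the tutorial; it assumes a single instance (IMemoryCache) and that the cookie scheme is CookieAuthenticationDefaults.AuthenticationScheme.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Added example, not the tutorial's code. Implements the ASP.NET Core ITicketStore
// contract so the cookie size no longer depends on how many group claims or tokens
// the signed-in user carries.
public sealed class MemoryCacheTicketStore : ITicketStore
{
    private const string KeyPrefix = "AuthTicket-";
    private readonly IMemoryCache _cache;

    public MemoryCacheTicketStore(IMemoryCache cache) => _cache = cache;

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // A random 128-bit key: unguessable, and it reveals nothing about the user.
        var key = KeyPrefix + Guid.NewGuid().ToString("N");
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var options = new MemoryCacheEntryOptions();
        // Mirror the ticket's own lifetime so the server-side copy cannot outlive the cookie.
        if (ticket.Properties.ExpiresUtc.HasValue)
        {
            options.SetAbsoluteExpiration(ticket.Properties.ExpiresUtc.Value);
        }
        options.SetSlidingExpiration(TimeSpan.FromHours(1));
        _cache.Set(key, ticket, options);
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        _cache.TryGetValue(key, out AuthenticationTicket ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Called on sign-out: the server-side ticket is dropped immediately, so a
        // replayed cookie no longer resolves to a principal.
        _cache.Remove(key);
        return Task.CompletedTask;
    }
}

public static class TicketStoreSetup
{
    public static IServiceCollection AddServerSideAuthTickets(this IServiceCollection services)
    {
        services.AddMemoryCache();
        // Assumption: the cookie scheme registered by the sample is the default one.
        services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
            .Configure<IMemoryCache>((options, cache) => options.SessionStore = new MemoryCacheTicketStore(cache));
        return services;
    }
}
```

On a scaled-out App Service or IIS farm, back the store with IDistributedCache instead of IMemoryCache, otherwise a request routed to another instance will not find its ticket.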
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
The issue was found for the following scenario:
all
Repro-ing the issue
Repro steps
Open one of the sub-folders of the ASP.NET Core tutorial
Observe that the name of all the solutions is the same
Run the App creation scripts
Observe that they create the same app, and therefore there are collisions
Expected behavior
Each Visual Studio solution, and each application as generated by the app creation scripts, should have its own name, so that customers can switch from one to the other
Actual behavior
Observe that the name of all the solutions is the same
Possible Solution
Have the solution name and app name follow the name of the folder
I am developing a .NET Core 2.2 application. I would like to get the user's first name in _LoginPartial.cshtml in a Razor web app. I am able to get the user's surname and email but not the first name. Is there a way to get this?
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
The issue was found for the following scenario:
Please add an 'x' for the scenario(s) where you found an issue
#Your build pipeline references an undefined variable named ‘Parameters.solution’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab. See https://go.microsoft.com/fwlink/?linkid=865972
#Your build pipeline references the ‘BuildPlatform’ variable, which you’ve selected to be settable at queue time. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it settable at queue time. See https://go.microsoft.com/fwlink/?linkid=865971
#Your build pipeline references the ‘BuildConfiguration’ variable, which you’ve selected to be settable at queue time. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab, and then select the option to make it settable at queue time. See https://go.microsoft.com/fwlink/?linkid=865971