appmodelv2-webapp-openidconnect-dotnet's People

Contributors

aiwangmicrosoft, andretms, archieag, dependabot[bot], dstrockis, geok, gsacavdm, jmprieur, rwike77, shama-k, swizzy, tal32123

appmodelv2-webapp-openidconnect-dotnet's Issues

Writing to Session disrupts ASP.NET MVC OpenId SignIn

Trying to understand why writing to Session with OpenId Connect disrupts the Sign In process.

For example, if I modify HomeController as below, the SignIn stops working: it redirects you to Azure AD and returns you to Index unauthenticated.

using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult Index()
    {
        Session["TEST"] = "TEST"; // Writing to Session here is what disrupts the sign-in
        return View();
    }
}

Removing the code while debugging does not fix the problem; it only works again if you restart the app.
Any solution or workaround?

Authorization Code Flow

We need to use Authorization Code Flow for existing ASP.Net Web Forms Application. We were trying to follow this sample.

This sample is using ResponseType - OpenIdConnectResponseType.CodeIdToken.

We were assuming that for using Authorization Code Flow, we need to use ResponseType Code, not CodeIdToken.

But if we change ResponseType to Code in UseOpenIdConnectAuthentication, we get the following error:

AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 9bdf8e16-5395-4358-a21f-890631a05b00
Correlation ID: 7938070f-2b7b-4a17-898e-96184c770153
Timestamp: 2021-03-23 20:22:05Z

Also, in the App Registration screen on the Azure Portal, we have to select Access Tokens. I think that is not recommended for ASP.NET web applications.


But if we deselect the Access Tokens option (as we don't want to use Implicit Flow), we get the following error:

OpenIdConnectMessage.Error was not null, indicating an error. Error: 'unauthorized_client'. Error_Description (may be empty): 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.
Correlation ID: c9279b25-8857-414f-bf61-6e6ffcb10f5d
Timestamp: 2021-03-24 07:39:29Z
'. Error_Uri (may be empty): 'error_uri is null'.

Please suggest if we are missing some settings or configurations.

The nonce cannot be validated issue occurred

Hi,
We received the error below while running this source.

Error: IDX21323: RequireNonce is 'System.Boolean'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Kindly let us know if anything needs to be added in the startup.cs page.

Thank you in advance.

What Whitelist URLs to run behind corporate proxy?

My production server is behind a reverse proxy. I have already whitelisted login.microsoftonline.com:443. It redirects to the MS login page, but I cannot log in.
I checked the firewall, and it shows that some IPs did not match. What other URLs do I have to whitelist?

Request: Change sample to use the OIDC 'authorization code flow' instead of the less secure 'implicit flow'.

Hi. This demo is currently using the OIDC 'implicit flow', which is no longer recommended by the IETF. As such it would be good to get the demo changed to use the OIDC 'Authorization code flow' instead.

From:

https://oauth.net/2/grant-types/implicit/

The Implicit flow was a simplified OAuth flow previously recommended for native apps and JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

Public clients such as native apps and JavaScript apps should now use the authorization code flow with the PKCE extension instead.

The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE instead.

That is, the 'implicit flow' was designed to be used by client side (i.e. browser) single page apps (SPAs) that are hosted on a lightweight/dumb web server, i.e. hosting the app as static content only.

In the ASP.NET integration with OIDC, the server takes part in the authorization flow, and can therefore implement the more secure 'authorization code flow'. See:

https://oauth.net/2/grant-types/authorization-code/

In this mode, the identity provider (IdP) returns a simple 'authorization code' to the browser (instead of an access token), the browser passes this to the ASP.NET server, which then redeems it for an access token - in this final step the server supplies a client secret known only to the server and IdP, thus adding an extra level of security.

Here is a demo app that appears to be using authorization code flow:

E.g. in Startup.cs it does:

  ResponseType = OpenIdConnectResponseType.CodeIdToken,

Instead of

  ResponseType = OpenIdConnectResponseType.IdToken,
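
The following is an added example, not code from the appmodelv2 sample or from any of the posters in this thread. It models in plain Python the protocol steps that the OWIN OpenID Connect middleware performs for the two response types discussed in the "Authorization Code Flow" issue and in this request ('code', the pure authorization code flow with PKCE, and 'code id_token', the hybrid flow), and it reproduces the condition behind the IDX21323 error from the "nonce cannot be validated" issue: the id_token carries a nonce, but the value saved when the sign-in started is gone. CLIENT_ID and REDIRECT_URI are placeholders, the id_token used for the offline run is constructed and unsigned, and signature, issuer, audience and expiry validation of a real token are assumed rather than shown.

```python
# Added example (not the sample's or the posters' code): authorization request
# and callback handling for 'code' vs 'code id_token', with state and nonce
# binding. CLIENT_ID / REDIRECT_URI are placeholders; JWS validation assumed.
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
REDIRECT_URI = "https://localhost:44368/signin-oidc"  # placeholder


class ProtocolError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_sign_in(response_type: str):
    """Build the redirect to the IdP. Returns (url, session): 'session' is what
    the app must keep across the round trip (OWIN carries state in the request,
    keeps the nonce in a cookie, and the PKCE verifier stays server-side)."""
    if response_type not in ("code", "code id_token"):
        raise ValueError("only 'code' and 'code id_token' are modelled here")
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": response_type,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    session = {"state": state, "nonce": nonce, "code_verifier": None}
    if "id_token" in response_type:
        # Hybrid: the id_token is delivered in the front channel, so the app
        # registration must permit that, and it must not ride in the query string.
        params["response_mode"] = "form_post"
    else:
        # Pure code flow: nothing sensitive in the front channel. PKCE ensures a
        # leaked code cannot be redeemed without the verifier held by the server.
        verifier = b64url(secrets.token_bytes(32))
        params["code_challenge"] = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        params["code_challenge_method"] = "S256"
        session["code_verifier"] = verifier
    return AUTHORIZE + "?" + urlencode(params), session


def parsed_query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def id_token_claims(id_token: str) -> dict:
    """Payload only. A real client first verifies the JWS signature against the
    issuer's JWKS and checks iss/aud/exp; that step is assumed here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def constructed_id_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demonstration only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return header + "." + b64url(json.dumps(claims).encode()) + "."


def handle_callback(form: dict, session: dict) -> dict:
    """Validate the IdP response. session['nonce'] is None when the nonce saved
    at sign-in time did not come back, which is the IDX21323 situation."""
    if "error" in form:
        raise ProtocolError(f"{form['error']}: {form.get('error_description', '')}")
    if form.get("state") != session["state"]:
        raise ProtocolError("state mismatch: response is not for this sign-in")
    result = {}
    if "id_token" in form:
        claims = id_token_claims(form["id_token"])
        if session.get("nonce") is None:
            raise ProtocolError("IDX21323: id_token nonce cannot be validated, saved nonce is missing")
        if claims.get("nonce") != session["nonce"]:
            raise ProtocolError("nonce mismatch: replayed or foreign id_token")
        result["claims"] = claims
    if "code" in form:
        # Back-channel redemption: the client_secret (or certificate assertion)
        # is added by the server and never reaches the browser.
        req = {"grant_type": "authorization_code", "code": form["code"],
               "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}
        if session.get("code_verifier"):
            req["code_verifier"] = session["code_verifier"]
        result["token_request"] = req
    return result
```

The two response types differ in what crosses the front channel: with 'code' only the short-lived code and state appear in the response, and the id_token arrives with the token response on the back channel, whereas 'code id_token' returns the id_token directly to the browser, which is why the identity provider must be configured to allow that delivery. The saved nonce goes missing when the cookie the middleware set at sign-in time does not come back with the response, for example because the callback arrives on a different host or scheme from the one the cookie was set for; that is the case the IDX21323 branch above reports, and the fix is to make the cookie survive the round trip rather than to set RequireNonce to false.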

Unable to sign in, error: Application with identifier 'Enter_the_Application_Id_here' was not found in the directory 'abc '.

AADSTS700016: Application with identifier 'Enter_the_Application_Id_here' was not found in the directory 'abc '. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

I downloaded the sample code, added the tenant and client ID in the configuration, and cross-checked consent with the AD admin user as well; all seems correct according to the documentation, but I am still getting this error.

unable to sign in with Microsoft personal account

Compiled, configured, and ran the sample. Trying to sign in with a Microsoft (personal) account, the flow ends up in this error from login.live.com:
error=unsupported_response_type
error_description=The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'.

It seems like the OpenID Connect flow isn't supported for Microsoft (personal) accounts?

Use which library to configure aad auth in startup.cs?

I see the readme using Microsoft.Owin.Security.OpenIdConnect to configure AAD auth.

But the real startup.cs is using the Microsoft.Identity.Web library.

I'm wondering which library I should use in .NET Framework? I need to integrate with the Graph API also.

The commit on April 16, 2023 blew up the repo

The commit on April 16, 2023 blew up the repo. The instant indication was that all of the authentication config values in web.config (ClientId, Tenant, etc.) disappear in this check-in and an anomalous appsettings.json appears. The most current release does not work. The commit comments also begin to talk about Graph, which was not needed or mentioned in the app prior to April 16. I did see that some of the intermediate readme files after April 16 seem to be talking about the changes, but the current readme does not mention it. Reverting to the release before April 16 works fine.

Maybe it got mixed up with https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect that does specifically talk about using Graph?

Azure AD B2C

Hello there,

Is this sample compatible with Azure AD B2C?
