Azure-Samples / active-directory-aspnetcore-webapp-openidconnect-v2

An ASP.NET Core Web App which lets sign-in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and call Web APIs (including Microsoft Graph)
MIT License

Error when redirecting to Graph API deployed to Azure Web Apps #741

Closed YHgitaccount closed 9 months ago

YHgitaccount commented 10 months ago

Microsoft.Identity.Web version

2.13.0

Web app sign-in

1-WebApp-OIDC/1-1-MyOrg

Web API (call Graph or downstream APIs)

2-WebApp-graph-user/2-1-Call-MSGraph

Deploy to Azure

5-WebApp-AuthZ/5-1-Roles

Auth Z

6-Deploy-to-Azure

Description

I am using the 2-1-CallMSGraph sample, but I am getting errors about redirects. As a prerequisite, local sign-in worked fine. This time, we are planning to configure the app to redirect and access https:.azurewebsites.net/xxx/signin-oidc to sign in and get Azure AD information. Therefore, we have made the following changes to the AzureAd property in the appsettings.json file.

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<MyDomain>",
    "ClientId": "<MyClientId>",
    "RedirectUri": "https://<MyAppName>.azurewebsites.net/xxx/signin-oidc",
    "ClientCertificates": [
    ],
    // the following is required to handle Continuous Access Evaluation challenges
    "ClientCapabilities": [ "cp1" ],
    //"CallbackPath": ""
  },
"DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  }

Also, for Azure app authentication settings, as a redirect URI, https:.azurewebsites.net/xxx/signin-oidc is registered.

Assuming the above, we deployed to Azure Web Apps. However, when I access the app, I get the following error: Error AADSTS50011 - The redirect URI "https:.azurewebsites.net/signin-oidc" specified in the request does not match the redirect URIs. Make sure the redirect URI was sent. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

Despite changing the redirect URI setting, the URI does not seem to match, as it is coming from https:.azurewebsites.net/signin-oidc.

I referred to https://learn.microsoft.com/ja-jp/troubleshoot/azure/active-directory/error-code-aadsts50011-redirect-uri-mismatch and it says to set the redirect URI in Azure App Authentication, but I don't know why, as I have already registered it.

Where in the source code or in the configuration file should I change the URI to https:.azurewebsites.net/xxx/signin-oidc instead of https:.azurewebsites.net/signin-oidc?

Translated with www.DeepL.com/Translator (free version)

Reproduction steps

  1. download samples
  2. redirect URI setting for Azure AD app
  3. modify appsettings.json
  4. deploy to Azure WebApps
  5. accessing the app

Error message

Error AADSTS50011 - The redirect URI "https:.azurewebsites.net/signin-oidc" specified in the request does not match the redirect URIs configured for the application . Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

Id Web logs

No response

Relevant code snippets

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph

Regression

No response

Expected behavior

The ability to sign in without error when accessing https:.azurewebsites.net/xxx/signin-oidc.
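The mismatch reported above comes from the redirect_uri the app actually sends (scheme + host + path base + callback path) being compared exactly, not by prefix, against the registered list. The following is an added illustration written for this thread, not code from Microsoft.Identity.Web or the sample; the host name, the "/xxx" path base and the registered list are constructed placeholders, and the way the URI is assembled is a simplified model of the OIDC handler's behaviour, not the library's own implementation.

```python
from urllib.parse import urlsplit

# Constructed sample registration; the issue elides the real app name.
REGISTERED_REDIRECT_URIS = [
    "https://myapp.azurewebsites.net/xxx/signin-oidc",
    "https://myapp.azurewebsites.net",
]


def build_redirect_uri(scheme: str, host: str, path_base: str, callback_path: str) -> str:
    """Model (assumption, not the library's code) of how the OIDC handler
    derives redirect_uri: request scheme + host + PathBase + CallbackPath.
    If the app does not know it is hosted under /xxx, PathBase is empty."""
    base = path_base.rstrip("/")
    return f"{scheme}://{host}{base}{callback_path}"


def redirect_uri_matches(sent: str, registered: list[str]) -> bool:
    """Exact comparison as an identity provider applies it: scheme and host
    compared case-insensitively, path compared verbatim, no prefix matching.
    A registered "https://host" does not cover "https://host/signin-oidc"."""
    s = urlsplit(sent)
    for entry in registered:
        r = urlsplit(entry)
        if (s.scheme.lower(), s.netloc.lower(), s.path) == (
            r.scheme.lower(), r.netloc.lower(), r.path
        ):
            return True
    return False


def diagnose(path_base: str) -> str:
    """Return which redirect_uri the app would send for a given path base
    and whether that value would pass the registration check."""
    sent = build_redirect_uri("https", "myapp.azurewebsites.net", path_base, "/signin-oidc")
    if redirect_uri_matches(sent, REGISTERED_REDIRECT_URIS):
        return f"OK: {sent} is registered"
    return f"AADSTS50011-style mismatch: {sent} is not registered"


if __name__ == "__main__":
    # Path base unknown to the app: the "/xxx" segment is missing and the check fails.
    print(diagnose(""))
    # App aware of its sub-path: the generated value matches the registration.
    print(diagnose("/xxx"))
```

The takeaway for the case above is that registering the sub-path URI in the portal is not enough on its own; the deployed app also has to generate that same sub-path in the value it sends.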

jmprieur commented 10 months ago

@YHgitaccount :

  1. Don't change the redirect URI in the appsettings.json. The app knows already
  2. Did you read this article? https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/6-Deploy-to-Azure

YHgitaccount commented 10 months ago

@jmprieur

Thanks for your response.

Regarding 1, in the "Update the redirect URLs" section of the reference link you commented on, there is the following statement:

  5. "If your application calls a web api, make sure to apply the necessary changes on the project appsettings.json, so it calls the published API URL instead of localhost." I am aware that I need to change the URL to include the domain name of the Web Apps, is that correct?

Also, following the "Update the redirect URLs" section of the same link, I added "https://.azurewebsites.net" to the Redirect URL for the Azure AD app.

I registered the following two.

However, the situation did not change, so I checked the stack traces in developer mode and received the error shown in the attached image.

Where else would be appropriate to check? We would appreciate your comments as we are very troubled.

Translated with www.DeepL.com/Translator (free version)

YHgitaccount commented 9 months ago

Here, I solved the problem by changing the root path in the application settings.