AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Bug] ClaimsIdentity on gRPC app not being filled after JWT token validated and completing IDX10245 #2953

Open OnlyOnePro opened 1 month ago

OnlyOnePro commented 1 month ago

### Microsoft.Identity.Web Library

Microsoft.Identity.Web

### Microsoft.Identity.Web version

3.0.1

### Web app

Sign-in users and call web APIs

### Web API

Protected web APIs (validating tokens)

### Token cache serialization

Not Applicable

### Description

The service is a gRPC service written in ASP.NET Core 8.0. It receives tokens from an Angular SPA application that manages all the token obtention logic. We tried to use Microsoft.Identity.Web to fulfill both the authentication and the authorization pipelines in the app. The token-emitting entity is Azure Active Directory (now Microsoft Entra ID).

The token is valid and is successfully retrieved by the front-channel app, but when that token is used to communicate with the gRPC application, the entire authentication pipeline succeeds and the token is valid, yet the HttpContext.ClaimsPrincipal property is not populated (it is marked as IsAuthenticated = false), so the call fails with gRPC error code 16 for not authorized when the [Authorize] decorator is used on the service class.

### Reproduction steps

  1. Scaffold a basic gRPC service using `dotnet new` or the Visual Studio template selector.
  2. Add the code snippets for the files required.
  3. Configure a front-channel app in Azure AD and an API app for the service.
  4. Get a token with the front-channel app and use that token with Postman or any other client to call the protected API.
  5. Check the empty claims in the debugger.

### Error message

```text
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://localhost:7041
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:5110
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
      Content root path: Z:\Repos\Cafler.Greenfield\Api\Internal\Cafler.Api.Product.Internal
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      Microsoft.IdentityModel Version: 8.0.1.0. Date 07/24/2024 23:15:03. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details.
      IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10242: Security token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: '1649588b-cd93-42f9-bbb4-d8db8ce706d8'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10255: TypeValidator property on ValidationParameters is null and ValidTypes is either null or empty. Exiting without validating the token type.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10245: Creating claims identity from the validated token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Grpc.AspNetCore.Server.ServerCallHandler[10]
      Reading message.
```

### Id Web logs

No response

### Relevant code snippets

appsettings.json file config segment (placeholder values must be quoted strings for the file to be valid JSON):

```json
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "your-domain.com",
    "TenantId": "common",
    "ClientId": "your-client-id",
    "ClientSecret": "a-client-secret",
    "ClientCapabilities": [ "cp1" ]
  },
```

Program.cs (the `services` and `configuration` locals from the trimmed original are spelled out as `builder.Services` and `builder.Configuration`, and the section name constant points at the `AzureAd` section above):

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

public class Program
{
    // Name of the appsettings.json section shown above.
    private const string DirectoryConfigsKeyName = "AzureAd";

    public static void Main(string[] args)
    {
        WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

        builder.Services.AddApplicationInsightsTelemetry(config =>
        {
            config.ConnectionString = Environment.GetEnvironmentVariable("APPLICATIONINSIGHTS_CONNECTION_STRING");
        });
        builder.Services.AddGrpc();
        //builder.Services.AddHttpContextAccessor();
        //builder.Services.AddHttpClient();

        // Add services to the container.
        // Business services injection removed

        // JWT bearer authentication backed by Microsoft.Identity.Web, bound to the AzureAd section.
        builder.Services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection(DirectoryConfigsKeyName));
        builder.Services.AddAuthorization();
        // Mediatr config removed

        if (builder.Environment.IsDevelopment())
        {
            builder.Services.AddGrpcReflection();
        }

        WebApplication app = builder.Build();

        // Configure the HTTP request pipeline.
        if (app.Environment.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.MapGrpcReflectionService();
        }

        app.UseRouting();

        // Authentication must run before authorization so that [Authorize] on the
        // gRPC service sees the principal produced by the bearer handler.
        app.UseAuthentication();
        app.UseAuthorization();
        // gRPC mappings removed
        app.MapGrpcHealthChecksService();

        app.Run();
    }
}
```

### Regression

_No response_

### Expected behavior

We expect the library to fill out the ClaimsIdentity property as intended and demonstrated in the official documentation.
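As an added diagnostic (not code from the issue or from the Microsoft.Identity.Web project), a gRPC server interceptor that compares the JWT bearer handler's own AuthenticateResult with what the authentication middleware actually attached to HttpContext.User, so the gap between the IDX10245 log line and IsAuthenticated = false can be located per call; the interceptor name and log message format are assumptions, and it assumes Grpc.AspNetCore and Microsoft.Identity.Web are referenced as in Program.cs above.

```csharp
// Added diagnostic example (not from the issue or the Microsoft.Identity.Web project).
// Register in Program.cs with: builder.Services.AddGrpc(o => o.Interceptors.Add<AuthDiagnosticsInterceptor>());
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Grpc.Core;
using Grpc.Core.Interceptors;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Logging;

public sealed class AuthDiagnosticsInterceptor : Interceptor
{
    private readonly ILogger<AuthDiagnosticsInterceptor> _logger;

    public AuthDiagnosticsInterceptor(ILogger<AuthDiagnosticsInterceptor> logger) => _logger = logger;

    public override async Task<TResponse> UnaryServerHandler<TRequest, TResponse>(
        TRequest request, ServerCallContext context, UnaryServerMethod<TRequest, TResponse> continuation)
    {
        var http = context.GetHttpContext();

        // Re-run the bearer handler explicitly. This is the same scheme the authentication
        // middleware consults when it sets HttpContext.User, so it shows what the handler produced.
        AuthenticateResult result = await http.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);

        // What the pipeline actually attached to the request.
        ClaimsIdentity? user = http.User.Identity as ClaimsIdentity;

        _logger.LogInformation(
            "{Method}: handler Succeeded={Succeeded} Failure={Failure}; " +
            "User.IsAuthenticated={IsAuth} AuthType={AuthType} Claims={ClaimCount}",
            context.Method, result.Succeeded, result.Failure?.Message ?? "none",
            user?.IsAuthenticated ?? false, user?.AuthenticationType ?? "<null>",
            user?.Claims.Count() ?? 0);

        // ClaimsIdentity.IsAuthenticated is true only when AuthenticationType is non-empty, so an
        // identity that carries claims but no AuthenticationType is still anonymous to [Authorize].
        if (result.Succeeded && !(user?.IsAuthenticated ?? false))
        {
            _logger.LogWarning("Token validated by the handler but HttpContext.User is not authenticated.");
        }

        return await continuation(request, context);
    }
}
```

If the warning fires with a non-zero claim count, the claims reached the identity but its AuthenticationType is missing; if the handler reports Succeeded = false, the Failure message names which validation step the bearer handler rejected.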

OnlyOnePro commented 1 month ago

Hi, any news on this ticket's status?