DuendeSoftware / Support

Support for Duende Software products

IdentityServer CorsPolicyService blocking POST request from external Microsoft login origin. #1201

Closed ranchoebuka closed 7 months ago

ranchoebuka commented 7 months ago

Which version of Duende IdentityServer are you using? I am currently using version 7.0.1 and the company I work for has a Business Edition license.

Which version of .NET are you using? net8.0-windows

Describe the bug

I set up OpenIdConnect middleware to authenticate against external providers. I registered a client application in Microsoft Entra ID and I have two redirect URIs: one points to my localhost while the other points to the Azure App Service where I deployed my ASP.NET Core web application hosting Duende IdentityServer. When I tried it in my local development environment (localhost) to authenticate against Microsoft Entra ID, everything works fine. It redirects back to my external page callback.

But when I tried against the one I deployed in Azure App Service, it doesn't redirect back to the external callback. I checked the log and I saw a warning about CORS configuration. I used the instructions on this page [https://identityserver4.readthedocs.io/en/latest/topics/cors.html#custom-cors-policy-service] to set up my default ICorsPolicyService and, after trying again, it still failed to redirect back to the external callback page.

A clear and concise description of what the bug is. In my production environment in Azure App Service, authenticating against Microsoft Entra ID failed to redirect back to my web application. Meanwhile, the Google authentication works fine in both my local and production environments. The only difference between these two setups is that I used the AddOpenIdConnect middleware for the Microsoft authentication setup, while I use the AddGoogle middleware for the Google authentication setup.

To Reproduce

Expected behavior

A clear and concise description of what you expected to happen.

I expect both the Microsoft and Google authentication to work both in development and production.

Log output/exception with stacktrace


2024-04-05 15:15:59.929 +00:00 [INF] Showing login: User is not authenticated
2024-04-05 15:15:59.932 +00:00 [INF] HTTP GET /connect/authorize responded 302 in 180.2171 ms
2024-04-05 15:16:00.044 +00:00 [DBG] AuthenticationScheme: idsrv was not authenticated.
2024-04-05 15:16:00.046 +00:00 [DBG] AuthenticationScheme: idsrv was not authenticated.
2024-04-05 15:16:00.067 +00:00 [DBG] AuthenticationScheme: idsrv was not authenticated.
2024-04-05 15:16:00.077 +00:00 [DBG] Start authorize request protocol validation
2024-04-05 15:16:00.085 +00:00 [DBG] Checking for PKCE parameters
2024-04-05 15:16:00.095 +00:00 [DBG] Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
2024-04-05 15:16:00.116 +00:00 [INF] HTTP GET /Account/Login responded 200 in 81.1535 ms
2024-04-05 15:17:42.527 +00:00 [DBG] AuthenticationScheme: idsrv was not authenticated.
2024-04-05 15:17:42.530 +00:00 [DBG] AuthenticationScheme: idsrv was not authenticated.
2024-04-05 15:17:42.547 +00:00 [DBG] Challenge Page Called by 4/5/2024 3:17:42 PM
2024-04-05 15:17:42.549 +00:00 [DBG] HandleChallenge with Location:
https://login.microsoftonline.com/76160e53-9ee0-419f-bcec-bcb05f0fa637/oauth2/v2.0/authorize?client_id=67c56ec5-c9e0-49a4-baab-17973622d54e&redirect_uri=https%3A%2F%2Fidentityservert1.azurewebsites.net%2Fsignin-oidc&response_type=code&scope=openid%20profile%20email%20offline_access&code_challenge=wCDbVaWDPEf6notNuR-5Doh6tk9I9v0pAdVxhDtAmJ0&code_challenge_method=S256&response_mode=form_post&nonce=638479270625494006.Y2NjYzcyYjctMjE4Zi00NDJmLWE2YmItZjdjMDQyY2QyZTBlZTA1MjkwNTAtZDNjMS00YzE0LWI1MTQtYWYwYjEzYTg3OWM3&state=CfDJ8ADkrI6A5k9IjWDmADcXyQptuU3K_LmaaHEYCYnMNoHD8QNRPj49Pbuq_FSp1xUlj6Mq5-t94yVkmRzOv_hPk0UakV7sPa9yXx5MvxQNnuAR4_wqqF6MsCGeqcVeELsNCTYBFMNHZ9S18nMOsfFaJfg90Q0hlrS8kdwivaha5e-0DQLH6zpHevRsEEG-ZMno1QdMEg1yh8aoW4nSi1XdHOk-Ggao01OVvgyvagtUVyVx3CMhjv1Wy8MFzx3Ah_OYkk0FQw1xS3f80hXzccMvRc0vgwCwTLEOpHK9oUfyJu04AN1AC6rzzXLHN8X-BixYVMnh_g6cJVx2i6eLsIkE81LdBZC1PbvuCMeC3P2KFYjq9LwGQ68kEZt1tS_U05NUXAPsfvS3eklubcVcNQSdNTuiHbwNuuttL3HoORtsOaVy2tByhPUVAjHs-yT68UB6zPF4cfab5H60F8KA8RGmHOqVtrk6kOWMnUleDzz6ONnYuOW7U2TOtuu67NRb-0a6FyoTuJY4tCwl_9nKn6cwoOdMsvOmRfhvi8oK4iKB2Sf-x6_qXscS2DsA_pqfGqIzPCoO0c-uBVXwx1jtk-fOLLsZpj1KNpV6fLTs0mMKcWu5OjYVLLjbCb9msRyjMY29hHq__hAvBqNAoi0haAVCjMpWUVty15AhRgjtCzG7DcipVai7Py8UQndJ18YCJIiH5qI7Yaw7Cliq-XicA3FqGHDJOsU0BQCWGhJo9NnGnB1dxObQ_FTU44ltpfQtSU_Ck7mVo_x6gtCZf5EByQo5y9YxefnMkg0H71WUcIHJk3bMJJ8ZPNNLKRRUTw4RcCLdeSl0Hvoy2P_kl_Jphaup-ih3uVdyzDrxGMugIzHRFJtkIAORTv9mjPN7p_kiXWnknA&x-client-SKU=ID_NET8_0&x-client-ver=7.5.0.0; and Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8ADkrI6A5k9IjWDmADcXyQq8WIr6Ktn4CjA9VZSsXEn4KEoOOS18c-U9WaPL_bQZ810eBcFc_sMtNPOxsSEDSgbSiOSNg0KdQjVoLjnThQJA_rOxJjn4YAQ5nakcK0Td6IBY4MKTOlCqfXRYz2msSvIahotk7dIru7ctUZmvZJ5K7_OurzI0SuyCfqFvulerfANpUGeI7j34ljaAQKaPpKhcfsal_hxzWcGYLSsE4bNjgkp9ogz8u2En_SMkBLxo349HAw__mAtFIzuTdrth7S8=N; expires=Fri, 05 Apr 2024 15:32:42 GMT; path=/signin-oidc; secure; samesite=none; httponly,.AspNetCore.Correlation.f3acPXGzBGEAfKmgi59VO9ha6qqMBhWLCiIlWWtKXk0=N; expires=Fri, 05 Apr 2024 15:32:42 
GMT; path=/signin-oidc; secure; samesite=none; httponly.
2024-04-05 15:17:42.550 +00:00 [INF] AuthenticationScheme: Microsoft Entra ID was challenged.
2024-04-05 15:17:42.550 +00:00 [INF] HTTP GET /ExternalLogin/Challenge responded 302 in 30.6632 ms
2024-04-05 15:17:43.045 +00:00 [DBG] IdentityServer CorsPolicyService didn't handle CORS request made for path: /signin-oidc from origin: https://login.microsoftonline.com because it is not for an IdentityServer CORS endpoint. To allow CORS requests to non IdentityServer endpoints, please set up your own Cors policy for your application by calling app.UseCors("MyPolicy") in the pipeline setup.
2024-04-05 15:17:43.047 +00:00 [DBG] Updating configuration
2024-04-05 15:17:43.048 +00:00 [DBG] Redeeming code for tokens.
2024-04-05 15:17:43.530 +00:00 [INF] AuthenticationScheme: idsrv.external signed in.
2024-04-05 15:17:43.531 +00:00 [INF] HTTP POST /signin-oidc responded 302 in 486.8595 ms

```csharp
using Duende.IdentityServer;
using Duende.IdentityServer.Services;
using Microsoft.EntityFrameworkCore;

// Custom CORS policy service. IdentityServer only consults it for its own
// CORS-enabled endpoints; the logger is injected but not used in the posted code.
public class PxCorsPolicyService(ILogger<PxCorsPolicyService> logger) : ICorsPolicyService
{
    private readonly List<string> _allowedOrigins = new() { "https://login.microsoftonline.com" };

    public Task<bool> IsOriginAllowedAsync(string origin)
    {
        var result = _allowedOrigins.Contains(origin);
        return Task.FromResult(result);
    }
}

// Program.cs fragments as posted. `configuration` and `migrationsAssembly`
// are defined elsewhere in the poster's startup code.
builder.Services.AddSingleton<ICorsPolicyService>(container =>
{
    var logger = container.GetRequiredService<ILogger<PxCorsPolicyService>>();
    return new PxCorsPolicyService(logger);
});

var isBuilder = builder.Services.AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
        options.EmitStaticAudienceClaim = true;
    })
    .AddProfileService<PxUserProfileService>()
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = optionsBuilder =>
            optionsBuilder.UseSqlServer(configuration.GetConnectionString("xIdentityServer"), sqlOptions =>
                sqlOptions.MigrationsAssembly(migrationsAssembly));
    })
    .AddConfigurationStoreCache()
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = optionsBuilder =>
            optionsBuilder.UseSqlServer(configuration.GetConnectionString("xIdentityServer"), sqlOptions =>
                sqlOptions.MigrationsAssembly(migrationsAssembly));
        options.EnableTokenCleanup = true;
    });

// External providers. Both sign in to IdentityServer's external cookie scheme.
builder.Services.AddAuthentication()
    .AddOpenIdConnect("AAD", "Azure Active Directory", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.Authority = "https://login.microsoftonline.com/XXXXXXXXXX/v2.0";
        // Client id/secret as posted (partly masked); in practice load secrets from
        // configuration or a secret store rather than from source.
        options.ClientId = "8141e96e-178d-xxrt-935c-060bc95ac56d";
        options.ClientSecret = "_Rb8Q~YT6uwIWdfgfh677586p33oo9nKhNcQPOdQCSNaQZ";
        options.ResponseType = "code";
        options.Scope.Add("email");
        options.Scope.Add("offline_access");
        options.SaveTokens = true;
    })
    .AddGoogle("Google", o =>
    {
        o.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        o.ClientId = "315799164400-amfmaqb96c79jdcmbam9qrgt9mgttnme.apps.googleusercontent.com";
        o.ClientSecret = "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";
    });
```

Additional context

Add any other context about the problem here.
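As an added example (not the issue's code and not Duende's own), the following shows the two CORS mechanisms the log line above distinguishes: ICorsPolicyService, which IdentityServer consults only for its own CORS-enabled endpoints, and a separate named ASP.NET Core policy for the application's other endpoints. The configuration key `Cors:AllowedOrigins`, the policy name `MyPolicy` and the class name are assumptions.

```csharp
using Duende.IdentityServer.Services;

// Added example (not the issue's or Duende's code). ICorsPolicyService only governs
// IdentityServer's own CORS-enabled endpoints (token, userinfo, discovery). The
// /signin-oidc callback is a top-level form_post navigation from login.microsoftonline.com,
// not a CORS request, so the DBG line in the log is informational; the POST still got a 302.
var builder = WebApplication.CreateBuilder(args);
string[] allowedOrigins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()
    ?? Array.Empty<string>();   // assumed appsettings key, e.g. ["https://spa.example.com"]

builder.Services.AddIdentityServer();   // full options and stores omitted here
builder.Services.AddSingleton<ICorsPolicyService, ConfiguredOriginsCorsPolicyService>();

// Separate, named ASP.NET Core CORS policy: this is what the log message refers to. It only
// matters for browser JavaScript on another origin calling your own endpoints; keep it to
// known origins rather than AllowAnyOrigin().
builder.Services.AddCors(o => o.AddPolicy("MyPolicy", p =>
    p.WithOrigins(allowedOrigins).AllowAnyHeader().AllowAnyMethod()));

var app = builder.Build();
app.UseRouting();
app.UseCors("MyPolicy");   // after UseRouting, before authentication/authorization
app.UseIdentityServer();
app.UseAuthorization();
app.Run();

public sealed class ConfiguredOriginsCorsPolicyService(
    IConfiguration config, ILogger<ConfiguredOriginsCorsPolicyService> logger) : ICorsPolicyService
{
    // Origins normalised to lower-case scheme://host[:port] so a trailing slash or
    // case difference in configuration does not silently break the match.
    private readonly HashSet<string> _allowed = new(
        (config.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>())
            .Select(Normalize), StringComparer.Ordinal);

    public static string Normalize(string origin) =>
        new Uri(origin, UriKind.Absolute).GetLeftPart(UriPartial.Authority).ToLowerInvariant();

    public Task<bool> IsOriginAllowedAsync(string origin)
    {
        bool allowed = Uri.TryCreate(origin, UriKind.Absolute, out var uri)
                       && _allowed.Contains(uri.GetLeftPart(UriPartial.Authority).ToLowerInvariant());
        if (!allowed)
            logger.LogWarning("Rejected CORS origin {Origin} for an IdentityServer endpoint", origin);
        return Task.FromResult(allowed);
    }
}
```

Rejected origins are logged at Warning level so an unexpected cross-origin caller shows up in monitoring rather than only in DBG output.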

dotnetstep commented 7 months ago

I am not 100% sure, but I recently upgraded my project to .NET 8 and IdentityServer 7. The issue I am observing is somewhat similar in nature.

In my case, following is the flow.

When User is not authenticated.

ranchoebuka commented 7 months ago

This has been fixed from our end. Our IT team made some changes in the settings of our firewall. There is no issue in IdentityServer.