Closed sandillio closed 6 years ago
Works perfectly on my local machine but when moved to server it returns false.
My Configure Services method looks like this
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
{
options.MetadataAddress = "MetaDataAddress";
options.Wtrealm = "WtRealm";
options.Wreply = "https://mydomain/AzureADDemo/Home/Status";
options.SaveTokens = true;
}).AddCookie(
options =>
{
options.Cookie.Name = ".AspNet.SharedCookie";
options.LoginPath = "/AzureADDemo/Home/Signin";
options.Cookie.Path = "/AzureADDemo";
options.Cookie.Expiration = TimeSpan.FromMinutes(20);
options.Cookie.SecurePolicy = CookieSecurePolicy.None;
options.Cookie.SameSite = SameSiteMode.None;
});
services.AddMvc();
}
And my Configure Method looks like this
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts();
}
app.UseCors(policy => policy.SetIsOriginAllowed(origin => origin ==
"https://login.microsoftonline.com"));
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
Thanks for contacting us, @sandillio. @javiercn, can you please look into this? Thanks!
@Tratcher I believe this is all yours
Can you share a Fiddler trace of the scenario?
Where are you calling IsAuthenticated?
@Tratcher Here is the Fillder Trace
@Tratcher This is how I am signing in var redirectUrl = Url.Action(nameof(HomeController.Status), "Home"); return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl }, WsFederationDefaults.AuthenticationScheme); And then in Status I am checking for IsAuthenticated which coming as False
Please upload the fiddler trace file rather than a screenshot. You can send it to the e-mail in my profile if you don't want it to be public.
I expect your problem is with the Wreply option, that shouldn't point to a page in your app, but to a url handled directly by the middleware.. Use CallbackPath instead of wreply.
@mkArtakMSFT feel free to transfer this to the Security repo.
Confirmed, your Wreply is wrong. Use CallbackPath instead as described in the doc above.
@Tratcher So I have removed Wreply and added callback path but now I am getting the error saying the reply URL is not matching.
.AddWsFederation(WsFederationDefaults.AuthenticationScheme, options => { options.MetadataAddress = "MetaDataAddress"; options.Wtrealm = "WtRealm"; options.CallbackPath = "/Home/Status"; options.SaveTokens = true; }
CallbackPath should not reference a page in your app, it should be a dedicated endpoint like the default value "/signin-wsfed". The auth middleware will handle requests to this path.
@Tratcher So I have changed my CallBackPath = "/AzureADDemo", my Reply Urls in AzureAD as "https://mydomain/AzureADDemo" since this is the endpoint referring to Wreply and I still get reply url not matching error. Please correct me as I am going wrong and having difficulty understanding this ADD.
and I still get reply url not matching error.
What's the exact error and where do you get it? That doesn't sound like an ASP.NET error, is it coming from AAD?
Yes that’s the error from ADD. On Thu, Nov 8, 2018 at 5:22 PM Chris Ross notifications@github.com wrote:
and I still get reply url not matching error.
What's the exact error and where do you get it? That doesn't sound like an ASP.NET error, is it coming from AAD?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/aspnet/Mvc/issues/8700#issuecomment-437177562, or mute the thread https://github.com/notifications/unsubscribe-auth/AeZW0L-8DuQ1z9vT0qJe9abJUPt9YKbGks5utK6sgaJpZM4YVC_D .
You're going to need to work that out with AAD. The only advice I can give is that you need to be very careful of the value, AAD has been known to require exact matches, even case sensitive.
Thanks @Tratcher.
Closing this as there is no more action to be taken here from our side.
@Tratcher Sorry for posting late, but got it working. my solution is, I change the reply url in Azure to be as http://mydomain/yourappname/signin-wsfed and my configureServices method to be as below.
public void ConfigureServices(IServiceCollection services) {
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
}) .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
{
options.MetadataAddress = "MetaDataAddress";
options.Wtrealm = "WtRealm";
options.SaveTokens = true;
}).AddCookie(
options =>
{
options.Cookie.Name = ".AspNet.SharedCookie";
options.LoginPath = "/signin-wsfed";
options.Cookie.Expiration = TimeSpan.FromMinutes(20);
options.Cookie.SecurePolicy = CookieSecurePolicy.None;
options.Cookie.SameSite = SameSiteMode.None;
});
services.AddMvc();
}
Remove options.LoginPath = "/signin-wsfed";
, it doesn't belong there. LoginPath won't be used unless someone calls Challenge on Cookies rather than WsFed.
Is this a Bug or Feature request?:
Steps to reproduce (preferably a link to a GitHub repo with a repro project):
Description of the problem:
Version of
Microsoft.AspNetCore.Mvc
orMicrosoft.AspNetCore.App
orMicrosoft.AspNetCore.All
: