aspnet / Mvc

[Archived] ASP.NET Core MVC is a model view controller framework for building dynamic web sites with clean separation of concerns, including the merged MVC, Web API, and Web Pages w/ Razor. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

IsAuthenticated is false when moved to the IIS server with Azure AD .Net Core 2.1 #8700

Closed sandillio closed 5 years ago

sandillio commented 5 years ago

Is this a Bug or Feature request?:

Steps to reproduce (preferably a link to a GitHub repo with a repro project):

Description of the problem:

Version of Microsoft.AspNetCore.Mvc or Microsoft.AspNetCore.App or Microsoft.AspNetCore.All:

sandillio commented 5 years ago

Works perfectly on my local machine but when moved to server it returns false.

My Configure Services method looks like this

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;

        });

        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
            .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
            {
                options.MetadataAddress = "MetaDataAddress";
                options.Wtrealm = "WtRealm";
                options.Wreply = "https://mydomain/AzureADDemo/Home/Status";
                options.SaveTokens = true;

            }).AddCookie(
                options =>
                {

                    options.Cookie.Name = ".AspNet.SharedCookie";
                    options.LoginPath = "/AzureADDemo/Home/Signin";
                    options.Cookie.Path = "/AzureADDemo";
                    options.Cookie.Expiration = TimeSpan.FromMinutes(20); 
                    options.Cookie.SecurePolicy = CookieSecurePolicy.None;
                    options.Cookie.SameSite = SameSiteMode.None;
                });

        services.AddMvc();

    }

And my Configure Method looks like this

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }
        app.UseCors(policy => policy.SetIsOriginAllowed(origin => origin == 
                     "https://login.microsoftonline.com"));
        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseCookiePolicy();
        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

mkArtakMSFT commented 5 years ago

Thanks for contacting us, @sandillio. @javiercn, can you please look into this? Thanks!

javiercn commented 5 years ago

@Tratcher I believe this is all yours

Tratcher commented 5 years ago

Can you share a Fiddler trace of the scenario?

Tratcher commented 5 years ago

Where are you calling IsAuthenticated?

sandillio commented 5 years ago

@Tratcher Here is the Fillder Trace image

sandillio commented 5 years ago

@Tratcher This is how I am signing in:

    var redirectUrl = Url.Action(nameof(HomeController.Status), "Home");
    return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl }, WsFederationDefaults.AuthenticationScheme);

And then in Status I am checking for IsAuthenticated, which is coming back as False.

Tratcher commented 5 years ago

Please upload the fiddler trace file rather than a screenshot. You can send it to the e-mail in my profile if you don't want it to be public.

I expect your problem is with the Wreply option; that shouldn't point to a page in your app, but to a URL handled directly by the middleware. Use CallbackPath instead of Wreply.

@mkArtakMSFT feel free to transfer this to the Security repo.

Tratcher commented 5 years ago

Confirmed, your Wreply is wrong. Use CallbackPath instead as described in the doc above.

sandillio commented 5 years ago

@Tratcher So I have removed Wreply and added callback path but now I am getting the error saying the reply URL is not matching.

    .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
    {
        options.MetadataAddress = "MetaDataAddress";
        options.Wtrealm = "WtRealm";
        options.CallbackPath = "/Home/Status";
        options.SaveTokens = true;
    })

Tratcher commented 5 years ago

CallbackPath should not reference a page in your app, it should be a dedicated endpoint like the default value "/signin-wsfed". The auth middleware will handle requests to this path.

sandillio commented 5 years ago

@Tratcher So I have changed my CallbackPath = "/AzureADDemo" and my Reply URLs in Azure AD to "https://mydomain/AzureADDemo", since this is the endpoint referring to Wreply, and I still get the reply URL not matching error. Please correct me where I am going wrong, as I am having difficulty understanding this AAD.

Tratcher commented 5 years ago

and I still get reply url not matching error.

What's the exact error and where do you get it? That doesn't sound like an ASP.NET error, is it coming from AAD?

sandillio commented 5 years ago

Yes, that's the error from AAD.

Tratcher commented 5 years ago

You're going to need to work that out with AAD. The only advice I can give is that you need to be very careful of the value, AAD has been known to require exact matches, even case sensitive.
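To make the two points above concrete (CallbackPath is a middleware-owned endpoint, not a page, and AAD matches the reply URL exactly), here is an added example that is not code from the issue or from the ASP.NET Core repository. It assumes the app is hosted as an IIS sub-application under /AzureADDemo on .NET Core 2.1; the MetadataAddress and Wtrealm values are placeholders as in the thread, and the reply URL derivation (scheme + host + PathBase + CallbackPath) is what the WS-Federation handler does when Wreply is left unset.

```csharp
// Added example: minimal WS-Federation + cookie setup following the advice in this thread.
// Placeholders ("MetaDataAddress", "WtRealm") must be replaced with the tenant's real values.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class WsFedSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(options =>
        {
            options.MetadataAddress = "MetaDataAddress"; // placeholder
            options.Wtrealm = "WtRealm";                 // placeholder
            // Wreply is intentionally NOT set: the handler derives it from CallbackPath.
            // CallbackPath is served by the middleware itself; no controller action lives here.
            options.CallbackPath = "/signin-wsfed";      // this is the default, shown explicitly
            options.SaveTokens = true;
        })
        .AddCookie(options =>
        {
            options.LoginPath = "/Home/Signin";                 // a real page, not the callback
            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);  // cookie lifetime (Cookie.Expiration is not the setting to use)
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // send the auth cookie over HTTPS only
        });
    }

    // The reply URL the handler sends when Wreply is unset:
    // scheme://host + PathBase (the IIS sub-application, e.g. /AzureADDemo) + CallbackPath.
    // Register exactly this string in AAD (e.g. https://mydomain/AzureADDemo/signin-wsfed).
    public static string ExpectedReplyUrl(HttpRequest request, PathString callbackPath)
        => request.Scheme + "://" + request.Host + request.PathBase + callbackPath;

    // AAD compares reply URLs exactly, including case, so use an ordinal comparison
    // when checking the derived value against what was registered.
    public static bool MatchesRegistered(string expected, params string[] registeredInAad)
        => Array.Exists(registeredInAad, r => string.Equals(r, expected, StringComparison.Ordinal));
}
```

If the site is reached over HTTPS (UseHttpsRedirection is on), the registered reply URL must use https as well; a scheme mismatch is also an "exact match" failure.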

mkArtakMSFT commented 5 years ago

Thanks @Tratcher.

Closing this as there is no more action to be taken here from our side.

sandillio commented 5 years ago

@Tratcher Sorry for posting late, but I got it working. My solution is: I changed the reply URL in Azure to http://mydomain/yourappname/signin-wsfed and my ConfigureServices method to be as below.

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
            .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
            {
                options.MetadataAddress = "MetaDataAddress";
                options.Wtrealm = "WtRealm";
                options.SaveTokens = true;
            }).AddCookie(
                options =>
                {
                    options.Cookie.Name = ".AspNet.SharedCookie";
                    options.LoginPath = "/signin-wsfed";
                    options.Cookie.Expiration = TimeSpan.FromMinutes(20);
                    options.Cookie.SecurePolicy = CookieSecurePolicy.None;
                    options.Cookie.SameSite = SameSiteMode.None;
                });

        services.AddMvc();
    }

Tratcher commented 5 years ago

Remove options.LoginPath = "/signin-wsfed";, it doesn't belong there. LoginPath won't be used unless someone calls Challenge on Cookies rather than WsFed.