davidjrh / dnn.azureadprovider

The DNN Azure Active Directory Provider is an Authentication provider for DNN Platform (formerly DotNetNuke) that uses Azure Active Directory OAuth2 authentication to authenticate users.
MIT License

Problem after update AD password #46

Closed rodsmr closed 1 year ago

rodsmr commented 3 years ago

Environment

Problem: I updated my Azure Active Directory (AAD) password a few days ago; after this change, I tried to log in to my site and got the attached error (ErroreAAD). If I discard the saved user/password and try the new value (same email but a different password), I can log in.

  1. Is it normal?
  2. Does it depend on the AAD config?
  3. How can I avoid it?

Thanks for the support, best regards

rodsmr commented 3 years ago

I need to reopen this issue. Today a user updated their AAD password and had the same problem.

swalker1595 commented 3 years ago

@rodsmr , does the user have a Microsoft LIVE account with the same credentials as their AAD account?

rodsmr commented 3 years ago

@rodsmr , does the user have a Microsoft LIVE account with the same credentials as their AAD account?

I suppose yes (but I really don't know). Is there a way to debug?

swalker1595 commented 3 years ago

I'm not sure if there is a way to debug but we have had instances (not specific to DNN) where users had both a Personal Microsoft Live Account and an AAD Account with the same credentials. When this happens, I have seen instances where they will be redirected to https://login.live.com/ to login instead of https://login.microsoftonline.com/

If the user is logging into login.live.com instead of login.microsoft.com, you will get the error message you sent. Just one thought.

rodsmr commented 3 years ago

@swalker1595 thanks. Can I force the use of https://login.microsoftonline.com/ instead of https://login.live.com/ ?

swalker1595 commented 3 years ago

In fact, I was just able to recreate your exact issue by logging into our DNN tenant with my personal (Non-AAD) credentials:


swalker1595 commented 3 years ago

I don't think there's any way to prevent this as it's Microsoft's intended behavior to redirect users to login.live.com

I hate linking to external sites but here's some documentation I found: https://stackoverflow.com/questions/37245600/how-to-prevent-redirect-from-login-microsoftonline-com-to-login-live-com-while-u https://docs.microsoft.com/en-us/answers/questions/34806/azure-ad-404-error-when-login-with-microsoft-accou.html https://answers.microsoft.com/en-us/outlook_com/forum/all/loginmicrosoftonlinecom-redirecting-to/34fc19c7-6523-4a0f-b210-7c26b13c8316

rodsmr commented 3 years ago

@swalker1595 thank you very much, I read your docs!

rodsmr commented 3 years ago

Hi @swalker1595, following the Microsoft OAuth 2.0 doc, I modified the AzureClient.cs code to add a new QueryParameter("prompt", "login") in the Authorize() method.

I think this setting could be chosen by the user during configuration. @davidjrh, what do you think about my idea?
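To illustrate the change proposed above, here is an added Python example (not the provider's C# code) that builds the Azure AD v2.0 authorize request with and without the `prompt=login` parameter, plus a check that tells whether a given request URL will force a fresh sign-in. The tenant, client id and redirect URI values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Azure AD v2.0 authorization endpoint; {tenant} is the tenant id or domain.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, state,
                        force_login=False, scope="openid profile email"):
    """Build the authorization-code request URL.

    With force_login=True the request carries prompt=login, which tells
    Azure AD to ignore any existing browser session and ask the user to
    re-enter credentials. Without it, Azure AD may silently reuse a session
    established with stale credentials (the symptom reported in this issue).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,  # CSRF token; caller must verify it on the callback
    }
    if force_login:
        params["prompt"] = "login"
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def forces_fresh_login(url):
    """Return True if the authorize URL requests an interactive re-login."""
    query = parse_qs(urlsplit(url).query)
    return query.get("prompt") == ["login"]


if __name__ == "__main__":
    # Constructed placeholder values, not real tenant data.
    url = build_authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                              "https://dnn.example.com/Login", state="abc123", force_login=True)
    print(url)
    print("forces fresh login:", forces_fresh_login(url))
```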

davidjrh commented 2 years ago

This sounds like an advanced setting to set through a dropdown and the corresponding help shown below.


davidjrh commented 1 year ago

Fixed on PR #69

Thanks @alendv for the contribution.