dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Facing Common endpoint error #19795

Closed KalyanChanumolu-MSFT closed 4 years ago

KalyanChanumolu-MSFT commented 4 years ago

The instructions here don't specifically mention which supported account type to choose. I selected "Personal Microsoft account users" since the article is related to configuring Microsoft Logins.


But this results in an error.


I believe this is because of MSAL now using a common endpoint?

Creating a new App Registration with supported account type as "All Microsoft account users" works without any errors.


We should update the documentation accordingly.



KalyanChanumolu-MSFT commented 4 years ago

assign @Rick-Anderson @01binary

01binary commented 4 years ago

Looks simple, I can do it this evening. I don't have a project to test with anymore, but I will change exactly the way it was suggested.

Rick-Anderson commented 4 years ago

@KalyanChanumolu-MSFT

But this results in an error. Next time paste in text rather than an image.

I tested this a month ago with personal and it worked.

KalyanChanumolu-MSFT commented 4 years ago

@Rick-Anderson Here is the text

Exception: invalid_request;Description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.

@01binary I have the sample. I will send it to you.

01binary commented 4 years ago

It sounds like the Microsoft Account OAuth provider is using a "common" endpoint, which makes sense. It's optimized for the "common case" of someone trying to log in with an Xbox, Outlook, or similar account.

The instructions that send you to Azure Active Directory to create a compatible App Registration should mention that you need to select a specific type that would be supported by the OAuth provider:


Haven't tried the code yet, but these options are reflected in App Registration manifest as follows:

The URL can be found by going to the Overview page for the App Registration and clicking the "Endpoints" button.

The OAuth provider for MS Account uses:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

See https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/MicrosoftAccount/src/MicrosoftAccountDefaults.cs#L13

I conclude therefore that the MS Account provider is hardwired to use "AzureADAndPersonalMicrosoftAccount" App Registration Audience, which is called "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" in Azure portal when creating a new App Registration. It seems like people should know that when they are going to use the Microsoft Account provider, then the App Registration that can work with it has to be created a certain way by picking the above option.

01binary commented 4 years ago

Trial results with various types of App Registrations, using MS Account provider and Blazor app I got from OP.

unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

I assume it's because Single Tenant must use Tenant ID in the URL, and since the MS Account provider is hardwired to use the common URL which does not contain a Tenant ID, it fails to find the App Registration specified by Client ID. This is expected.

The OAuth dialog is shown with a UI error that says You can't sign in here with a personal account. Use your work or school account instead. I selected my work account and it accepted the choice. This is expected.

The OAuth dialog is shown, no error. Logs in successfully.

Exception: invalid_request;Description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.

This error is the reason why we should explicitly call out which App Registration type will work with MS Account provider.

01binary commented 4 years ago

I recommend the following change under the bullet point that says "Pick a supported account type":

I have to sync my fork and create a pull request, etc.

KalyanChanumolu-MSFT commented 4 years ago

@01binary This is great.

@Rick-Anderson What would be the recommendation for customers that need to target "Microsoft Accounts only"?

Rick-Anderson commented 4 years ago

What would be the recommendation for customers that need to target "Microsoft Accounts only"?

I think you'd need to scaffold Identity and write your own code to handle that. @Tratcher, who's the right person to answer this question?

Tratcher commented 4 years ago

It should just be a matter of the developer setting AuthorizationEndpoint to the right value, but I don't know what that is at the moment. I'll check.

01binary commented 4 years ago

I suspected that was configurable (just the constant was hard-coded) but haven't looked there again. The OAuth URL for "Personal Microsoft Accounts Only" is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. You can verify by creating an App Registration with that type, going to its Overview page, and clicking the "Endpoints" button. Make sure the App Registration has "signInAudience": "PersonalMicrosoftAccount" in its Manifest, which means it's been created with that Personal type.

Here's what I got:

OAuth 2.0 authorization endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
OAuth 2.0 token endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/token
OpenID Connect metadata document: https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration

Tratcher commented 4 years ago

Ah, great. Yes, update the MicrosoftAccountOptions AuthorizationEndpoint and TokenEndpoint and re-validate.
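
The override Tratcher describes, written out as an added example (this is not code from AspNetCore.Docs, the aspnetcore repo, or any participant in this thread). It assumes an ASP.NET Core minimal-hosting app with the Microsoft.AspNetCore.Authentication.MicrosoftAccount package referenced, and it assumes three configuration keys of my own choosing: Authentication:Microsoft:ClientId, Authentication:Microsoft:ClientSecret, and Authentication:Microsoft:SignInAudience (the latter holding the App Registration manifest's signInAudience value). The switch maps that manifest value to the authority segment the thread establishes: "common" (the MicrosoftAccountDefaults value) for registrations that accept any Microsoft account, "consumers" for personal-only registrations, and a hard failure for a single-tenant registration, which the trial above shows cannot work with the provider's tenant-less URL.

```csharp
// Added example; not from the docs repo or this thread's authors.
// Assumed configuration keys: Authentication:Microsoft:{ClientId,ClientSecret,SignInAudience}.
// Secrets come from user-secrets or environment, never from source control.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;

var builder = WebApplication.CreateBuilder(args);

// The registration's manifest "signInAudience" decides which authority the
// provider must use. Default to the audience the provider is built for.
string audience = builder.Configuration["Authentication:Microsoft:SignInAudience"]
                  ?? "AzureADandPersonalMicrosoftAccount";

// Map the manifest audience to the URL segment; a mismatch is what produces the
// invalid_request / 'userAudience' error quoted earlier in this thread.
string tenantSegment = audience.ToLowerInvariant() switch
{
    "azureadandpersonalmicrosoftaccount" => "common",    // the MicrosoftAccountDefaults value
    "personalmicrosoftaccount"           => "consumers", // personal accounts only
    "azureadmultipleorgs"                => "common",    // work/school only; personal sign-in is refused by the dialog
    _ => throw new InvalidOperationException(
        $"signInAudience '{audience}' cannot be used with the Microsoft Account provider: " +
        "a single-tenant registration needs a tenant ID in the authority URL, which this provider does not send.")
};

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddMicrosoftAccount(options =>
    {
        options.ClientId = builder.Configuration["Authentication:Microsoft:ClientId"]
            ?? throw new InvalidOperationException("Authentication:Microsoft:ClientId is not configured.");
        options.ClientSecret = builder.Configuration["Authentication:Microsoft:ClientSecret"]
            ?? throw new InvalidOperationException("Authentication:Microsoft:ClientSecret is not configured.");

        // MicrosoftAccountOptions inherits AuthorizationEndpoint and TokenEndpoint from
        // OAuthOptions; both default to the /common/ URLs, so both must be overridden together
        // when the registration is restricted to personal accounts.
        options.AuthorizationEndpoint =
            $"https://login.microsoftonline.com/{tenantSegment}/oauth2/v2.0/authorize";
        options.TokenEndpoint =
            $"https://login.microsoftonline.com/{tenantSegment}/oauth2/v2.0/token";
    });

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? $"Signed in as {ctx.User.Identity.Name}"
        : "Not signed in; browse to /login")
   .AllowAnonymous();

// Starts the Microsoft Account challenge; the provider's default callback is /signin-microsoft.
app.MapGet("/login", () => Results.Challenge(
    new Microsoft.AspNetCore.Authentication.AuthenticationProperties { RedirectUri = "/" },
    new[] { MicrosoftAccountDefaults.AuthenticationScheme }));

app.Run();
```

When re-validating, check the "Endpoints" pane of the registration as 01binary describes and confirm that the two URLs the app sends to match the audience in the manifest; changing only AuthorizationEndpoint leaves the token exchange pointed at /common/, which fails for a consumer-only registration at the second leg of the flow.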

01binary commented 4 years ago

I failed to sync my fork, so I re-created and re-cloned everything - sorry for the delay.

KalyanChanumolu-MSFT commented 4 years ago

Thank you @01binary @Rick-Anderson

fakiriayoub commented 2 years ago

I suspected that was configurable (just the constant was hard-coded) but haven't looked there again. The OAuth URL for "Personal Microsoft Accounts Only" is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. You can verify by creating an App Registration with that type, going to its Overview page, and clicking the "Endpoints" button. Make sure the App Registration has "signInAudience": "PersonalMicrosoftAccount" in its Manifest, which means it's been created with that Personal type.

Here's what I got:

OAuth 2.0 authorization endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
OAuth 2.0 token endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/token
OpenID Connect metadata document: https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration

Good, it works for me, thanks.