skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0

Problems configuring external provider such as Azure AD #175

Open diego-gtm opened 9 months ago

diego-gtm commented 9 months ago

Detail of the execution environment

I'm using the images generated in DockerHub.

I've set up my proper values.

Running a docker-compose up -d to get my environment up.

Works properly!

But now I want to use Azure AD as an external provider (my intention is that my users, configured on my IDS, can use their own Azure AD accounts in order to log in).

Configuration sample

On my docker-compose.yaml I've changed the proper values (I think the relevant section is skoruba-duende-identityserver-sts-identity and the ExternalProvidersConfiguration values, but I put my whole file).

I have omitted sensitive sections, as well as values with private information (those with XXX as value).

version: '3.4'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx
    ports:
      - '443:443'
    environment:
      - VIRTUAL_PORT=443
      - VIRTUAL_PROTO=https
      - DEFAULT_HOST=sts.mydomain.com
    networks:
      proxy: null
      identityserverui:
        aliases:
          - sts.mydomain.com
          - admin.mydomain.es
          - admin-api.mydomain.es
    restart: always
  ids.admin:
    image: skoruba/duende-identityserver-admin:1.2.0   
    container_name: skoruba-duende-identityserver-admin
    environment:
      - VIRTUAL_HOST=admin.mydomain.es
      - VIRTUAL_PORT=443
      - VIRTUAL_PROTO=https 
      - 'AdminConfiguration__IdentityAdminBaseUrl=https://admin.mydomain.es'
      - 'AdminConfiguration__IdentityAdminRedirectUri=https://admin.mydomain.es/signin-oidc'
      - 'AdminConfiguration__IdentityServerBaseUrl=https://sts.mydomain.com'
      - 'AdminConfiguration__ClientId=XXX'
      - 'AdminConfiguration__ClientSecret=XXX'
      - 'AdminConfiguration__OidcResponseType=code'
      - DockerConfiguration__UpdateCaCertificate=true
      - ASPNETCORE_ENVIRONMENT=Production
      - 'ASPNETCORE_URLS=https://+:443' 
    command: dotnet Skoruba.Duende.IdentityServer.Admin.dll /seed
    depends_on:
      - db
      - gtmotive.issidentityserver6.sts.identity
    volumes:
      XXX
    networks:
      identityserverui: null
  ids.admin.api:
    image: skoruba/duende-identityserver-admin-api:1.2.0
    container_name: skoruba-duende-identityserver-admin-api
    environment:
      - VIRTUAL_HOST=admin-api.mydomain.es
      - VIRTUAL_PORT=443
      - VIRTUAL_PROTO=https 
      - AdminApiConfiguration__RequireHttpsMetadata=true
      - 'AdminApiConfiguration__ApiBaseUrl=https://admin-api.mydomain.es'
      - 'AdminApiConfiguration__IdentityServerBaseUrl=https://sts.mydomain.com'
      - DockerConfiguration__UpdateCaCertificate=true
      - ASPNETCORE_ENVIRONMENT=Production
      - 'ASPNETCORE_URLS=https://+:443' 
    networks:
      identityserverui: null
  ids.sts:
    image: skoruba/duende-identityserver-sts-identity:1.2.0    
    container_name: skoruba-duende-identityserver-sts-identity
    environment:      
      - VIRTUAL_HOST=sts.mydomain.com
      - VIRTUAL_PORT=443
      - VIRTUAL_PROTO=https
      - 'AdminConfiguration__IdentityAdminBaseUrl=https://admin.mydomain.es'
      - 'AdvancedConfiguration__IssuerUri=https://sts.mydomain.com'
      - DockerConfiguration__UpdateCaCertificate=true
      - ASPNETCORE_ENVIRONMENT=Production
      - 'ASPNETCORE_URLS=https://+:443'
      - 'ExternalProvidersConfiguration__UseAzureAdProvider=true'
      - 'ExternalProvidersConfiguration__AzureAdClientId=XXX'
      - 'ExternalProvidersConfiguration__AzureAdTenantId=XXX'
      - 'ExternalProvidersConfiguration__AzureInstance=XXX'
      - 'ExternalProvidersConfiguration__AzureAdSecret=XXX'
      - 'ExternalProvidersConfiguration__AzureAdCallbackPath=https://sts.mydomain.com/signin-microsoft'
      - 'ExternalProvidersConfiguration__AzureDomain=mydomain.com'
    depends_on:
      - db
    networks:
      identityserverui:
        aliases:
          - sts.mydomain.com
  db:
    XXX
    networks:
      identityserverui: null    
volumes:
  dbdata:
    driver: local
networks:
  proxy:
    driver: bridge
  identityserverui:
    driver: bridge

Relevant parts of the log file

This is my problem

skoruba-duende-identityserver-sts-identity  | [2023-09-22T10:40:26.1227397+00:00][EROR][9][Microsoft.AspNetCore.Server.Kestrel] Connection id ""0HMTRB1AEDB4Q"", Request id ""0HMTRB1AEDB4Q:00000002"": An unhandled exception was thrown by the application.
skoruba-duende-identityserver-sts-identity  | System.ArgumentException: The path in 'value' must start with '/'. (Parameter 'value')
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Http.PathString..ctor(String value)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Http.PathString.FromUriComponent(String uriComponent)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Http.PathString.op_Implicit(String s)
skoruba-duende-identityserver-sts-identity  |    at Skoruba.Duende.IdentityServer.STS.Identity.Helpers.StartupHelpers.<>c__DisplayClass8_0.<AddExternalProviders>b__1(MicrosoftIdentityOptions options) in /src/src/Skoruba.Duende.IdentityServer.STS.Identity/Helpers/StartupHelpers.cs:line 422
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.ConfigureNamedOptions`1.Configure(String name, TOptions options)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass10_0.<Get>b__0()
skoruba-duende-identityserver-sts-identity  |    at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
skoruba-duende-identityserver-sts-identity  |    at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
skoruba-duende-identityserver-sts-identity  |    at System.Lazy`1.CreateValue()
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Identity.Web.MicrosoftIdentityWebAppAuthenticationBuilderExtensions.<>c__DisplayClass5_0.<AddMicrosoftIdentityWebAppInternal>b__3(OpenIdConnectOptions options, IServiceProvider serviceProvider, IOptionsMonitor`1 mergedOptionsMonitor, IOptionsMonitor`1 msIdOptionsMonitor, IOptions`1 msIdOptions)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.ConfigureNamedOptions`5.Configure(String name, TOptions options)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass10_0.<Get>b__0()
skoruba-duende-identityserver-sts-identity  |    at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
skoruba-duende-identityserver-sts-identity  |    at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
skoruba-duende-identityserver-sts-identity  |    at System.Lazy`1.CreateValue()
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.InitializeAsync(AuthenticationScheme scheme, HttpContext context)
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider.GetHandlerAsync(HttpContext context, String authenticationScheme)
skoruba-duende-identityserver-sts-identity  |    at Duende.IdentityServer.Hosting.FederatedSignOut.FederatedSignoutAuthenticationHandlerProvider.GetHandlerAsync(HttpContext context, String authenticationScheme) in /_/src/IdentityServer/Hosting/FederatedSignOut/FederatedSignoutAuthenticationHandlerProvider.cs:line 33
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
skoruba-duende-identityserver-sts-identity  |    at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
skoruba-duende-identityserver-sts-identity  |    at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
skoruba-duende-identityserver-sts-identity  |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

My question is

What am I doing wrong?

I'm running out of ideas... I suppose there is something related to AzureAdCallbackPath.

Any thoughts?

diego-gtm commented 9 months ago

I've finally got the configuration working!!

Mixing my configuration with another in open issues made it work (#73). Ty @erossini and @erossini-chi

Fixing my config

# this is important!!! I was putting my tenant Id and that is wrong
"AzureInstance": "https://login.microsoftonline.com/"   # this should be fine for everyone
# this is important too, I was putting my whole URI http://XXX.com/signin-aad-oidc, and it is enough to put the controller path
"AzureAdCallbackPath": "/signin-aad-oidc"

Now I only wonder which controller path would be the most correct value for AzureAdCallbackPath:

  1. /signin-microsoft
  2. /signin-aad-oidc
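The two mistakes in this thread (a full URL in AzureAdCallbackPath, which the STS feeds into an ASP.NET Core PathString that throws "must start with '/'", and a tenant id pasted into AzureInstance) are both cheap to catch before the container starts. The following Python pre-flight check is an added example, not code from the skoruba project or from the issue author; it reads the ExternalProvidersConfiguration__* entries of a compose environment list and reports the values the fix above corrects. The two environment lists are constructed from the broken and fixed values in this issue, the key names are the ones used in the compose file above, and the redirect_uri helper assumes the redirect URI registered on the Azure AD app registration is the STS issuer base joined with the relative callback path.

```python
import re
from urllib.parse import urlparse

PREFIX = "ExternalProvidersConfiguration__"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample: the sts service's environment entries as in the issue's
# compose file, with the two values that produced the PathString exception.
BROKEN_ENV = [
    "'ExternalProvidersConfiguration__UseAzureAdProvider=true'",
    "ExternalProvidersConfiguration__AzureAdClientId=XXX",
    "ExternalProvidersConfiguration__AzureAdTenantId=XXX",
    "ExternalProvidersConfiguration__AzureInstance=XXX",
    "ExternalProvidersConfiguration__AzureAdSecret=XXX",
    "ExternalProvidersConfiguration__AzureAdCallbackPath=https://sts.mydomain.com/signin-microsoft",
    "ExternalProvidersConfiguration__AzureDomain=mydomain.com",
]

# Constructed sample: the same service after the fix described in the reply.
FIXED_ENV = [
    "ExternalProvidersConfiguration__UseAzureAdProvider=true",
    "ExternalProvidersConfiguration__AzureAdClientId=XXX",
    "ExternalProvidersConfiguration__AzureAdTenantId=XXX",
    "ExternalProvidersConfiguration__AzureInstance=https://login.microsoftonline.com/",
    "ExternalProvidersConfiguration__AzureAdSecret=XXX",
    "ExternalProvidersConfiguration__AzureAdCallbackPath=/signin-aad-oidc",
    "ExternalProvidersConfiguration__AzureDomain=mydomain.com",
]


def parse_env(entries):
    """Turn KEY=VALUE compose entries into a dict keyed by the part after PREFIX.

    Compose allows the whole entry to be quoted (as in the issue's file), so
    strip those quotes before splitting on the first '='.
    """
    cfg = {}
    for entry in entries:
        key, sep, value = entry.strip().strip("'\"").partition("=")
        if sep and key.startswith(PREFIX):
            cfg[key[len(PREFIX):]] = value
    return cfg


def check_azure_ad(cfg):
    """Return a list of problems; an empty list means the Azure AD block looks sane."""
    findings = []
    if cfg.get("UseAzureAdProvider", "false").lower() != "true":
        return findings  # provider disabled, nothing to validate

    # 1. CallbackPath becomes an ASP.NET Core PathString, which throws
    #    "The path in 'value' must start with '/'" on anything else.
    path = cfg.get("AzureAdCallbackPath", "")
    if not path.startswith("/"):
        findings.append(
            "AzureAdCallbackPath must be a path relative to the STS host, "
            f"e.g. '/signin-aad-oidc', not {path!r}")

    # 2. AzureInstance is the login authority base URL, not the tenant id.
    instance = cfg.get("AzureInstance", "")
    if GUID_RE.match(instance):
        findings.append(
            "AzureInstance looks like a tenant id; it should be the authority URL "
            "https://login.microsoftonline.com/ (the tenant id goes in AzureAdTenantId)")
    else:
        parsed = urlparse(instance)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(
                f"AzureInstance must be an absolute https URL, got {instance!r}")

    # 3. The app registration values must all be present.
    for key in ("AzureAdClientId", "AzureAdTenantId", "AzureAdSecret"):
        if not cfg.get(key):
            findings.append(f"{key} is missing or empty")
    return findings


def redirect_uri(issuer_uri, callback_path):
    """Absolute redirect URI to register on the Azure AD app (assumption: the
    STS issuer base, AdvancedConfiguration__IssuerUri, joined with the relative
    callback path)."""
    return issuer_uri.rstrip("/") + callback_path


if __name__ == "__main__":
    for name, env in (("broken", BROKEN_ENV), ("fixed", FIXED_ENV)):
        problems = check_azure_ad(parse_env(env))
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
    print("register on Azure AD:",
          redirect_uri("https://sts.mydomain.com",
                       parse_env(FIXED_ENV)["AzureAdCallbackPath"]))
```

Run it against the compose file before `docker-compose up -d`; the broken list yields two findings (the absolute callback URL and the non-URL AzureInstance) and the fixed list none. Whichever of the two paths is chosen for AzureAdCallbackPath, the absolute form printed last is the value that has to match the redirect URI in the Azure AD app registration, otherwise the sign-in will fail on the Azure side after the local exception is gone.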