Open agileramblings opened 3 years ago
Looking in Fiddler at a version of Skoruba that works (pre-v1 instance)
and the v2 instance
I don't understand why the cookies are different. Both are pointing at the same AAD instance.
These are the URLs in Fiddler back-to-back
I've made this work, but I suspect there is a better way.
I noticed that the first call after Account/ExternalLogin?
was different between the two sites. The current v2 of Skoruba called:
but the previous version called...
Switching it off ("UseAzureAdProvider": false) and inserting
using Microsoft.IdentityModel.Tokens;

var authenticationBuilder = services.AddAuthentication()
    .AddOpenIdConnect("OpenIdConnect", "Login with Azure AD (O365)", options =>
    {
        // "common" endpoint: multi-tenant sign-in, so the issuer differs per tenant
        options.Authority = "https://login.microsoftonline.com/common";
        // ValidateIssuer = false means an id_token from any Azure AD tenant is accepted
        options.TokenValidationParameters =
            new TokenValidationParameters { ValidateIssuer = false };
        options.ClientId = "<snipped>";
        options.ClientSecret = "<snipped>";
        options.CallbackPath = "/signin-oidc";
        options.Scope.Add("user:email"); // scope as posted
    });
Resolved the problem with being unable to log into the STS.
I solved it by following the advice from the Microsoft Identity Web library: with the latest version, to make Identity work with Azure AD or any other Microsoft Identity protected auth system, you need to set the cookieScheme parameter to null:
if (externalProviderConfiguration.UseAzureAdProvider)
{
    authenticationBuilder.AddMicrosoftIdentityWebApp(options =>
    {
        options.ClientSecret = externalProviderConfiguration.AzureAdSecret;
        options.ClientId = externalProviderConfiguration.AzureAdClientId;
        options.TenantId = externalProviderConfiguration.AzureAdTenantId;
        options.Instance = externalProviderConfiguration.AzureInstance;
        options.Domain = externalProviderConfiguration.AzureDomain;
        options.CallbackPath = externalProviderConfiguration.AzureAdCallbackPath;
    },
    // cookieScheme: null stops Microsoft.Identity.Web from registering its own cookie scheme and
    // leaves the OIDC handler's SignInScheme at the app default, which under ASP.NET Identity is the
    // external cookie that SignInManager.GetExternalLoginInfoAsync() reads.
    cookieScheme: null);
}
Thanks for reporting this and for PR as well. 👍
Describe the bug
When enabling AzureAd and filling in the required configuration values, External Login goes to the AAD login pages, completes authentication, then when returning to complete logging into the STS app, the page simply goes to the login page again (https://sts.skoruba.local/Account/Login). The AAD cookie is present, so clicking on the OpenIdConnect button over and over causes the app to continuously return to the https://sts.skoruba.local/Account/Login page without requiring further AAD authentication steps. Local logins work as expected.
To Reproduce
Relevant parts of the log file
Watching the log file, there are no errors/warnings. Setting a breakpoint at ~ln 384 of AccountController.cs shows that
    var info = await _signInManager.GetExternalLoginInfoAsync();
returns null for an unknown reason.
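The snippet below is an added example, not code from this issue or from Skoruba, to make the sign-in-scheme mismatch concrete. It assumes ASP.NET Core with ASP.NET Core Identity (SignInManager) and the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the TenantId and ClientId values are placeholders, and the AccountController is a sketch rather than Skoruba's real controller. It pins the external OpenID Connect handler to Identity's external cookie (the one GetExternalLoginInfoAsync reads), uses a single-tenant authority so issuer validation can stay on instead of the /common + ValidateIssuer = false combination posted above, and fails closed with an explicit reason when the external login info is missing instead of silently redirecting to the login page.

```csharp
// Added example, not code from the issue or from Skoruba. Assumes ASP.NET Core with
// ASP.NET Core Identity (SignInManager) and Microsoft.AspNetCore.Authentication.OpenIdConnect.
// TenantId/ClientId are placeholders; the AccountController below is a sketch, not Skoruba's.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdExternalLogin
{
    private const string TenantId = "00000000-0000-0000-0000-000000000000"; // placeholder
    private const string ClientId = "00000000-0000-0000-0000-000000000001"; // placeholder

    public static AuthenticationBuilder AddAzureAdExternalLogin(
        this AuthenticationBuilder builder, string clientSecret)
    {
        return builder.AddOpenIdConnect("OpenIdConnect", "Login with Azure AD", options =>
        {
            // Single-tenant v2.0 authority: the issuer is fixed, so the handler's default issuer
            // validation can stay on. The "/common" authority with ValidateIssuer = false would
            // accept an id_token minted for any Azure AD tenant.
            options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
            options.ClientId = ClientId;
            options.ClientSecret = clientSecret;
            options.CallbackPath = "/signin-oidc";
            options.ResponseType = OpenIdConnectResponseType.Code; // code flow, not implicit id_token

            // The setting this issue turns on: the remote handler must persist its result in
            // Identity's external cookie, which is the only place SignInManager.GetExternalLoginInfoAsync()
            // looks. A ticket written to any other cookie scheme leaves that call returning null, and
            // the app bounces back to /Account/Login even though the AAD session exists.
            options.SignInScheme = IdentityConstants.ExternalScheme;

            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("email");

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = $"https://login.microsoftonline.com/{TenantId}/v2.0",
                NameClaimType = "name",
            };
        });
    }
}

// Sketch of the callback side (assumption: Skoruba's AccountController is different).
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpGet]
    public IActionResult Login(string returnUrl = null, string error = null) => View();

    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null)
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
        {
            // Either the ticket was not written to IdentityConstants.ExternalScheme or the external
            // cookie is gone. Fail closed with an explicit reason instead of silently re-prompting;
            // a silent redirect is exactly the loop described in the issue.
            return RedirectToAction(nameof(Login), new { error = "external_login_info_missing" });
        }

        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: false);
        if (result.Succeeded)
            return LocalRedirect(returnUrl ?? "/"); // LocalRedirect rejects open-redirect targets

        // Not linked to a local account yet: hand off to an account-linking step (not shown).
        return RedirectToAction(nameof(Login), new { error = "external_account_not_linked" });
    }
}
```

Wire it up with services.AddAuthentication().AddAzureAdExternalLogin(clientSecret) after AddIdentity. If you must stay multi-tenant on the /common authority, keep ValidateIssuer on and supply the allowed tenant issuers via ValidIssuers rather than disabling validation.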