Stack Overflow Asked by Bjorn on July 24, 2020
I’m trying to create a simple .NET Core 3.1 MVC app that requires authentication through Azure Active Directory, with B2C.
I’ve read multiple pieces of documentation, but still couldn’t get it to work. I’m able to run the user flow successfully (received info in https://jwt.ms/). However, if I’m running my application, this is what happens:
I took an example project (with https://fabrikamb2c.b2clogin.com) to see if the problem is inside my code, or it is in Azure settings. When I do that with the example settings, I correctly see a login screen. When I switch to my own settings, the above situation occurs. So I guess it has something to do with the settings in Azure. The correct flow (so with the example settings)
I do see some differences in this URL (around the scope, for example), but can’t figure out what causes my issue. Currently thinking of permissions?
Azure settings
Inside Azure subscription 2
Inside B2C subscription (Linked to subscription 2)
I hope anyone can give me some light here…
Update:
I tried to get some more light by using Fiddler. I can see:
With a response containing:
{
  "issuer": "https://{myb2cdomain}.b2clogin.com/{b2c-id}/v2.0/",
  "authorization_endpoint": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize",
  "token_endpoint": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/token",
  "end_session_endpoint": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/logout",
  "jwks_uri": "https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "idp",
    "sub",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}
GET https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/discovery/v2.0/keys
Containing
{
  "keys": [
    { "kid": "{id}", "nbf": 1111111111, "use": "sig", "kty": "RSA", "e": "AQAB", "n": "{long-id}" }
  ]
}
GET
https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access%20&response_mode=form_post&nonce={long.string}&client_info=1&state={long.string2}&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
The response as text is unreadable… although when I set the response view to XML, I do see some HTML here:
<html />
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Logging in...</title>
<meta name="CACHE-CONTROL" content="NO-CACHE" />
<meta name="PRAGMA" content="NO-CACHE" />
<meta name="EXPIRES" content="-1" />
</head>
<body>
<form id="auto" method="post" action="https://jwt.ms">
<div>
<input type="hidden" name="error" id="error" value="redirect_uri_mismatch" />
<input type="hidden" name="error_description" id="error_description" value="AADB2C90006: The redirect URI 'https://localhost:44316/signin-oidc' provided in the request is not registered for the client id
...
Containing…
The redirect URI ‘https://localhost:44316/signin-oidc’ provided in the request is not registered for the client id.
Guess I’ll need to check the redirect URIs…
Okay... it seems to be impossible to work locally with the redirect URL https://jwt.ms as redirect URL (or I simply do not know how. See also https://github.com/aspnet/Security/issues/1757).
The jwt.ms URL works great for testing the user flow, but not usable in production, as the appsetting value CallbackPath requires a relative path.
So... I added the Redirect URI in my B2C App registration to https://localhost:44316/signin-oidc, and.... tada! It works.
For now I added the CallbackPath to my appsettings.json, just to have it documented.
"CallbackPath": "/signin-oidc" // Default value: /signin-oidc. If changed, edit or add the matching redirect URI in the B2C App Registration
And I let my code pick it up later:
options.CallbackPath = AzureAdB2COptions.CallbackPath;
If you leave both of these lines out, it also works, as long as you specify /signin-oidc in the app registration redirect URI.
Sadly the error that occurred wasn't shown easily to the end user...
Answered by Bjorn on July 24, 2020
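The answer above boils down to two things: the absolute redirect_uri the middleware sends is scheme + host + CallbackPath, and B2C rejects it with AADB2C90006 unless that exact value is registered. The following ASP.NET Core 3.1 Startup is an added example, not code from the question or answer, that binds CallbackPath from configuration the way the answer describes and logs the outbound redirect_uri so it can be compared with the app registration before anyone has to dig through Fiddler. The configuration section name "AzureAdB2C" and its keys (Instance, Domain, SignUpSignInPolicyId, ClientId, CallbackPath) are assumptions; the authority layout follows the discovery document shown in the question.

```csharp
// Added example: ASP.NET Core 3.1 Startup for an Azure AD B2C sign-in.
// Assumed appsettings.json section (keys are assumptions, not from the post):
//   "AzureAdB2C": {
//     "Instance": "https://{myb2cdomain}.b2clogin.com",
//     "Domain": "{myb2cdomain}.onmicrosoft.com",
//     "SignUpSignInPolicyId": "b2c_1_susi",
//     "ClientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
//     "CallbackPath": "/signin-oidc"
//   }
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        var b2c = _config.GetSection("AzureAdB2C");

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Authority for a B2C user flow, matching the discovery document in the question:
            // https://{myb2cdomain}.b2clogin.com/{myb2cdomain}.onmicrosoft.com/b2c_1_susi/v2.0
            options.Authority = $"{b2c["Instance"]}/{b2c["Domain"]}/{b2c["SignUpSignInPolicyId"]}/v2.0";
            options.ClientId = b2c["ClientId"];
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;

            // CallbackPath is relative; the middleware builds the absolute redirect_uri
            // from the incoming request's scheme and host plus this path. Default: /signin-oidc.
            options.CallbackPath = b2c["CallbackPath"] ?? "/signin-oidc";

            options.Events = new OpenIdConnectEvents
            {
                // Log the exact redirect_uri that B2C will compare against the app registration.
                OnRedirectToIdentityProvider = ctx =>
                {
                    var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                    log.LogInformation(
                        "Sending redirect_uri {RedirectUri}; this exact value must be registered for the B2C app",
                        ctx.ProtocolMessage.RedirectUri);
                    return Task.CompletedTask;
                },

                // Surface errors B2C posts back to the callback instead of an unhandled exception page.
                OnRemoteFailure = ctx =>
                {
                    var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                    log.LogError(ctx.Failure, "Sign-in failed at the OpenID Connect callback");
                    ctx.Response.Redirect("/Home/Error");
                    ctx.HandleResponse();
                    return Task.CompletedTask;
                }
            };
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Running this locally on https://localhost:44316 logs `redirect_uri https://localhost:44316/signin-oidc`, which is the string that has to appear, byte for byte (scheme, host, port and path), in the app registration. Note that the OnRemoteFailure handler only helps once the app's own callback is registered: in the situation described in the question, B2C posted the AADB2C90006 error to https://jwt.ms, the only registered redirect URI, so the application never received it.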