
I am trying to implement Azure AD on an ASP.NET WebForms application. In the Web.Config, I have added the information below:

    <add key="ida:RedirectUri" value="https://localhost:44320/" />
    <!--Directory_Name.onmicrosoft.com-->
    <add key="ida:Tenant" value="https://login.microsoftonline.com/000..." />
    <!--App ID URI of service APP-->
    <add key="ida:Audience" value="https://login.microsoftonline.com/000../federationmetadata/2007-06/federationmetadata.xml?appid=00000.." />
    <!--Client Application Client ID-->
    <add key="ida:TrustedCallerClientId" value="000..." />

The Startup.cs file calls Startup.Auth.cs, which contains the method below.

    // Startup.Auth.cs: bearer-token middleware for Azure AD; values come from Web.config
    public void ConfigureAuth_Azure(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
                {
                    // Expected "aud" claim of incoming tokens
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                },
                // Tenant ID or domain; the middleware builds its metadata URL from this value
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }

As soon as it hits this code, it throws an error:

    System.Net.Http.HttpRequestException HResult=0x80131500
    Message=Response status code does not indicate success: 404 (Not Found). Source= StackTrace:

RKh

1 Answer


Try with this code.

    // Usings needed by this snippet
    using System;
    using System.Configuration;
    using System.Globalization;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.Notifications;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    // Values read from web.config (key names assumed; match them to your own appSettings)
    static string clientId = ConfigurationManager.AppSettings["ClientId"];
    static string redirectUrl = ConfigurationManager.AppSettings["redirectUrl"];
    static string tenant = ConfigurationManager.AppSettings["Tenant"];
    // The Authority setting contains "{0}", which String.Format replaces with the tenant at startup
    static string authority = String.Format(CultureInfo.InvariantCulture,
        ConfigurationManager.AppSettings["Authority"], tenant);

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Sets the ClientId, authority, RedirectUri as obtained from web.config
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUrl,

                // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
                PostLogoutRedirectUri = redirectUrl,
                Scope = OpenIdConnectScope.OpenIdProfile,
                ResponseType = OpenIdConnectResponseType.IdToken,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    // false accepts tokens issued by any Azure AD tenant; a single-tenant app should set ValidIssuer instead
                    ValidateIssuer = false
                },
                // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed
                }
            });
    }

    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        context.HandleResponse();
        // The exception text is echoed to the browser here; log it server-side in production
        context.Response.Redirect("/?errormessage=" + context.Exception.Message);
        return Task.FromResult(0);
    }

You can follow the code sample below on GitHub
(https://github.com/azure-cxp-community/Azure-CXP-Community-Engineering/tree/master/src/DeveloperTools/WebApp.OpenIdConnect.Guide)

And also check this link

ShrutiJoshi-MT
  • It is giving the error: "Access denied". What permission is required on Azure AD, and in which section? – RKh Jul 27 '21 at 15:25
  • What does the Authority URL look like? – RKh Jul 27 '21 at 15:26
  • @Rkh, for AD you need to have administrator permission on Azure AD, and the URL for the authority is composed of the Azure Active Directory endpoint and the tenant name (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com) – ShrutiJoshi-MT Jul 28 '21 at 06:36
  • Do we need to hardcode the authority URL you mentioned? As of now the authority URL is: https://login.microsoftonline.com/{Directory ID} – RKh Jul 28 '21 at 11:16
  • You need to mention it inside the Web.config file like – ShrutiJoshi-MT Jul 28 '21 at 12:04
  • How will it replace {0} at runtime? – RKh Jul 28 '21 at 12:07
  • Can you please refer to this document https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp . Authentication is handled by the OWIN libraries – ShrutiJoshi-MT Jul 29 '21 at 05:32
  • I created a sample application using the code mentioned in the above link. I want to know whether I need to add code for X509 certificate validation as well? I found a link on this: https://www.domstamand.com/loading-x509-cert-from-azure-keyvault-into-netcore-app/ . With the code you suggested, how will the handshake happen without a certificate? – RKh Aug 09 '21 at 08:56
  • Can you please explain a little bit more about what you are actually looking for? – ShrutiJoshi-MT Aug 09 '21 at 09:21
  • I want to know if there is a need to add X509 certificate code as well, as described in the link above? I just created an app with the code given in the link you provided. But it opens a message asking: Justification for access to application – RKh Aug 09 '21 at 10:20
  • The message (Justification for access to application) may be due to some restricted permission. Can you please check these links https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow and https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal – ShrutiJoshi-MT Aug 09 '21 at 10:33
  • Yes, I am getting those checked. I just want to know if the X509 code also needs to be added or not? – RKh Aug 09 '21 at 11:17
  • An X509 certificate is used to authorize the token; try adding it. – ShrutiJoshi-MT Aug 12 '21 at 08:56
  • Any example of how to authenticate using X509? – RKh Aug 16 '21 at 11:13
  • Please check this document https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#special-considerations-for-certificate-validation and https://stackoverflow.com/questions/14933477/client-authentication-via-x509-certificates-in-asp-net – ShrutiJoshi-MT Aug 16 '21 at 13:24
  • Thanks for providing those links. I have used the code you provided above. I want to know if it is mandatory to validate using X509, or whether the code you provided will work? – RKh Aug 24 '21 at 12:35
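As an added example (not from the question, the answer, or the Microsoft tutorial), the following shows how tutorial-style Web.config values are composed at startup: String.Format fills the {0} in the Authority setting with the tenant, and the federation metadata address the bearer middleware needs is built from the same tenant value, so a tenant setting that is itself a full URL (as in the question's Web.config) yields an address that cannot be fetched. The key names, the metadata URL pattern (taken from the question's ida:Audience value) and the startup check are assumptions.

```csharp
// Added example: composing Azure AD settings from Web.config and failing fast
// on a malformed tenant value. Key names and the check are assumptions.
using System;
using System.Configuration;
using System.Globalization;

public static class AzureAdSettings
{
    // Constructed Web.config values this class expects:
    //   <add key="ida:Tenant"    value="contoso.onmicrosoft.com" />
    //   <add key="ida:Authority" value="https://login.microsoftonline.com/{0}" />
    //   <add key="ida:ClientId"  value="00000000-0000-0000-0000-000000000000" />
    public static string ClientId => ConfigurationManager.AppSettings["ida:ClientId"];

    // "{0}" in the Authority setting is an ordinary String.Format placeholder;
    // it is replaced by the tenant value when the setting is read, not by OWIN.
    public static string Authority =>
        string.Format(CultureInfo.InvariantCulture,
                      ConfigurationManager.AppSettings["ida:Authority"],
                      ValidatedTenant());

    // The bearer middleware derives its metadata address from the tenant value
    // (pattern as in the question's ida:Audience). If the tenant setting already
    // carries a scheme and host, the composed address is nonsense and the
    // metadata download fails at startup instead of validating any token.
    public static string MetadataAddress =>
        string.Format(CultureInfo.InvariantCulture,
            "https://login.microsoftonline.com/{0}/federationmetadata/2007-06/federationmetadata.xml",
            ValidatedTenant());

    // The tenant must be a directory ID (GUID) or a verified domain, never a URL.
    private static string ValidatedTenant()
    {
        string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        if (string.IsNullOrWhiteSpace(tenant))
            throw new ConfigurationErrorsException("ida:Tenant is missing.");
        // A bare domain or GUID is not a well-formed absolute URI; a full URL is.
        if (Uri.IsWellFormedUriString(tenant, UriKind.Absolute) || tenant.Contains("/"))
            throw new ConfigurationErrorsException(
                "ida:Tenant must be a tenant ID or domain (e.g. contoso.onmicrosoft.com), not a URL.");
        return tenant;
    }
}
```

Reading AzureAdSettings.Authority once in Startup.Auth.cs surfaces a bad tenant value as a clear configuration error rather than as a 404 from the metadata download.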