0

I've been trying to add auth to my web app following: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-1-MyOrg

If I run locally with appsettings.Development.json via dotnet run, I can log in using my organization credentials as expected. When I containerize and deploy to my Web App in Azure, I do not get logged in successfully. The url in the browser stays at /signin-oidc and goes to the Error page from the default Razor pages app.

The App Service logs have messages saying .AspNetCore.Correlation.OpenIdConnect.[key?] cookie not found

[Update] The auth flow works on my phone but not on desktop.

  1. Why would the same code work locally but not deployed?
  2. Why isn't the cookie found?
  3. Why does it work on iOS but not Windows?
Chris Sherry
  • 11
  • 5
  • Did you add the web app url information in your azure ad redirect url? When you test in your local machine, you should use url like `localhost:port/xxxx`, and after deploy to azure you should add the production env domain. – Tiny Wang Sep 14 '21 at 06:32
  • Yep. Did that. Before I remembered that setup, the error was a failed auth due to no matching redirect. Now it makes it all the way to my page, but the redirect url doesn't seem to be being handled. I don't have an Account action controller since I am using the `Microsoft.Identity.Web.UI AddMicrosoftIdentityUI()` extension. – Chris Sherry Sep 14 '21 at 06:44

2 Answers2

0

Try to remove app.UseCookiePolicy(); in startup class. Take a look here

Or the problem was IdentityServer was still using AddDeveloperSigningCredential

You can add a certificate in your code it will work perfectly

Refer here for more info

Delliganesh Sevanesan
  • 4,146
  • 1
  • 5
  • 15
  • Removing references to cookie policy has had no change in behavior. I'm not explicitly using an IdentityServer as in that example. Is one somehow injected behind the scenes? I was under the impression that AAD was the identity server. – Chris Sherry Sep 14 '21 at 07:13
  • Please have a look [here](https://stackoverflow.com/a/63211514/15997690) it may help to solve your issue. – Delliganesh Sevanesan Sep 14 '21 at 07:46
0

tl;dr - Setting the same-site cookie options in the authentication settings fixed this.

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureAd", options);
        options.NonceCookie.SameSite = SameSiteMode.Unspecified;
        options.CorrelationCookie.SameSite = SameSiteMode.Unspecified;
    });

This seems to be because the App Service enforces TLS-only and handles the TLS termination. Because of this, requests to the application are always HTTP even though the browser URL is HTTPS. This causes a number of problems, the first was that the redirect URL never matched since the Identity library uses the request scheme to form the redirect URL. I had "fixed" this by injecting a redirect URL rewrite:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureAd", options);
        options.Events ??= new OpenIdConnectEvents();
        options.Events.OnRedirectToIdentityProvider += _fixRedirect;
    });

...

private async Task _fixRedirect(RedirectContext context)
{
    context.Request.Scheme = "https";
    if(!context.ProtocolMessage.RedirectUri.StartsWith("https"))
        context.ProtocolMessage.RedirectUri = context.ProtocolMessage.RedirectUri.Replace("http", "https");
    await Task.CompletedTask;
}

However, the correlation cookie also seems to use the same HTTP request so that when the redirect comes back, the HTTPS doesn't match. Relaxing the SameSiteMode explicitly tells the browser(?) to allow the differing schemes. This is why my phone, with a different browser with different cookie policy, worked while desktop did not. Running locally using the dev-certs allowed the schemes to match since the app was terminating the TLS rather than the App Service.

I hooked into the CookiePolicyOptions.OnAppendCookie event to inspect the cookies while debugging to find this out.

Chris Sherry
  • 11
  • 5