
I followed this tutorial from Microsoft to add Microsoft sign-in to my project - ASP.NET MVC on .NET 4.7.2.

I managed to log in to my Microsoft account and access the main page. However, when I tried to log out and log in again, instead of reaching the main page it throws "403 Forbidden Microsoft-Azure-Application-Gateway/v2". I tried deleting the history and closing the page, and was able to log in, but on the 2nd attempt I get the same error again.

I checked the cookie history and it seems that the cookie .AspNet.Cookies is causing the problem. When I remove .AspNet.Cookies, I'm able to access the page without any error.


I tried to implement the SameSiteCookieManager class from this tutorial and added it to my startup.cs, hoping it would help, but I had no luck with that.

using Microsoft.Owin;                 // PathString, SameSiteMode
using Microsoft.Owin.Host.SystemWeb;  // SystemWebCookieManager
using Microsoft.Owin.Security.Cookies;
using Owin;

public void Configuration(IAppBuilder app)
{
    // The OpenID Connect middleware signs in through the cookie middleware.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        LoginPath = new PathString("/Home/Login"),
        // Lax lets the cookie ride along on the top-level redirect back from login.microsoftonline.com.
        CookieSameSite = SameSiteMode.Lax,
        // SameSiteCookieManager is the class from the linked tutorial; it wraps the
        // System.Web cookie manager and strips SameSite=None for browsers that mishandle it.
        CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
    });
}

Can anyone point out what the issue is here? I have been struggling with this for almost 2 weeks. I'd really appreciate any kind of help.


1 Answer


ASP.NET MVC error 403 forbidden Microsoft-Azure-Application-Gateway/v2

  • I have followed the given document and am able to log in, log out and log in again without any issues, by changing a few settings in Azure Active Directory
  • Navigate to Azure Portal => Azure Active Directory => Your Registered App => Authentication => Add Platform
  • Click on Add Platform => Select Web => Add Redirect URIs and Front-channel logout URL
  • Under Implicit grant and hybrid flows, make sure the ID tokens checkbox is selected => Configure


  • I'm using my existing platform, Mobile and desktop applications. Could that be the issue? Is the logout URL a must? Did you implement the SameSite cookie as well for this? – CnV Jun 28 '22 at 01:16
  • I have not implemented the SameSite cookie. I followed only the 1st document. Yes, the logout URL is a must. Have you tried that? – Harshitha Veeramalla Jun 28 '22 at 02:02
  • I haven't tried adding the logout URL, as I'm using the existing Mobile & Desktop application platform. Can I check, will there be any impact on the existing application if I add the logout URL to it? Will the application logout URL direct to the same URL? – CnV Jun 28 '22 at 02:45
  • Haven't checked yet, need to verify that – Harshitha Veeramalla Jun 28 '22 at 02:53
  • Hi @HarshithaVeeramalla-MT, I've followed your method to add the logout URL. I'm able to log out and log in multiple times. However, I still encounter the 403 Forbidden Microsoft Gateway. I think I have the same issue as this: https://stackoverflow.com/questions/58906669/azure-front-door-waf-is-blocking-aspnet-applicationcookie There are 2 dashes (--) in my cookies, and it seems my WAF is blocking them. I tried turning off rule 942440, and it works with no issue. However, I would prefer not to make any changes to the rule. Is there any way to solve this? – CnV Jun 29 '22 at 01:50
  • Would it be possible to not use cookies for this login? – CnV Jun 29 '22 at 01:51
  • 1
    AFAIK disabling the firewall is the current option available to resolve the issue. – Harshitha Veeramalla Jun 29 '22 at 05:17
  • will there be any negative impact if this rule is off? – CnV Jun 29 '22 at 10:39
  • 1
    Instead of disabling the entire Firewall, Just disable/remove the rule which is blocking your Request – Harshitha Veeramalla Jun 29 '22 at 10:47
  • I'm not sure if this solution consider good or not. I added 2 custom exclusion rules to exclude 2 cookies: AspNet.Cookies and OpenIdConnect.nonce. It seems to work for my case. – CnV Jun 29 '22 at 11:13
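The comment thread ends with the poster excluding the two cookie names from rule 942440 rather than disabling the rule or the whole WAF. The example below is an added illustration, not code from the poster or from Microsoft, of why that is the right granularity: it models the OWASP CRS rule 942440 ("SQL Comment Sequence Detected") with a simplified version of its pattern and applies Azure-WAF-style exclusions (match variable RequestCookieNames, operator, selector) before inspection. The OWIN cookie ticket is base64url-encoded, so a random ticket can legitimately contain "--", which is what trips the rule; the OWIN nonce cookie name carries a per-request suffix after `OpenIdConnect.nonce.`, so that exclusion uses a prefix match. The cookie values, the query strings and the regex are constructed here for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Simplified stand-in for OWASP CRS rule 942440 "SQL Comment Sequence Detected".
# The real pattern is longer; this subset is enough to show why a base64url-encoded
# cookie value containing "--" matches (assumption: the CRS pattern is approximated here).
SQL_COMMENT_RE = re.compile(r"/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-")
RULE_ID = "942440"


def cookie_name_excluded(name, exclusions):
    """Exclusion entries mimic an Azure WAF exclusion on RequestCookieNames:
    (operator, selector). Only the operators used below are modelled."""
    for operator, selector in exclusions:
        if operator == "Equals" and name == selector:
            return True
        if operator == "StartsWith" and name.startswith(selector):
            return True
        if operator == "Contains" and selector in name:
            return True
    return False


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs; values are kept raw."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value))
    return pairs


def evaluate_request(query_string, cookie_header, exclusions=(), rule_enabled=True):
    """Return ("allow" | "block", reason) for one request.

    Query-string arguments are always inspected; cookie values are inspected
    unless the cookie name matches an exclusion. Disabling the rule skips
    inspection of everything, which is the over-broad fix the thread warns against.
    """
    if not rule_enabled:
        return "allow", f"rule {RULE_ID} disabled (nothing inspected)"
    targets = [(f"ARGS:{n}", v) for n, v in parse_qsl(query_string, keep_blank_values=True)]
    for name, value in parse_cookie_header(cookie_header):
        if cookie_name_excluded(name, exclusions):
            continue
        targets.append((f"REQUEST_COOKIES:{name}", value))
    for where, value in targets:
        if SQL_COMMENT_RE.search(value):
            return "block", f"rule {RULE_ID} matched {where}"
    return "allow", "no match"


# Constructed sample data (not captured from the poster's application).
ASPNET_COOKIE = ".AspNet.Cookies=A1b2--C3d4_e5-F6"          # ticket that happens to contain "--"
NONCE_COOKIE = "OpenIdConnect.nonce.k7Qp=zz--q-1"           # per-request suffix after the prefix
LOGIN_COOKIES = f"{ASPNET_COOKIE}; {NONCE_COOKIE}"
EXCLUSIONS = (("Equals", ".AspNet.Cookies"), ("StartsWith", "OpenIdConnect.nonce."))

if __name__ == "__main__":
    cases = [
        ("no exclusions, normal page load", "page=1", LOGIN_COOKIES, {}),
        ("cookie exclusions, normal page load", "page=1", LOGIN_COOKIES, {"exclusions": EXCLUSIONS}),
        ("cookie exclusions, SQLi in query", "id=1'--", LOGIN_COOKIES, {"exclusions": EXCLUSIONS}),
        ("rule disabled, SQLi in query", "id=1'--", LOGIN_COOKIES, {"rule_enabled": False}),
        ("cookie exclusions, '--' in another cookie", "page=1",
         LOGIN_COOKIES + "; session=ab--cd-e", {"exclusions": EXCLUSIONS}),
    ]
    for label, qs, cookies, kwargs in cases:
        print(f"{label:45} -> {evaluate_request(qs, cookies, **kwargs)}")
```

The two exclusions keep the rule active for query strings, other cookies and headers, so an injection attempt in a parameter is still blocked, whereas disabling 942440 (or the firewall) lets it through. In Azure Application Gateway WAF v2 with CRS 3.2 the same effect is achieved with a per-rule exclusion scoped to 942440 on the RequestCookieNames match variable, which is narrower than a policy-wide exclusion of those cookie names.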