Azure authentication fails after upgrade from netcore upgrade 1.0.0 to 1.1.0

0
votes

After upgrading my projects to 1.1.0 I'm experiencing authentication errors now against my azure AD open ID authentication.

Fiddler is showing the error as:

WWW-Authenticate: Bearer error="invalid_request", error_codes="[90010]", error_description="AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.%0d%0aTrace.

This correlates to a 400 error, BadRequest, and the user cannot login.

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            ClientId = Configuration["Authentication:AzureAd:ClientId"],
            Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
            ClientSecret = Configuration["Authentication:AzureAd:ClientSecret"],
            CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],                
            ResponseType = OpenIdConnectResponseType.CodeIdToken,      
            GetClaimsFromUserInfoEndpoint = true,                
            Events = new OpenIdConnectEvents
            {
                OnAuthenticationFailed = OnAuthenticationFailed,
                OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
                OnMessageReceived = OnMessageReceived,
                OnTicketReceived = OnTicketRecieved,
                OnTokenValidated = OnTokenValidated,
                OnUserInformationReceived = OnUserInformationReceived,
                OnTokenResponseReceived = OnTokenResponseRecieved,
                OnRemoteFailure = OnRemoteFailure
            }        

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
    {
        var aadInstance = "https://login.microsoftonline.com/";
        var graphResourceId = "https://graph.windows.net";

        string userObjectId = (context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
        ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
        AuthenticationContext authContext = new AuthenticationContext(aadInstance + tenant);
        AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
            context.ProtocolMessage.Code, new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]), clientCred, graphResourceId);


        context.HandleCodeRedemption(authResult.AccessToken, authResult.IdToken);

    }

Do I need to handle the user claims differently now since i'm using a CodeIdToken and trying to use the GetClaimsFromuserInfoEndpoint option?

edit: If I comment out GetClaimsFromUserInfoEndpoint this works fine

1
azureauthenticationactive-directoryopenid

1 Answers

0
votes

Did you have any other custom code? It works well for me and here is the code for your reference:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{          
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    ClientId = Configuration["AzureAD:ClientId"],
    Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]),
    ClientSecret = Configuration["AzureAd:ClientSecret"],
    CallbackPath = new PathString("/signin-oidc"),
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    GetClaimsFromUserInfoEndpoint = true,
    Events = new OpenIdConnectEvents
    {
        OnAuthenticationFailed = OnAuthenticationFailed,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnMessageReceived = OnMessageReceived,
        OnTicketReceived = OnTicketRecieved,
        OnTokenValidated = OnTokenValidated,
        OnUserInformationReceived = OnUserInformationReceived,
        OnTokenResponseReceived = OnTokenResponseRecieved,
        OnRemoteFailure = OnRemoteFailure
    }

});

private Task OnRemoteFailure(FailureContext context)
{
    context.HandleResponse();
    context.Response.Redirect("/Home/Error?message=" + context.Failure.Message);
    return Task.FromResult(0);
}

private Task OnAuthenticationFailed(AuthenticationFailedContext context)
{
    return Task.FromResult(0);
}

private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
    return Task.FromResult(0);
}

private Task OnMessageReceived(MessageReceivedContext context)
{
    return Task.FromResult(0);
}

private Task OnTicketRecieved(TicketReceivedContext context)
{
    return Task.FromResult(0);
}

private Task OnTokenValidated(TokenValidatedContext context)
{
    return Task.FromResult(0);
}
private Task OnUserInformationReceived(UserInformationReceivedContext context)
{
    return Task.FromResult(0);
}

private Task OnTokenResponseRecieved(TokenResponseReceivedContext context)
{
    return Task.FromResult(0);
}

Here is the project.json file:

{
    "buildOptions": {
        "emitEntryPoint": true,
        "preserveCompilationContext": true
    },

    "runtimeOptions": {
        "gcServer": true
    },

    "dependencies": {
        "Microsoft.AspNetCore.Diagnostics": "1.0.0",
        "Microsoft.AspNetCore.Mvc": "1.0.0",
        "Microsoft.AspNetCore.Mvc.TagHelpers": "1.0.0",
        "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
        "Microsoft.AspNetCore.StaticFiles": "1.0.0",
        "Microsoft.Extensions.Configuration.FileExtensions": "1.0.0",
        "Microsoft.Extensions.Configuration.Json": "1.0.0",
        "Microsoft.Extensions.Logging": "1.0.0",
        "Microsoft.Extensions.Logging.Console": "1.0.0",
        "Microsoft.Extensions.Logging.Debug": "1.0.0",
        "Microsoft.AspNetCore.Authentication.Cookies": "1.0.0",
        "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
        "Microsoft.AspNetCore.Authentication.OpenIdConnect": "1.0.0",
        "Microsoft.NETCore.App": {
            "type": "platform",
            "version": "1.1.0"
        },
        "Microsoft.VisualStudio.Web.BrowserLink.Loader": "14.0.0"
    },

    "frameworks": {
        "netcoreapp1.1": {
            "imports": [
                "dotnet5.6",
                "dnxcore50",
                "portable-net45+win8"
            ]
        }
    },

    "tools": {
        "Microsoft.AspNetCore.Server.IISIntegration.Tools": {
            "version": "1.0.0-preview2-final",
            "imports": "portable-net45+win8+dnxcore50"
        }
    },

    "publishOptions": {
        "include": [
            "wwwroot",
            "Views",
            "appsettings.json",
            "web.config"
        ]
    },

    "scripts": {
        "prepublish": [ "npm install", "bower install", "gulp clean", "gulp min" ],
        "postpublish": [ "dotnet publish-iis --publish-folder %publish:OutputPath%" ]
    }
}