3
votes

I'm having trouble making a request for an Authorization token using OpenIdConnect against Azure Active Directory.

I've tried numerous approaches where I pass my Authentication code to our AD tenant using AuthenticationContext.AcquireTokenByAuthorizationCodeAsync.

The specific error I'm getting is "AADSTS70002: Error validating credentials. AADSTS50011: The reply address 'http://localhost:5000/api/home/index' does not match the reply address 'http://localhost:5000/signin-oidc' provided when requesting Authorization code."

What I'm unsure of is why AD thinks my reply url is signin-oidc. I set the reply url to "http://localhost:5000/api/home/index" within my instance of AuthorizationContext; source code below. I've read that trailing / can be an issue, but I don't see that in my reply url. Also my reply url in code is the same as what I have registered within my web api in AD.

Any help would be appreciated. I've read many examples of how to use OpenId Connect against Azure AD, and it seems very inconsistent.

Stack Trace for requesting authorization t

Azure AD Reply URLs

// Configure the OWIN pipeline to use OpenIDConnect.
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    //AuthenticationScheme = "oidc",
    Authority = authority,
    ClientId = clientId,
    Scope = { "openid profile email offline" },
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    TokenValidationParameters = new TokenValidationParameters()
    {
        ValidateIssuer = false
    },

    Events = new OpenIdConnectEvents
    {
        OnAuthorizationCodeReceived = async context =>
        {
            var clientCred = new ClientCredential(clientId, clientSecret);

            var tenantId = "xxxx.onmicrosoft.com";

            var resource = new Uri(string.Format(organizationHostName, "*"));

            var authContext = new AuthenticationContext(aadInstance + tenantId);

            var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
                new Uri(redirectUri), clientCred, "https://login.windows.net/xxxxxxx-xxxx-xxxx-xxxxxxxxxxx/oauth2/token");

            context.TokenEndpointRequest.RedirectUri = redirectUri;
        },

        OnAuthenticationFailed = (context) => Task.FromResult(0)
    },
});
Here is some additional info I noticed while debugging. In the properties of the AuthorizationCodeReceivedContext, there are two URIs. One is for redirect, and the second is for OpenIdConnect.Code.Redirect. I'm trying to understand the difference between the two.

derek kenney

1 Answer

3
votes

When you request an access token using the authorization code flow, you have to provide the same redirect URI through which the user just signed in. That would be http://localhost:5000 I imagine.

The last parameter to authContext.AcquireTokenByAuthorizationCodeAsync should be the resource URI for the API you want an access token for. Currently you have it set to the token endpoint URL which is not going to work. If you want a token for the Azure AD Graph API, you have to set it to https://graph.windows.net.

So it should be something like:

var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
                    new Uri("http://localhost:5000/signin-oidc"), clientCred, "https://graph.windows.net");

This should not be necessary:

context.TokenEndpointRequest.RedirectUri = redirectUri;
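The two points the answer makes, as an added example that is not part of the question or the answer: a toy token endpoint that binds each authorization code to the redirect_uri of its /authorize request and rejects a /token request whose redirect_uri differs (even by a trailing slash) or whose resource is an endpoint URL rather than a registered API identifier. The authority, client id and secret are constructed placeholders, and the endpoint only simulates the checks Azure AD performs.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders standing in for the question's tenant and app registration (not real ids).
AUTHORITY = "https://login.microsoftonline.com/xxxx.onmicrosoft.com"
CLIENT_ID = "client-id-placeholder"
GRAPH_RESOURCE = "https://graph.windows.net"  # resource identifier of the Azure AD Graph API

def authorize_url(redirect_uri, state="state-1", nonce="nonce-1"):
    """The /authorize request the OWIN middleware sends; the code is posted back to redirect_uri."""
    params = {"client_id": CLIENT_ID, "response_type": "code id_token", "redirect_uri": redirect_uri,
              "scope": "openid profile email", "response_mode": "form_post", "state": state, "nonce": nonce}
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"

def token_request(code, redirect_uri, resource):
    """Body of the /token request that AcquireTokenByAuthorizationCodeAsync builds from its arguments."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "client_secret": "secret-placeholder",
            "code": code, "redirect_uri": redirect_uri, "resource": resource}

class SimulatedTokenEndpoint:
    """Toy stand-in for the tenant's /token endpoint: each code is bound to the redirect_uri it was issued for."""
    def __init__(self, registered_resources):
        self.registered = set(registered_resources)
        self.codes = {}

    def issue_code(self, url):
        redirect_uri = parse_qs(urlsplit(url).query)["redirect_uri"][0]
        code = f"code-{len(self.codes) + 1}"
        self.codes[code] = redirect_uri
        return code

    def redeem(self, body):
        bound = self.codes.pop(body["code"], None)  # a code can be redeemed once
        if bound is None:
            return {"error": "invalid_grant", "error_description": "unknown or already redeemed code"}
        # Exact string comparison: a different path, or even a trailing slash, is a mismatch (AADSTS50011).
        if body["redirect_uri"] != bound:
            return {"error": "invalid_grant", "error_description":
                    f"AADSTS50011: reply address {body['redirect_uri']!r} does not match {bound!r}"}
        # 'resource' must be an API identifier registered in the tenant, never an endpoint URL.
        if body["resource"] not in self.registered:
            return {"error": "invalid_resource", "error_description": f"unknown resource {body['resource']!r}"}
        return {"access_token": f"access-token-for-{body['resource']}", "resource": body["resource"]}

def run_flow(signin_redirect, token_redirect, resource):
    """Sign in via signin_redirect, then redeem the code with token_redirect and resource; returns the /token reply."""
    endpoint = SimulatedTokenEndpoint([GRAPH_RESOURCE])
    code = endpoint.issue_code(authorize_url(signin_redirect))
    return endpoint.redeem(token_request(code, token_redirect, resource))
```

Running run_flow with "http://localhost:5000/signin-oidc" for sign-in and "http://localhost:5000/api/home/index" for the token request reproduces the mismatch from the question; using the same URI for both and https://graph.windows.net as the resource returns a token.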