1
votes

My MVC web app is deployed to Azure PaaS and secured using Azure AD. The authentication setup uses the sample code below as its base, and it works on localhost with either IIS Express or IIS.

https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect

But it is not working after deployment to Azure. Even though the user authenticates properly, the AuthorizationCodeReceived delegate is never invoked.

This is the startup code that sets up the authentication:

    using System.Threading.Tasks;
    using System.Web;
    using Microsoft.IdentityModel.Protocols;            // OpenIdConnectMessage
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.Notifications;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    // "Container" is the app's DI container (SimpleInjector, judging by GetInstance<T>).
    void ConfigureAuth(IAppBuilder app, Container container) {
        _log.Debug("Configuring Azure Authentication");

        AzureActiveDirectoryAppSetting setting = container.GetInstance<IAzureActiveDirectoryAppSettingFactory>().Get();

        // Sign-in results are persisted in the cookie middleware's session cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions() {
                ClientId = setting.ClientID,
                Authority = setting.Authority,
                PostLogoutRedirectUri = setting.PostLogoutRedirectUrl,
                // The authorization response (form_post) must arrive on this URL and be
                // handled by this middleware for the notifications below to fire.
                RedirectUri = setting.ReplyUrl,
                Notifications = new OpenIdConnectAuthenticationNotifications() {
                    // Lambdas and method groups convert to the delegate types directly,
                    // so the explicit new Func<...>(...) wrappers are not needed.
                    AuthorizationCodeReceived = args => OnAuthorizationCodeReceived(args, container),
                    AuthenticationFailed = OnAuthorizationFailed,
                }
            }
        );
    }

    Task OnAuthorizationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> args) {
        // Include the middleware's exception; a bare "Authorization Failed" hides the cause.
        _log.Error("Authorization Failed: " + args.Exception.Message);
        return Task.FromResult<object>(null);
    }

    Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification args, Container container) {
        _log.Debug("Authorization Code Received");
        var auth = container.GetInstance<IClaimsBasedAuthentication>();
        // Hand the code and the validated identity to the app's own redemption logic.
        return auth.ReceiveSecurityClaim(args.Code, args.AuthenticationTicket.Identity, HttpContext.Current);
    }

Here is the trace from Azure. As you can see, the authentication is successful, but the "Authorization Failed" or "Authorization Code Received" trace is nowhere to be found. The first error is from the AcquireTokenSilentAsync call. It failed because the token was never cached in the first place.

Any help is appreciated. Thanks!

- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Security.AzureADOpenIDAuthentication:AzureADOpenIDAuthentication Created
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:Web App Configuration
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:All areas registered
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:Routes registered
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:Bundles registered
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:Configuring Azure Authentication
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:ClientID:xxx
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:Authority:https://login.microsoftonline.com/rushuioutlook.onmicrosoft.com
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:PostLogoutRedirectUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:ReplyUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:Tenant:rushuioutlook.onmicrosoft.com
- 2017-06-10T22:19:00  PID[7692] Verbose     Received request: GET http://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00  PID[7692] Information Redirecting: https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00  PID[7692] Verbose     Received request: GET https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00  PID[7692] Information Redirecting: https://login.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Falbatrossweb.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=40ca9b08-b857-4307-9ba3-5815031e9ddf&scope=openid+profile+email&response_mode=form_post&nonce=4a0abda18cf6448fb5b8095efb546871_20170610222400&state=redir%3D%252F
- 2017-06-10T22:19:29  PID[7692] Verbose     Received request: POST https://albatrossweb.azurewebsites.net/.auth/login/aad/callback
- 2017-06-10T22:19:29  PID[7692] Verbose     JWT validation succeeded. Subject: 'iit96kJ_mJn8Qt0f3kKAZm3qFKMGR2BMjVEnI45JBRc', Issuer: 'https://sts.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/'.
- 2017-06-10T22:19:29  PID[7692] Verbose     Calling into external HTTP endpoint POST https://login.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/oauth2/token.
- 2017-06-10T22:19:29  PID[7692] Information Login completed for '[email protected]'. Provider: 'aad'.
- 2017-06-10T22:19:29  PID[7692] Verbose     Writing 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:29  PID[7692] Information Redirecting: https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:31  PID[7692] Verbose     Received request: GET https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:31  PID[7692] Verbose     Found 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:31  PID[7692] Verbose     Authenticated [email protected] successfully using 'Session Cookie' authentication.
- 2017-06-10T22:19:31  PID[7692] Verbose     [Routes(Preview)] No authorization configuration was found.
- 2017-06-10T22:19:33  PID[7692] Error       Albatross.Web.Controllers.ServiceController:Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException: Failed to acquire token silently as no token was found in the cache. Call method AcquireToken

Edit for clarification on the marked answer:

As Nan Yu stated, this problem can be duplicated when the "Authentication / Authorization" feature is enabled. The working setup is in the picture below.

  1. Make sure "App Service Authentication" is On.
  2. Action to take when request is not authenticated: "Allow Anonymous requests (no action)". This is what got me stuck for a month; I had this on "Log in with Azure Active Directory".
  3. Configure the Azure Active Directory correctly. You can find this info in the tutorials (Azure Active Directory Setup).

1
Try setting ResponseType = "code id_token" in the Open ID Connect options. It's pretty odd though that I didn't have to specify that and still got a code. - juunas

1 Answer

6
votes

According to the reply URL (https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/), it seems you enabled the "Authentication / Authorization" feature of Azure App Service, and I could reproduce that if I enabled "Authentication / Authorization". In that scenario, Easy Auth will take over the authentication process. If you enabled "Authentication / Authorization" of App Service, please try to disable it and try again.
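What the answer and the question's edit converge on, as an added example that is not the poster's code, the answer's, or the linked Azure sample's: App Service Authentication (Easy Auth) reserves every path under /.auth/ and handles requests there before they reach the app, so an OWIN RedirectUri pointing at /.auth/login/aad/callback is consumed by Easy Auth (the "JWT validation succeeded" and "Writing 'AppServiceAuthSession' cookie" lines in the trace are Easy Auth, not OWIN) and AuthorizationCodeReceived never fires. Because the app never redeems the code, ADAL's cache stays empty and the later AcquireTokenSilentAsync throws the exception at the end of the trace. The block below refuses a /.auth/ reply URL at startup, redeems the code into a per-user ADAL token cache, and shows the matching silent call a controller would make. AuthSettings, PerUserTokenCache, the /signin-oidc path and the ResourceId value are assumptions for the example; the OWIN 3.x and ADAL.NET 3.x calls are the real APIs.

```csharp
// Added example, not the poster's, the answer's or the Azure sample's code.
// Assumes Microsoft.Owin.Security.OpenIdConnect 3.x and ADAL.NET 3.x.
// AuthSettings and PerUserTokenCache are hypothetical types defined here.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class AuthSettings
{
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public string Authority { get; set; }             // https://login.microsoftonline.com/{tenant}
    public string RedirectUri { get; set; }           // e.g. https://albatrossweb.azurewebsites.net/signin-oidc (hypothetical path)
    public string PostLogoutRedirectUri { get; set; }
    public string ResourceId { get; set; }            // API called on the user's behalf, e.g. https://graph.windows.net
}

// In-memory ADAL cache keyed by the user's object id. Swap the dictionary for a
// persistent store (SQL, Redis) when the app runs on more than one instance.
public class PerUserTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store = new ConcurrentDictionary<string, byte[]>();
    private readonly string _userId;

    public PerUserTokenCache(string userId)
    {
        _userId = userId;
        BeforeAccess = args =>
        {
            byte[] blob;
            if (Store.TryGetValue(_userId, out blob)) Deserialize(blob);
        };
        AfterAccess = args =>
        {
            if (!HasStateChanged) return;
            Store[_userId] = Serialize();
            HasStateChanged = false;
        };
    }
}

public static class OwinAuthConfig
{
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    public static void ConfigureAuth(IAppBuilder app, AuthSettings settings)
    {
        // Easy Auth intercepts everything under /.auth/ before the app sees it, so a
        // RedirectUri there can never reach the OWIN notifications. Fail at startup.
        var redirect = new Uri(settings.RedirectUri);
        if (redirect.AbsolutePath.StartsWith("/.auth/", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "RedirectUri " + settings.RedirectUri + " is an App Service Authentication route; " +
                "use a path this app handles and register it as a reply URL on the AAD app.");
        }

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = settings.ClientId,
            Authority = settings.Authority,
            RedirectUri = settings.RedirectUri,
            PostLogoutRedirectUri = settings.PostLogoutRedirectUri,
            ResponseType = "code id_token", // hybrid flow: id_token signs the user in, code is redeemed below
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = ctx => RedeemCodeAsync(ctx, settings),
                AuthenticationFailed = ctx =>
                {
                    ctx.HandleResponse(); // keep the middleware from rethrowing
                    ctx.Response.Redirect("/Error?message=" + Uri.EscapeDataString(ctx.Exception.Message));
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Redeems the code right away and fills the per-user cache, so a later
    // AcquireTokenSilentAsync for the same user finds a token instead of throwing.
    private static async Task RedeemCodeAsync(AuthorizationCodeReceivedNotification ctx, AuthSettings settings)
    {
        string userObjectId = ctx.AuthenticationTicket.Identity.FindFirst(ObjectIdClaim).Value;
        var authContext = new AuthenticationContext(settings.Authority, new PerUserTokenCache(userObjectId));
        var credential = new ClientCredential(settings.ClientId, settings.ClientSecret);
        // redirect_uri must match the one sent in the authorize request exactly.
        await authContext.AcquireTokenByAuthorizationCodeAsync(
            ctx.Code, new Uri(settings.RedirectUri), credential, settings.ResourceId);
    }

    // The controller-side call: same cache key as above, so the cached token is found.
    public static Task<AuthenticationResult> GetTokenSilentlyAsync(string userObjectId, AuthSettings settings)
    {
        var authContext = new AuthenticationContext(settings.Authority, new PerUserTokenCache(userObjectId));
        return authContext.AcquireTokenSilentAsync(
            settings.ResourceId,
            new ClientCredential(settings.ClientId, settings.ClientSecret),
            new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
    }
}
```

If Easy Auth stays enabled with "Allow Anonymous requests", as in the question's edit, it still owns /.auth/* but no longer challenges unauthenticated requests itself, so the OWIN middleware runs the sign-in and the reply URL must be one the app handles; with "Log in with Azure Active Directory" selected, Easy Auth completes the sign-in on its own and the OWIN notifications are bypassed, which is exactly the trace above.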