0
votes

Which of the Azure Active Directory authentication flows would I use for a single-tenant web application that needs to call the Microsoft Graph API and is launched from the Office 365 app launcher?

Office 365 is using the same tenant as the web app, and I'm using the Azure AD v1 endpoint. The example I tried does not quite work for this scenario, because it expects the user to not be signed-in already.

I tried this example: https://github.com/microsoftgraph/aspnetcore-connect-sample

It works correctly when going to the application directly, but clicking its icon in the Office 365 App Launcher immediately displays the following error:

Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.

Is the solution to sign the user out and re-authenticate them in order to get an authorization code to cache, or should I use the "on behalf of" flow instead?

2
Hi @dallasg, we had some dependency conflicts when we tried to implement the Azure AD v2 (MSAL) auth endpoint. This is likely to be solved with netcore2.0, so the sample will be updated in the coming weeks. If you encounter this bug with the sample too, please submit an issue: github.com/microsoftgraph/aspnetcore-connect-sample/issues

Mark Szabo

2 Answers

0
votes

It seems that you set the login URL directly as the URL of the home page for the app, without the state parameter.

To fix the issue, the home page of the app is recommended to be set. For example, for this code sample it should be https://localhost:44334. If you want to protect the web app and only allow authenticated users to visit, we can replace the code in the ConfigureServices method as below and remove the AllowAnonymous attribute in the Home controller:

services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser()
                     .Build();
    config.Filters.Add(new AuthorizeFilter(policy));
});

After that, when you visit the app through the Office 365 apps portal, it will redirect the user to log in first before they can access the app.

0
votes

I was able to solve the problem by adding the Microsoft Graph URI as the Resource setting for the OpenID Connect middleware.

Now when launching the application, an authorization code is sent, which I can store in the Token Cache and use later for authenticating to the Graph API.
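As an added example (not code from the connect sample or from either answer), here is an ASP.NET Core 2.x Startup that puts both answers together against the Azure AD v1 endpoint: the authenticated-user policy filter, the Resource setting pointed at Microsoft Graph, and a handler that redeems the returned authorization code with ADAL so the Graph access token lands in a token cache instead of being re-requested. The tenant id, client id and secret are placeholders, and the ASP.NET Core 2.x AddAuthentication/AddOpenIdConnect API is an assumption, since the sample at the time of the question targeted an earlier release.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class Startup
{
    // Placeholders: substitute the values from your own app registration.
    private const string TenantId = "<your-tenant-id>";
    private const string ClientId = "<your-client-id>";
    private const string ClientSecret = "<your-client-secret>";
    private const string Authority = "https://login.microsoftonline.com/" + TenantId;
    private const string GraphResource = "https://graph.microsoft.com";

    public void ConfigureServices(IServiceCollection services)
    {
        // Require a signed-in user on every action (the first answer's policy filter).
        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
            config.Filters.Add(new AuthorizeFilter(policy));
        });
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = Authority;
            o.ClientId = ClientId;
            o.ClientSecret = ClientSecret;
            o.ResponseType = "code id_token"; // hybrid flow: the code arrives with the id_token
            o.Resource = GraphResource;       // second answer's fix: ask the v1 endpoint for a Graph-scoped code
            o.Events = new OpenIdConnectEvents { OnAuthorizationCodeReceived = RedeemCodeAsync };
        });
    }

    // Redeem the code once with ADAL so the Graph token goes into ADAL's default shared in-memory
    // cache (a per-user cache is the production choice), then tell the middleware not to redeem it again.
    private static async Task RedeemCodeAsync(AuthorizationCodeReceivedContext ctx)
    {
        var redirectUri = new System.Uri(ctx.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]);
        var result = await new AuthenticationContext(Authority).AcquireTokenByAuthorizationCodeAsync(
            ctx.ProtocolMessage.Code, redirectUri, new ClientCredential(ClientId, ClientSecret), GraphResource);
        ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
    }
}
```

Later Graph calls then use AcquireTokenSilentAsync against the same cache for the signed-in user rather than triggering a new sign-in.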