4
votes

I have promoted a test .NET Web Api to an Azure application service and included an app registration under Azure Active Directory. I then went to do some testing locally and noticed that Azure wanted to use the reply URL in the app registration after login. The reply URL in the app registration is the URL for the application service. My local instance will be something like https://localhost:44377/. How are you supposed to test changes locally after doing an initial deploy to Azure? All I can think to do is create another app registration for testing, use my local host reply URL, then update my web.config to point to that development app registration. Then prior to publishing again, update the web.config back to the other app registration.

Below is the code I used for authentication, which was based on the standard template from a simple MVC project. The values in the app registration are being used for the redirect URL, but maybe I am supposed to override those values below while testing?

    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.OpenIdConnect;

    public class AccountController : Controller
    {
        public void SignIn()
        {
            // Send an OpenID Connect sign-in request.
            if (!Request.IsAuthenticated)
            {
                // RedirectUri here is where the app sends the user after sign-in;
                // the redirect_uri sent to Azure AD comes from the middleware options.
                HttpContext.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties { RedirectUri = "/" },
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }
An app registration allows multiple reply URLs. – Jason P

I did try to add the localhost URL to the list of reply URLs, and this allowed me to test locally, but it also broke the published application service. When logging into the application service URL the redirect decides to use the second URL that I added (localhost), which obviously fails. – pretzelb

You can have your app tell Azure AD which URL to return to. See the part about redirect_uri here: msdn.microsoft.com/en-us/skype/websdk/docs/troubleshooting/auth/… – Jason P

I just saw that same article and was going to point out the very bottom comment that says do NOT keep "localhost" in the list of reply URLs after publishing. What isn't clear to me is how to override the reply URL using the information in that article. My authorization code was based on a different sample, and I do have "localhost" defined in my reply URL. Adding a code sample to the first post now. – pretzelb

You could edit your hosts file, adding redirects for localhost for certain domain names or ports. – mbomb007

2 Answers

1
votes

You can have multiple reply URLs by specifying which one you want to use in the authentication request. You do that when configuring your authentication in Startup.cs. You need to set a RedirectUri in your OpenIdConnectAuthenticationOptions.Notifications.RedirectToIdentityProvider callback.

    var openIdOptions = new OpenIdConnectAuthenticationOptions
    {
        //...
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Runs just before the browser is redirected to Azure AD; the
            // redirect_uri set here is the one Azure AD will reply to.
            RedirectToIdentityProvider = (context) =>
            {
                context.ProtocolMessage.RedirectUri = "<current reply uri>";

                return Task.FromResult(0);
            }
        }
        // ...
    };

That reply URI can be pulled from your web.config or generated dynamically using context.Request.

If you want to use a different AD App after going to production, you can have two apps and put the client id and secret in the web.config.
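As an added example (not this answer's own code), here is a complete ConfigureAuth that derives the reply URL from the incoming request but only accepts values listed in an assumed appSetting named ida:AllowedRedirectUris, so that the localhost entry in the registration is never selected by a production request; ida:ClientId and ida:Authority are also assumed setting names.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed appSetting, e.g.
    // <add key="ida:AllowedRedirectUris"
    //      value="https://localhost:44377/;https://myapp.azurewebsites.net/" />
    // Trailing slashes are normalised so that comparison is exact otherwise.
    private static readonly string[] AllowedRedirectUris =
        (ConfigurationManager.AppSettings["ida:AllowedRedirectUris"] ?? "")
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(u => u.Trim().TrimEnd('/'))
            .ToArray();

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ida:ClientId"],
            Authority = ConfigurationManager.AppSettings["ida:Authority"],
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    // Build the reply URL from the request being served
                    // (scheme, host and application path base) ...
                    var request = context.Request;
                    var candidate = (request.Scheme + "://" + request.Host +
                                     request.PathBase).TrimEnd('/');

                    // ... but refuse to send anything that is not on the allow-list,
                    // so the host header alone cannot steer the redirect.
                    if (!AllowedRedirectUris.Contains(candidate, StringComparer.OrdinalIgnoreCase))
                    {
                        context.HandleResponse();
                        context.Response.StatusCode = 400;
                        return Task.FromResult(0);
                    }

                    // Azure AD compares redirect_uri as an exact string, so send
                    // the value in the same form it is registered (with slash).
                    context.ProtocolMessage.RedirectUri = candidate + "/";
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

On Azure App Service the request scheme seen by OWIN may differ from the public one when TLS is terminated in front of the app, so check the value the app actually computes before relying on it.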

2
votes

If you want to test locally, just add localhost as a reply URL and ensure that the web.config also lists localhost.

Please refer to this repository if you have not done so already: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect