2
votes

I have created a web app in Azure and I am using Azure AD authentication (OpenID Connect) to authenticate my web app, but I couldn't authenticate the web app on a few machines.

On some machines it (AAD authentication) is working in Google Chrome, but not in IE, Edge or Firefox. A few times it worked in all the browsers.

The following steps have failed:

  1. Removed all the cookies and claims
  2. Clear the session and tested in private mode

In Startup.cs

using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    // Default cookie manager: cookies are written by OWIN, not routed through System.Web
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = Config.ClientId,
            ClientSecret = Config.ClientSecret,
            Authority = Config.Authority,
            PostLogoutRedirectUri = Config.PostLogoutRedirectUri,
            RedirectUri = Config.PostLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                // No notification handlers registered
            }
        });
}

When I tried to log in with Azure AAD, I received an error message like 'We couldn't sign you in. Please try again.'

Info:

No error log in the browser console.

URL: https://login.microsoftonline.com/TENANTID/oauth2/authorize?client_id=CLIENTID&redirect_uri=URL&response_mode=form_post&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3TOKEN&x-client-SKU=ID_NET461&x-client-ver=5.5.0.0

Enabled the Azure authentication/authorization.

3
Have you checked the browser console? Have you checked the URL generated when it raises the error? Have you checked the web app log? Do you have two-factor authentication? Do you have the same email address for a personal account and a work account? Are you behind a proxy? Have you tried with Postman? Please update your question with more details. – Max
@Max Have you checked the browser console? Yes, no error. Have you checked the URL generated when it raises the error? The URL is login.microsoftonline.com/TENANTID/oauth2/… Have you checked the web app log? In App Insights there is no log. Do you have two-factor authentication? Enabled the Azure authentication/authorization. – Karthikeyan
Do you have the same email address for a personal account and a work account? AD belongs to the work account. Are you behind a proxy? No. Have you tried with Postman? It is a web app. – Karthikeyan
If you are using the OpenID Connect middleware in your application, you don't need the authentication/authorization feature; just disable it. – Nan Yu
I have disabled the authentication/authorization feature, and I am getting the below error: IDX21323: RequireNonce is '[PII is hidden. For more details, see aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated. – Karthikeyan

3 Answers

2
votes

Issue: working in Google Chrome, not in IE, Edge, Firefox or Safari. A few times it worked in all the browsers.

How to resolve this issue: The problem has been fixed in ASP.NET Core. To resolve this issue, you can upgrade your application to use ASP.NET Core. If you must stay on ASP.NET, perform the following: update your application's Microsoft.Owin.Host.SystemWeb package to be at least version and modify your code to use one of the new cookie manager classes, for example something like the following:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    // Route cookie writes through System.Web so OWIN and System.Web do not overwrite each other's Set-Cookie headers
    CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
});

Reference Link

1
votes

After some research, I found that you need to use HTTPS and also write this piece of code in the Startup.cs file:

using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    // Let System.Web own the cookie so the OWIN and System.Web cookie collections stay in sync
    app.UseCookieAuthentication(new CookieAuthenticationOptions {
        CookieManager = new SystemWebCookieManager()
    });
    ...

If you are using an Azure App, follow these steps to force the application to always use HTTPS:

  1. Log in to the Azure portal.

  2. Navigate to App Services.

  3. Click on the reported App.

  4. Under the Settings section, click on 'TLS/SSL settings'.

  5. In 'Protocol Settings', set 'HTTPS Only' to 'On'.
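A consolidated Startup.ConfigureAuth that applies the cookie-manager fix from the two answers above, keeps nonce validation switched on (it is the replay protection for the id_token, so the IDX21323 error from the comments is better logged than silenced), and marks the session cookie HttpOnly and Secure to match the HTTPS-only setting. This is an added example, not code from either answer; Config.RedirectUri, the /Error route and the OpenIdConnectAuthenticationOptions.CookieManager property (Katana 4.1 or later) are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // Route the session cookie through System.Web so OWIN and System.Web do not
        // overwrite each other's Set-Cookie headers (the "works in one browser only" symptom).
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebChunkingCookieManager(),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always   // site is HTTPS-only
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = Config.ClientId,
            ClientSecret = Config.ClientSecret,
            Authority = Config.Authority,
            RedirectUri = Config.RedirectUri,              // assumed config key
            PostLogoutRedirectUri = Config.PostLogoutRedirectUri,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // The nonce and state cookies written during the redirect use the same
            // cookie manager (property assumed present, Katana 4.1+).
            CookieManager = new SystemWebChunkingCookieManager(),
            // Keep nonce checking on; do not set RequireNonce = false to hide IDX21323.
            ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = true },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = n =>
                {
                    // Record the failure (IDX21323 etc.) in the app log instead of a bare 500,
                    // then send the user to an error page instead of retrying the redirect loop.
                    System.Diagnostics.Trace.TraceError("OIDC failure: {0}", n.Exception.Message);
                    n.HandleResponse();
                    n.Response.Redirect("/Error?reason=signin");   // assumed error route
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```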

0
votes

I ran into the same error message. But in my case I saw in the console a lot of calls to my app's /signin-oidc (302s).

The problem was that I had removed the following lines from the ConfigureServices method:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });
}

After replacing it, all worked fine.

HTH, J.