无法登录多租户应用程序

Question

I have some confusion in Azure Ad Multi-Tenant Authentication.

My application is the Devexpress XAF Blazor Application in Visual Studio 2019.

Devexpress version 21.2.3

I want azure ad multitenant authentication, single-tenant authentication is working fine.

I have already followed below documents:-

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/

https://itnext.io/why-you-should-be-using-azure-multi-tenant-apps-49d4704b926e

https://docs.devexpress.com/eXpressAppFramework/402197/data-security-and-safety/security-system/authentication/active-directory-and-oauth2-authentication-providers-in-blazor-applications

My Azure Ad Configuration is as below:

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/common",
    //"Instance": "https://login.microsoftonline.com",
    "AppIDURL": "https://Mydomain.onmicrosoft.com/MyApp",
    "Domain": "my Domain",
    "TenantId": "My Tenant Id",
    "ClientId": "My Client Id",
    "ClientCertificates": [],
    "CallbackPath": "/signin-oidc"
  },

When I used the below code in a startup.cs file

  var authentication = services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme);
            authentication
                .AddCookie(options =>
                {
                    options.LoginPath = "/LoginPage";
                }).AddMicrosoftIdentityWebApp(Configuration, configSectionName: "AzureAd", cookieScheme: null);

Getting below error:-

IOException: IDX20807 : Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.

Error screen shot

Or

When I used the below code

 var authentication = services.AddAuthentication(AzureADDefaults.AuthenticationScheme);
            authentication
                .AddCookie(options =>
                {
                    options.LoginPath = "/LoginPage";
                }).AddAzureAD(options => Configuration.Bind("AzureAd", options)); 

I was able to login into the application but was not able to log out of the application it login again and Devexpress login page was also not visible (as mentioned above LoginPath).

We have multiple Authentication schemes like below:-

1. CookieAuthenticationDefaults.AuthenticationScheme
2. AzureADDefaults.AuthenticationScheme
3. OpenIdConnectDefaults.AuthenticationScheme

But which one was used in Azure Ad Multi-Tenant Application.

Answer 1

Hellow,

1. Looks like AddAzureAD is obsolet. Form me it dosn't work at all with my app settring (TenadID, ClientId...)
2. I have the same problem when I replace "Instance": "https://login.microsoftonline.com", to "Instance": "https://login.microsoftonline.com/common",

I sugest you to upload debug simbols too see the exat problem in the HttpDocumentRetriever.GetDocumentAsync

For me it's StatusCode 400 or 404 In VisualStudio go to: Tools->Options->Debugging->Symbols.

Error response content

The seccond problem with "was not able to log out"

1. You set that default sheme is AzureADDefaults.AuthenticationScheme
2. AzureAD uses cookie scheme to store user data. It's by default of course and you can change it.
3. When you call LogOut the xaf application calls await context.SignOutAsync(); That means that the default scheme is used, but default scheme is "AzureADDefaults.AuthenticationScheme" in that case. The cookie still with you.

I am not shure that you need to put the "AzureADDefaults.AuthenticationScheme" as a defaut scheme or I don't know a reason to do that.

It's better to try the authentication without XAF when you need some complex solution and XAF doesn't work with that from the box.

Of cource you can override XAF log out logic where they perform context.SignOutAsync() by your own. They use a middleware for it, you can write you own and register it before XAF middleware(s) registration, before

app.UseXaf();

Your middleware can look like

using System;
using System.Threading.Tasks;
using DevExpress.ExpressApp.Blazor.Services;
using DevExpress.ExpressApp.Blazor.Utils;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

namespace MyApplication {
    public class CustomSignInMiddleware {
        private readonly RequestDelegate next;
        public CustomSignInMiddleware(RequestDelegate next) {
            this.next = next;
        }
        public async Task Invoke(HttpContext context, ILogger<CustomSignInMiddleware> logger = null) {
            string requestPath = context.Request.Path.Value.TrimStart('/');
            string returnUrl = ReturnUrlHelper.ExtractReturnUrl(context.Request);
             if(requestPath.StartsWith(SignInMiddlewareDefaults.SignOutEndpointName, StringComparison.Ordinal)) {
                await context.SignOutAsync();
                context.Response.Redirect(returnUrl);
            }
            else {
                await next(context);
            }
        }
    }
}

and use SignOutAsync with desired scheme. Don't forget to register

        app.UseMiddleware<CustomSignInMiddleware>();
        app.UseXaf();

Answer 2

Thanks, Dima for your reply,

But the problem is resolved with the correct setting suggested by Microsoft Team.

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "Mydomain",
    "ClientId": "My Client Id",
    "TenantId": "organizations", // It is must in Multi Tenant application 
    "CallbackPath": "/signin-oidc"
  },

And My Startup file as below

   services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>
            {
                options.LoginPath = "/LoginPage";
            }).AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"), cookieScheme: null);