
ASP.NET Core Web App using Work (Azure AD) Authentication works debugging locally, but not after publish to Azure

My ASP.NET Core web app works great when running and debugging locally, but fails to run once published to Azure.

  • I enabled Organizational Authentication and selected the appropriate domain upon publishing.
  • The appropriate reply URL was registered

After I publish to Azure I get this error:

An unhandled exception occurred while processing the request. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'. Trace ID: 640186d6-9a50-4fce-ae39-bbfc1caf2400 Correlation ID: 622758b2-ca52-4bb0-9a98-e14d5a45cf80 Timestamp: 2017-04-19 16:36:32Z', error_uri: 'error_uri is null'.

I'm assuming that it's because the Client Secret needs to be stored in Azure somewhere; however, the value in secrets.json did not work when I added it as an App Setting (invalid client secret error) as I saw someone was able to do on another post. Also not sure if putting the value of "Authentication:AzureAd:ClientSecret" in Azure AppSettings is a good idea anyway.

Not sure if this is useful to anyone or not, but I receive a similar error message.

OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler+<RedeemAuthorizationCodeAsync>d__22.MoveNext()

The solution for me was to provide a secret in the token service:

    // One entry in the token service's client list
    new Client
    {
        ClientId = "Testclient",
        ClientName = "client",
        ClientSecrets =
        {
            // The token service stores the secret hashed, not in clear text
            new Secret("secret".Sha256())
        },
        // Hybrid is a mix between implicit and authorization code flow
        AllowedGrantTypes = GrantTypes.Hybrid,
    },

And provide the secret in the client:

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        // The name of the authentication configuration, in case we have multiple
        AuthenticationScheme = "oidc",
        // Where to store the identity information -> points to the cookie middleware declared above
        SignInScheme = "Cookies",

        // Where the token service resides -> the handler configures itself by invoking the discovery endpoint
        Authority = "http://localhost:5000",
        // Allows the plain-http discovery endpoint; development only
        RequireHttpsMetadata = false,

        ClientId = "Testclient",
        // Must match the secret registered with the token service
        ClientSecret = "secret",
        // Hybrid flow grant type
        ResponseType = "code id_token",
    });

Hopefully this helps someone.
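As an added example, not code from either answer on this page: the question's app reads "Authentication:AzureAd:ClientSecret" from secrets.json locally, so the same key has to arrive from somewhere else once published. The Startup below (ASP.NET Core 1.x style, matching the UseOpenIdConnectAuthentication call in the answer above) wires the user-secrets provider in for development and the environment-variable provider everywhere, which is how an Azure App Setting reaches the app, and it fails at startup naming the missing key instead of failing at sign-in with an opaque invalid_client. The "TenantId" and "ClientId" key names, the Azure AD authority URL form, and the RequireSetting and ToAppSettingName helpers are my assumptions and do not come from the page.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    // Section name modeled on the "Authentication:AzureAd:ClientSecret" key from the question.
    private const string AzureAdSection = "Authentication:AzureAd";

    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true);

        if (env.IsDevelopment())
        {
            // Local only: reads secrets.json from the user-secrets store, never from the repo.
            builder.AddUserSecrets<Startup>();
        }

        // Azure App Service exposes every App Setting to the process as an environment
        // variable; this provider is what turns that into Authentication:AzureAd:ClientSecret.
        builder.AddEnvironmentVariables();
        Configuration = builder.Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        var azureAd = Configuration.GetSection(AzureAdSection);
        var tenantId = RequireSetting(azureAd, "TenantId");       // assumed key name
        var clientId = RequireSetting(azureAd, "ClientId");       // assumed key name
        var clientSecret = RequireSetting(azureAd, "ClientSecret");

        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme,
            SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
            // Single-tenant Azure AD authority; discovery metadata is fetched over HTTPS.
            Authority = $"https://login.microsoftonline.com/{tenantId}",
            RequireHttpsMetadata = true,
            ClientId = clientId,
            // Without this the code redemption fails with AADSTS70002 once published.
            ClientSecret = clientSecret,
            // Hybrid flow: the code is redeemed server-side, which is why a secret is required.
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // Must match one of the reply URLs registered on the App Registration.
            CallbackPath = "/signin-oidc",
        });

        app.UseMvcWithDefaultRoute();
    }

    // Fail at startup with the *name* of the missing key rather than at sign-in time with
    // an opaque invalid_client error. The value itself is never placed in the message.
    public static string RequireSetting(IConfiguration section, string key)
    {
        var value = section[key];
        if (string.IsNullOrWhiteSpace(value))
        {
            var fullKey = AzureAdSection + ":" + key;
            throw new InvalidOperationException(
                $"Missing configuration value '{fullKey}'. Locally, add it to secrets.json; " +
                $"in Azure, add an App Setting named '{ToAppSettingName(fullKey)}'.");
        }
        return value;
    }

    // ASP.NET Core maps ':' in configuration keys to "__" in environment-variable names,
    // so the portable App Setting name for Authentication:AzureAd:ClientSecret is
    // Authentication__AzureAd__ClientSecret (the colon form also works on Windows hosts).
    public static string ToAppSettingName(string configurationKey) =>
        configurationKey.Replace(":", "__");
}
```

The secret never appears in source, appsettings.json or the exception text; only the key name is reported, so a misconfigured deployment is diagnosed from the startup log rather than from the AADSTS70002 message at the token endpoint.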

Somehow the Azure AD IDs needed for the proper Azure Active Directory App Registration were mixed up. There were 2 App Registration entries, and the ClientID and TenantID didn't match up with the local ones. So I synchronized the Client and Tenant IDs with one of the App Registration entries, made sure the Client Secret was in App Settings, and it worked properly.

I verified these steps against this fine example, Win's GitHub repository, and they match now.
