
Can't connect ASP.NET MVC to Azure AD with OIDC

I am trying to set up an SSO sign-in to an ASP.NET MVC 5 application (.NET 4.8) with OpenID Connect. I'm using Azure Active Directory. The application is a brand new project made for testing purposes, and the only change I introduced to the scaffolded code is in Startup.Auth.cs:

// automatically added usings:
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;

// in public void ConfigureAuth(IAppBuilder app) method:
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "{ClientId of AAD App}",
    ClientSecret = "{Secret generated for the AAD app}",
    CallbackPath = new PathString("/signin-microsoft"),
    // multi-tenant discovery document; its "issuer" value is a per-tenant template
    MetadataAddress = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        // must match the v2.0 issuer of the tenant that actually issues the token
        ValidIssuer = "https://login.microsoftonline.com/{Directory (tenant) ID}/v2.0"
    }
});

If I set ValidateIssuer to false, everything works fine - I manage to sign into the application with my organization email. But as soon as I set it to true, I start getting the following error:

IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'.

I tried changing the ValidIssuer to all options mentioned in this SO thread, but nothing works. The current ValidIssuer is the URL given in the MetadataAddress above, with concrete Directory (tenant) ID of the registered app.

As far as the registered AAD app goes, I've set both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows) to true, and Supported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant).

Any idea what I'm not getting here?

It was a bad Tenant ID after all. I realized it by setting IdentityModelEventSource.ShowPII to true in Startup.Auth.cs, as seen in this answer: https://stackoverflow.com/a/55027625/2975357
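The question above shows the tempting workaround (ValidateIssuer = false), which for a multi-tenant registration means an ID token minted by any Azure AD tenant is accepted. The following is an added example, not code from the question or answer, showing how to keep issuer validation on while using the "organizations" metadata endpoint: the discovery document's issuer is a per-tenant template, so the app supplies its own allow-list of tenant IDs and an IssuerValidator delegate from Microsoft.IdentityModel.Tokens. The TenantAllowList class, its method names and the sample tenant GUIDs are assumptions constructed for this example; the placeholders for ClientId and ClientSecret are the ones from the question. The ShowPII switch from the accepted answer is included, limited to debug builds, so the real issuer strings appear in IDX10205 messages while troubleshooting.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical helper (not part of the original post): an explicit allow-list of
// tenants whose tokens this multi-tenant app is willing to accept.
public static class TenantAllowList
{
    // Constructed sample directory (tenant) IDs; replace with the tenants you trust.
    public static readonly string[] AllowedTenantIds =
    {
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002",
    };

    // Azure AD v2.0 tokens carry a tenant-specific issuer of this shape, even when the
    // metadata was fetched from the "organizations" or "common" endpoint.
    public static string IssuerForTenant(string tenantId) =>
        $"https://login.microsoftonline.com/{tenantId}/v2.0";

    public static IEnumerable<string> ValidIssuers() =>
        AllowedTenantIds.Select(IssuerForTenant);

    // IssuerValidator contract: return the issuer when it is acceptable, otherwise throw
    // so the OWIN OIDC middleware rejects the token and the sign-in fails.
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        if (ValidIssuers().Contains(issuer, StringComparer.OrdinalIgnoreCase))
        {
            return issuer;
        }

        throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an allowed tenant.")
        {
            InvalidIssuer = issuer
        };
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
#if DEBUG
        // Diagnostics only: replaces "[PII is hidden]" in IDX10205 with the actual issuer values.
        IdentityModelEventSource.ShowPII = true;
#endif

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "{ClientId of AAD App}",
            ClientSecret = "{Secret generated for the AAD app}",
            CallbackPath = new PathString("/signin-microsoft"),
            MetadataAddress = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
            TokenValidationParameters = new TokenValidationParameters
            {
                // Keep validation enabled; the delegate decides which tenants are trusted.
                ValidateIssuer = true,
                IssuerValidator = TenantAllowList.ValidateIssuer,
            }
        });
    }
}
```

For a single-tenant app the simpler form in the question (ValidIssuer set to the one tenant's v2.0 issuer) is enough; the delegate is for the multi-tenant case, where a static ValidIssuer can never match every tenant and disabling validation is the wrong fix.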
