getting error while integrating Azure OpenId connect


Hi, I am trying to integrate Azure OpenID Connect AD authentication. I am following the links below as reference.

https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/

https://we.knowit.fi/experience-fi/mixed-mode-authentication-with-azure-ad-and-aspnet-membership-for-episerver-multisites

I completed all the points mentioned in the links above, but now when I try to access the mysite/CMS section, I get the error below on the login page. Any help please? Thank you in advance!

#229932
Oct 27, 2020 6:42

Hi Mahesh

Is your server/computer located behind an outgoing firewall or proxy server? This could be a sign that the OpenID middleware has trouble connecting to the OpenID configuration file (at the https://login.microsoft.com site).

#229934
Oct 27, 2020 7:22

The issue is related to your application not being able to access https://[identity-provider-url]/.well-known/openid-configuration. Can you access the URL in a browser (with correct domain of course)?

#229935
Oct 27, 2020 7:55

Hi Stefan and Johan,

My computer is not behind any firewall or proxy server. I am able to access the identity provider URL from the browser; I see the JSON response in the browser.

https://login.microsoftonline.com/[myGUIID]/v2.0/.well-known/openid-configuration.

Now I also tried with a fresh Episerver site with the Alloy template; I get different errors on each hit.

IDX20803: Unable to obtain configuration from: '[PII is hidden]'.

and sometime

Response status code does not indicate success: 404 (Not Found).

#229938
Oct 27, 2020 8:50
Stefan Holm Olsen - Oct 27, 2020 14:35
What is the value of your Authority property in the OpenID configuration in OWIN (you can mask the GUID)?
mahesh kulkarni - Oct 28, 2020 10:17
I have set the Authority property to 'Common'. I also tried setting it to the same value as the Client id I got from the Azure team.
Stefan Holm Olsen - Oct 28, 2020 10:50
Try setting it to https://login.microsoftonline.com/[GUID/common] instead. Does it work?
mahesh kulkarni - Oct 28, 2020 11:41
I have fixed that error, I had to use the ADDInstance url as https://login.microsoftonline.com/[MyTenantToken]

But now I am getting the error "nonce cannot be validated, set OpenIdConnectProtocolValidator.RequireNonce to 'false'". I am not sure where to disable it.

Great that it worked out, Mahesh.

The second issue is a well-known issue when using Chrome. Have a look at this page for a fix.

#229999
Edited, Oct 28, 2020 12:22

Hi Stefan,

Yes, the issue is specifically with the Chrome browser. I followed the document link you shared above.

I put in the code below:

using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;

// Wraps the default cookie manager and drops the SameSite=None attribute for browsers
// that mishandle it, so the OpenID Connect nonce/correlation cookies are accepted.
public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _innerManager;

    public SameSiteCookieManager() : this(new CookieManager())
    {
    }

    public SameSiteCookieManager(ICookieManager innerManager)
    {
        _innerManager = innerManager;
    }

    public void AppendResponseCookie(IOwinContext context, string key, string value,
                                     CookieOptions options)
    {
        CheckSameSite(context, options);
        _innerManager.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        CheckSameSite(context, options);
        _innerManager.DeleteCookie(context, key, options);
    }

    public string GetRequestCookie(IOwinContext context, string key)
    {
        return _innerManager.GetRequestCookie(context, key);
    }

    // Omit the SameSite attribute entirely when the requesting browser cannot handle SameSite=None.
    private void CheckSameSite(IOwinContext context, CookieOptions options)
    {
        if (options.SameSite == Microsoft.Owin.SameSiteMode.None
                             && DisallowsSameSiteNone(context))
        {
            options.SameSite = null;
        }
    }

    // User-agent sniffing for the known incompatible clients: iOS 12, macOS 10.14 Safari,
    // and Chrome 50-69 (which treat SameSite=None as SameSite=Strict).
    public static bool DisallowsSameSiteNone(IOwinContext context)
    {
        var userAgent = context.Request.Headers["User-Agent"];

        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        if (userAgent.Contains("CPU iPhone OS 12") ||
            userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        {
            return true;
        }

        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return true;
        }

        return false;
    }
}

and in the startup file I set the code as:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = clientId,
    Authority = aadAuthority,
    PostLogoutRedirectUri = postLogoutRedirectUri,
    // Route the middleware's nonce and correlation cookies through the SameSite-aware manager
    CookieManager = new SameSiteCookieManager(
                        new SystemWebCookieManager()),
});

But I am still getting the same error. Maybe I am missing something again.

Could you please help me.

#230335
Nov 04, 2020 9:45
Stefan Holm Olsen - Nov 04, 2020 10:02
Can you quickly test whether it works fine in Explorer or Firefox? Just to know how far in the solution you have come.
In Chrome you may want to test this in incognito mode and close the tab after each test.
mahesh kulkarni - Nov 04, 2020 10:24
Hi Stefan,
It was working in Firefox even before this implementation.
I tested again after this implementation and its working fine in Firefox.

Not sure if Azure AD supports validation of the nonce. So, as the error message suggests, turn it off.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ProtocolValidator = new OpenIdConnectProtocolValidator
    {
        RequireNonce = false
    }
});
#230341
Nov 04, 2020 10:05
mahesh kulkarni - Nov 04, 2020 10:29
I tried it before, but then it's giving the error: The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request.
Stefan Holm Olsen - Nov 04, 2020 10:30
Azure AD definitely supports it. And highly recommends it as an important safety feature.
The issue here is that the nonce cookie is lost when returning from Azure AD. But it can be fixed with some tweaking.

Hi Mahesh

I don't recall what exactly fixed the issue last time. But here are some notes.

  • Verify that your solution is targeting .NET 4.7.2.
  • Verify that all OWIN-related NuGet packages are version 4.1.0 or higher (where they exist).
  • Verify that Azure AD is sending you back to the exact same domain as you came from.
  • Make sure that the site is not performing a redirect (for instance to add a trailing slash or something).
#230351
Nov 04, 2020 13:13
mahesh kulkarni - Nov 11, 2020 8:07
Hi Stefan,

1. Yes, my .NET Framework version is 4.7.2, as it is required for the solution you suggested above.
2. I checked all my OWIN packages and they are version 4.1.1.
3. Azure AD is sending back to the same site.
4. There are no redirects in the site after login.

I am not able to find a solution for this issue :( I have completed all the rest of the part related to the customer requirement but cannot deliver it due to this damn issue.

Found the solution:

My local website was running on HTTP. I changed it to HTTPS and it started working fine in Google Chrome.

Thank you all for your help :)

#232992
Dec 03, 2020 6:45
Stefan Holm Olsen - Dec 03, 2020 7:09
Ahh, yes. After all other fixes, the most obvious solution was left. 😉
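As an added example (not code from this thread, from Episerver, or from Microsoft), here is an OWIN startup that ties together the points raised above: a tenant-specific Authority, the same SameSite-aware cookie manager on both the cookie and the OpenID Connect middleware (the nonce and correlation cookies come from the latter, the session cookie from the former), nonce validation left enabled, and an HTTPS redirect URI so the SameSite=None cookies carry the Secure flag Chrome requires. The tenant id, client id and redirect URI are placeholders, and SameSiteCookieManager is assumed to be the class posted earlier in the thread.

```csharp
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Placeholder values (assumed); read them from configuration in a real site.
        const string tenantId = "<your-tenant-guid>";
        const string clientId = "<your-client-id>";
        const string redirectUri = "https://localhost:44300/"; // HTTPS, not HTTP
        string authority = "https://login.microsoftonline.com/" + tenantId + "/v2.0";

        // One manager instance for both middlewares, so every auth cookie gets the
        // same SameSite handling (SameSiteCookieManager is the class posted above).
        var cookieManager = new SameSiteCookieManager(new SystemWebCookieManager());

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieSecure = CookieSecureOption.Always, // session cookie only over HTTPS
            CookieManager = cookieManager
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,            // must match the app registration exactly
            PostLogoutRedirectUri = redirectUri,
            CookieManager = cookieManager,
            // Keep nonce validation on: it is the replay protection for the id_token.
            ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = true },
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = authority           // v2.0 tokens carry the tenant issuer
            }
        });
    }
}
```

If the site is served over plain HTTP, the nonce cookie is written with SameSite=None but without Secure, and Chrome discards it, which reproduces the "nonce cannot be validated" error from this thread.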