SaaS CMS has officially launched! Learn more now.

getting error while integrating Azure OpenId connect

Vote:
 

Hi, I am trying to inegrate Azure openId connect AD authentication, I am following the below links as reference. 

https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/

https://we.knowit.fi/experience-fi/mixed-mode-authentication-with-azure-ad-and-aspnet-membership-for-episerver-multisites

I completed all mentioned points in above links, but now when I try to access the mysite/CMS section, I get below error on login page, any help please. thank you in Advance!

#229932
Oct 27, 2020 6:42
Vote:
 

Hi Mahesh

Are your server/computer located behind an outgoing firewall or proxy server? Because this could be a sign that the OpenID middleware has trouble connecting to the OpenID configuration file (at https://login.microsoft.com site).

#229934
Oct 27, 2020 7:22
Vote:
 

The issue is related to your application not being able to access https://[identity-provider-url]/.well-known/openid-configuration. Can you access the URL in a browser (with correct domain of course)?

#229935
Oct 27, 2020 7:55
Vote:
 

Hi Stefan and Johan,

My computer is not behinde any firewal or proxy server. I am able to acess the identity provider url from browser, I see the json response in browser.

https://login.microsoftonline.com/[myGUIID]/v2.0/.well-known/openid-configuration.

Now I also tried with a fresh Episerver site with Alloy template, I get different errors on each hit

IDX20803: Unable to obtain configuration from: '[PII is hidden]'.

and sometime

Response status code does not indicate success: 404 (Not Found).

#229938
Oct 27, 2020 8:50
Stefan Holm Olsen - Oct 27, 2020 14:35
What is the value of your Authority property in the OpenID configuration in OWIN (you can mask the GUID)?
mahesh kulkarni - Oct 28, 2020 10:17
I have set Authority property as 'Common', I also tried by setting it same as my Client id got from azure team.
Stefan Holm Olsen - Oct 28, 2020 10:50
Try setting it to https://login.microsoftonline.com/[GUID/common] instead. Does it work?
mahesh kulkarni - Oct 28, 2020 11:41
I have fixed that error, I had to use the ADDInstance url as https://login.microsoftonline.com/[MyTenantToken]

But now I am getting error "nonce cannot be validated, "set OpenIdConnectProtocolValidator.RequireNonce to 'false'. not getting from where disable it.
Vote:
 

Great that it worked out, Mahesh.

The second issue is a very known issue when using Chrome. Have a look at this page for a fix.

#229999
Edited, Oct 28, 2020 12:22
Vote:
 

Hi Stefan,

yes the issue specifically with Chrome browser, I followed the document link you shared above.

I put below code

public class SameSiteCookieManager : ICookieManager
    {
        private readonly ICookieManager _innerManager;

        public SameSiteCookieManager() : this(new CookieManager())
        {
        }

        public SameSiteCookieManager(ICookieManager innerManager)
        {
            _innerManager = innerManager;
        }

        public void AppendResponseCookie(IOwinContext context, string key, string value,
                                         CookieOptions options)
        {
            CheckSameSite(context, options);
            _innerManager.AppendResponseCookie(context, key, value, options);
        }

        public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
        {
            CheckSameSite(context, options);
            _innerManager.DeleteCookie(context, key, options);
        }

        public string GetRequestCookie(IOwinContext context, string key)
        {
            return _innerManager.GetRequestCookie(context, key);
        }

        private void CheckSameSite(IOwinContext context, CookieOptions options)
        {
            if (options.SameSite == Microsoft.Owin.SameSiteMode.None
                                 && DisallowsSameSiteNone(context))
            {
                options.SameSite = null;
            }
        }
        public static bool DisallowsSameSiteNone(IOwinContext context)
        {
            var userAgent = context.Request.Headers["User-Agent"];

            if (string.IsNullOrEmpty(userAgent))
            {
                return false;
            }
       
            if (userAgent.Contains("CPU iPhone OS 12") ||
                userAgent.Contains("iPad; CPU OS 12"))
            {
                return true;
            }

            if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
                userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            {
                return true;
            }

            if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            {
                return true;
            }

            return false;
        }
    }

and in startup file I set 

code as

 app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = aadAuthority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                CookieManager = new SameSiteCookieManager(
                                     new SystemWebCookieManager()),

But I am still getting same error, May be I am missing something again.

Could you please help me.

#230335
Nov 04, 2020 9:45
Stefan Holm Olsen - Nov 04, 2020 10:02
Can you quickly test whether it works fine in Explorer or Firefox? Just to know how far in the solution you have come.
In Chrome you may want to test this in incognito mode and close the tab after each test.
mahesh kulkarni - Nov 04, 2020 10:24
Hi Stefan,
It was working in Firefox even before this implementation.
I tested again after this implementation and its working fine in Firefox.
Vote:
 

Not sure if Azure AD supports validation of nonce. So as the error message suggest, turn it off.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ProtocolValidator = new OpenIdConnectProtocolValidator
    {
        RequireNonce = false
    }
});
#230341
Nov 04, 2020 10:05
mahesh kulkarni - Nov 04, 2020 10:29
I tried it before, but then its giving error: The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request.
Stefan Holm Olsen - Nov 04, 2020 10:30
Azure AD definitely supports it. And highly recommends it as an important safety feature.
The issue here is that the nonce cookie is lost when returning from Azure AD. But it can be fixed with some tweaking.
Vote:
 

Hi Mahesh

I don't recall what exactly fixed the issue last time. But here are some notes.

  • Verify that your solution is targeted .Net 4.7.2.
  • Verify that all OWIN-related NuGet packages are version 4.1.0 or higher (where they exists).
  • Verify that Azure AD is sending you back to the exact same domain as you came from.
  • Make sure that the site is not performing a redirect (for instance to add a trailing slash or something).
#230351
Nov 04, 2020 13:13
mahesh kulkarni - Nov 11, 2020 8:07
Hi Stefan,

1. Yes my .net framework version is 4.7.2 as it is required for the solution you suggested above.
2. I checked my all owin packages and those are version 4.1.1
3. Azure AD is sending back to same site
4. there are not redirects in side after login

I am not able to find solution for this issue :( I have completed all rest of the part related to customer requirement but can not deliver it due to this Damm issue.
Vote:
 

Found the solution:

My local website was running on HTTPS, I changed it to HTTPS and its started working fine in Google chrome.

Thank you all for your help :)

#232992
Dec 03, 2020 6:45
Stefan Holm Olsen - Dec 03, 2020 7:09
Ahh, yes. After all other fixes, the most obvious solution was left. 😉
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.