
Azure authentication fails after .NET Core upgrade from 1.0.0 to 1.1.0


After upgrading my projects to 1.1.0, I'm now getting authentication errors from my Azure AD OpenID authentication.

Fiddler is showing the error as:

WWW-Authenticate: Bearer error="invalid_request", error_codes="[90010]", error_description="AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.%0d%0aTrace.

This corresponds to a 400 (BadRequest) response, and the user cannot log in.

// Review notes only; the statement is reproduced exactly as the question shows it (it is cut off before its closing "});").
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            ClientId = Configuration["Authentication:AzureAd:ClientId"],
            // NOTE(review): plain concatenation — this relies on the AADInstance value ending with "/";
            // the answer further down uses String.Format with a placeholder instead. Confirm the config value.
            Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
            // The client secret is read from configuration; keep it out of committed appsettings files
            // (user-secrets or environment variables are the usual places).
            ClientSecret = Configuration["Authentication:AzureAd:ClientSecret"],
            CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],                
            // Hybrid flow: the authorization code and the id_token are returned together.
            ResponseType = OpenIdConnectResponseType.CodeIdToken,      
            // Commenting this out makes the login work (see the edit in the question). With a custom
            // OnAuthorizationCodeReceived that calls HandleCodeRedemption with a Graph access token, the
            // middleware presents that token to the UserInfo endpoint, which Azure AD rejects with
            // AADSTS90010 ("JWT tokens cannot be used with the UserInfo endpoint") — presumably the cause; confirm.
            GetClaimsFromUserInfoEndpoint = true,                
            Events = new OpenIdConnectEvents
            {
                OnAuthenticationFailed = OnAuthenticationFailed,
                OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
                OnMessageReceived = OnMessageReceived,
                OnTicketReceived = OnTicketRecieved,
                OnTokenValidated = OnTokenValidated,
                OnUserInformationReceived = OnUserInformationReceived,
                OnTokenResponseReceived = OnTokenResponseRecieved,
                OnRemoteFailure = OnRemoteFailure
            }        

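/// <summary>
/// Redeems the authorization code returned by Azure AD for a Graph access token (via ADAL)
/// and hands the result back to the OpenID Connect middleware.
/// </summary>
/// <param name="context">Middleware callback context carrying the protocol message and the authentication properties.</param>
/// <returns>A task that completes once the code has been redeemed.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="context"/> is null.</exception>
/// <exception cref="InvalidOperationException">Thrown when the redirect URI is missing from the authentication properties.</exception>
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
    {
        // Azure AD v1 authority host and the resource the access token is requested for.
        const string aadInstance = "https://login.microsoftonline.com/";
        const string graphResourceId = "https://graph.windows.net";

        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        // The redirect URI of the original authorization request must be replayed on the token
        // request. TryGetValue gives a clear error instead of a KeyNotFoundException from the indexer.
        string redirectUri;
        if (!context.Properties.Items.TryGetValue(OpenIdConnectDefaults.RedirectUriForCodePropertiesKey, out redirectUri))
        {
            throw new InvalidOperationException("Authentication properties do not contain the redirect URI used for the code request.");
        }

        // The objectidentifier claim was previously read into an unused local; reintroduce it
        // only if a per-user ADAL token cache is added.
        var clientCred = new ClientCredential(clientId, clientSecret);
        var authContext = new AuthenticationContext(aadInstance + tenant);
        AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
            context.ProtocolMessage.Code, new Uri(redirectUri), clientCred, graphResourceId);

        // NOTE(review): the access token passed here was issued for graphResourceId. With
        // GetClaimsFromUserInfoEndpoint = true the middleware sends the token it is given to the
        // UserInfo endpoint, which is the likely source of AADSTS90010 — confirm, and either disable
        // that option or keep the Graph token out of the redemption result.
        context.HandleCodeRedemption(authResult.AccessToken, authResult.IdToken);
    }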

Do I need to handle the user claims differently now that I'm using `CodeIdToken` together with the `GetClaimsFromUserInfoEndpoint` option?

Edit: if I comment out `GetClaimsFromUserInfoEndpoint`, this works fine.


Solution

  • Did you have any other custom code? It works well for me; here is the code for your reference:

    // Build the OpenID Connect options first so the wiring reads top to bottom.
    var oidcOptions = new OpenIdConnectOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        // Key casing differs from the other entries ("AzureAD" vs "AzureAd"); configuration lookup
        // is case-insensitive so it still resolves, but normalizing it avoids confusion.
        ClientId = Configuration["AzureAD:ClientId"],
        // AadInstance is expected to be a format string with a placeholder for the tenant.
        Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]),
        ClientSecret = Configuration["AzureAd:ClientSecret"],
        CallbackPath = new PathString("/signin-oidc"),
        // Hybrid flow: the id_token is returned alongside the authorization code.
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        GetClaimsFromUserInfoEndpoint = true,
    };

    // Event hooks are attached separately; none of them calls HandleCodeRedemption,
    // so the middleware performs the code redemption itself.
    oidcOptions.Events = new OpenIdConnectEvents
    {
        OnAuthenticationFailed = OnAuthenticationFailed,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnMessageReceived = OnMessageReceived,
        OnTicketReceived = OnTicketRecieved,
        OnTokenValidated = OnTokenValidated,
        OnUserInformationReceived = OnUserInformationReceived,
        OnTokenResponseReceived = OnTokenResponseRecieved,
        OnRemoteFailure = OnRemoteFailure,
    };

    app.UseOpenIdConnectAuthentication(oidcOptions);
    
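    /// <summary>
    /// Handles a failure reported by the remote identity provider: short-circuits the middleware
    /// and redirects the browser to the application's error page.
    /// </summary>
    /// <param name="context">Failure context; <c>Failure</c> carries the exception, if any.</param>
    /// <returns>A completed task.</returns>
    private Task OnRemoteFailure(FailureContext context)
    {
        context.HandleResponse();

        // Guard against a null Failure so the error handler itself cannot throw.
        var message = context.Failure?.Message ?? "Unknown error";

        // The message originates from the provider's response, so treat it as untrusted input:
        // encoding it keeps it from breaking the query string or injecting extra parameters.
        // The error view must still HTML-encode it when rendering (Razor does so by default).
        context.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(message));
        return Task.CompletedTask;
    }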
    
    /// <summary>No-op hook for authentication failures; leaves the middleware's default handling in place.</summary>
    /// <param name="context">Failure details supplied by the middleware.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnAuthenticationFailed(AuthenticationFailedContext context) => Task.FromResult(0);
    
    /// <summary>
    /// No-op hook invoked when the authorization code arrives. Unlike a handler that calls
    /// HandleCodeRedemption, this leaves the code redemption to the middleware.
    /// </summary>
    /// <param name="context">Context carrying the authorization code and protocol message.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context) => Task.FromResult(0);
    
    /// <summary>No-op hook for the incoming protocol message; default processing continues.</summary>
    /// <param name="context">Context carrying the received protocol message.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnMessageReceived(MessageReceivedContext context) => Task.FromResult(0);
    
    /// <summary>No-op hook invoked once the authentication ticket has been produced.</summary>
    /// <param name="context">Context carrying the authentication ticket.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnTicketRecieved(TicketReceivedContext context) => Task.FromResult(0);
    
    /// <summary>No-op hook invoked after the id_token has been validated; no extra claim checks are applied here.</summary>
    /// <param name="context">Context carrying the validated token and principal.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnTokenValidated(TokenValidatedContext context) => Task.FromResult(0);
    /// <summary>No-op hook invoked when the UserInfo endpoint response has been received.</summary>
    /// <param name="context">Context carrying the UserInfo response.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnUserInformationReceived(UserInformationReceivedContext context) => Task.FromResult(0);
    
    /// <summary>No-op hook invoked when the token endpoint response has been received.</summary>
    /// <param name="context">Context carrying the token endpoint response.</param>
    /// <returns>An already-completed task.</returns>
    private Task OnTokenResponseRecieved(TokenResponseReceivedContext context) => Task.FromResult(0);
    

    Here is the project.json file:

    {
        "buildOptions": {
            "emitEntryPoint": true,
            "preserveCompilationContext": true
        },
    
        "runtimeOptions": {
            "gcServer": true
        },
    
        "dependencies": {
            "Microsoft.AspNetCore.Diagnostics": "1.0.0",
            "Microsoft.AspNetCore.Mvc": "1.0.0",
            "Microsoft.AspNetCore.Mvc.TagHelpers": "1.0.0",
            "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
            "Microsoft.AspNetCore.StaticFiles": "1.0.0",
            "Microsoft.Extensions.Configuration.FileExtensions": "1.0.0",
            "Microsoft.Extensions.Configuration.Json": "1.0.0",
            "Microsoft.Extensions.Logging": "1.0.0",
            "Microsoft.Extensions.Logging.Console": "1.0.0",
            "Microsoft.Extensions.Logging.Debug": "1.0.0",
            "Microsoft.AspNetCore.Authentication.Cookies": "1.0.0",
            "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
            "Microsoft.AspNetCore.Authentication.OpenIdConnect": "1.0.0",
            "Microsoft.NETCore.App": {
                "type": "platform",
                "version": "1.1.0"
            },
            "Microsoft.VisualStudio.Web.BrowserLink.Loader": "14.0.0"
        },
    
        "frameworks": {
            "netcoreapp1.1": {
                "imports": [
                    "dotnet5.6",
                    "dnxcore50",
                    "portable-net45+win8"
                ]
            }
        },
    
        "tools": {
            "Microsoft.AspNetCore.Server.IISIntegration.Tools": {
                "version": "1.0.0-preview2-final",
                "imports": "portable-net45+win8+dnxcore50"
            }
        },
    
        "publishOptions": {
            "include": [
                "wwwroot",
                "Views",
                "appsettings.json",
                "web.config"
            ]
        },
    
        "scripts": {
            "prepublish": [ "npm install", "bower install", "gulp clean", "gulp min" ],
            "postpublish": [ "dotnet publish-iis --publish-folder %publish:OutputPath%" ]
        }
    }