
Multitenant Web App with Asp .NET Core Sign in Issue


I am getting the error below after I configured the application for multitenancy. An unhandled exception occurred while processing the request.

SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/2566cb39-d9fg-5ad6-tryb-d1e2kl067a89/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/{tenantid}/'.

Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext() Stack Query Cookies Headers SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/2096cb39-d9fd-4ad6-bbeb-d1e2be067a89/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/{tenantid}/'. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Session.SessionMiddleware+d__9.MoveNext() Microsoft.AspNetCore.Session.SessionMiddleware+d__9.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()

Below is the Startup.cs code:

    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Threading.Tasks;
    using LPPlusUI.Models;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.EntityFrameworkCore;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.FileProviders;
    using Microsoft.IdentityModel.Tokens;
    using ReflectionIT.Mvc.Paging;
    namespace LPPlusUI
    {
        /// <summary>
        /// ASP.NET Core startup: registers authentication, session state, MVC, paging and the
        /// EF Core context, then assembles the HTTP request pipeline.
        /// </summary>
        public class Startup
        {
            /// <summary>Stores the host-supplied configuration for use in <see cref="ConfigureServices"/>.</summary>
            /// <param name="configuration">Application configuration (appsettings.json and the other providers).</param>
            public Startup(IConfiguration configuration)
            {
                Configuration = configuration;
            }

            /// <summary>Application configuration supplied by the host.</summary>
            public IConfiguration Configuration { get; }

            /// <summary>
            /// Called by the runtime to add services to the DI container.
            /// </summary>
            /// <param name="services">The service collection to populate.</param>
            public void ConfigureServices(IServiceCollection services)
            {
                // Cookies carry the signed-in session; the challenge is answered by OpenID Connect.
                var authentication = services.AddAuthentication(schemes =>
                {
                    schemes.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    schemes.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
                });

                // AddAzureAd is the project's own helper; it receives the whole "AzureAd" section
                // (ClientId, Instance, TenantId, ClientSecret, ...) exactly as bound from appsettings.json.
                // NOTE(review): with TenantId = "common" the metadata document advertises the issuer
                // template "https://sts.windows.net/{tenantid}/", which is what the IDX10205 error in the
                // question compares against; multi-tenant sign-in presumably needs a per-token issuer
                // check inside that helper rather than one fixed ValidIssuer - confirm against the helper.
                // NOTE(review): ClientSecret is stored in plain text in appsettings.json; keep it out of
                // source control (user secrets / a vault) and rotate it if it has been exposed.
                authentication
                    .AddAzureAd(azureAd => Configuration.Bind("AzureAd", azureAd))
                    .AddCookie();

                services.AddDistributedMemoryCache();
                services.AddSession(session =>
                {
                    session.IdleTimeout = TimeSpan.FromMinutes(30); // idle lifetime of a session
                });
                services.AddMvc();
                services.AddPaging();

                // The real connection string is redacted in this listing.
                var connectionString = @"string";
                services.AddDbContext<LPPlusExamContext>(db => db.UseSqlServer(connectionString));
            }

            /// <summary>
            /// Called by the runtime to configure the HTTP request pipeline.
            /// </summary>
            /// <param name="app">Pipeline builder.</param>
            /// <param name="env">Hosting environment; selects the error-handling middleware.</param>
            public void Configure(IApplicationBuilder app, IHostingEnvironment env)
            {
                if (!env.IsDevelopment())
                {
                    app.UseExceptionHandler("/Home/Error");
                }
                else
                {
                    app.UseBrowserLink();
                    app.UseDeveloperExceptionPage();
                }

                // Middleware runs in registration order: static files, then session and
                // authentication, and MVC last.
                app.UseStaticFiles();
                app.UseSession();
                app.UseAuthentication();
                app.UseMvc(routes =>
                {
                    routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}");
                });
            }
        }
        }

Below is the appsettings.json configuration:

    {
      "Logging": {
        "IncludeScopes": false,
        "LogLevel": {
          "Default": "Warning"
        }
      },
      "AzureAd": {
        "ClientId": "141b2123-d239-3568a-a713-4d4fg5781f57",
        "Domain": "lpstaging.onmicrosoft.com",
        "Instance": "https://login.microsoftonline.com/",
        "TenantId": "common",
        "CallbackPath": "/signin-oidc",
        "ClientSecret": "eVLSRM7yHjkjh678sghgjdGTh7shjkSgtGSU4=",
        "AppIDURL": "https://lpstaging.onmicrosoft.com/<app-id>",
        "ConfigView": "MVC"
      }
    }

Solution

  • I got it working...

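    services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; })
                    .AddOpenIdConnect(options =>
                    {
                        var azureadoptions = new AzureAdOptions(); Configuration.Bind("AzureAd", azureadoptions);
                        options.ClientId = $"{azureadoptions.ClientId}";
                        // With TenantId = "common" the authority metadata advertises the issuer template
                        // "https://sts.windows.net/{tenantid}/", which never equals the issuer of a real
                        // token (the IDX10205 failure); the issuer therefore has to be checked per token.
                        options.Authority = $"{azureadoptions.Instance}{azureadoptions.TenantId}";
                        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                        {
                            // Do NOT set ValidateIssuer = false: that accepts a token minted by ANY tenant,
                            // so every Azure AD account could sign in to the app. Keep validation on and
                            // supply an IssuerValidator that understands the multi-tenant issuer shapes.
                            ValidateIssuer = true,
                            IssuerValidator = (issuer, securityToken, validationParameters) =>
                            {
                                // Accept only the two Azure AD issuer forms, each carrying a tenant GUID:
                                //   v1: https://sts.windows.net/{tenantid}/
                                //   v2: https://login.microsoftonline.com/{tenantid}/v2.0
                                // (adjust the hosts if the app targets a sovereign cloud Instance)
                                string tenantSegment = null;
                                Uri issuerUri;
                                if (Uri.TryCreate(issuer, UriKind.Absolute, out issuerUri)
                                    && string.Equals(issuerUri.Scheme, Uri.UriSchemeHttps, StringComparison.Ordinal))
                                {
                                    var segments = issuerUri.Segments; // e.g. "/", "{tenantid}/", "v2.0"
                                    if (string.Equals(issuerUri.Host, "sts.windows.net", StringComparison.OrdinalIgnoreCase)
                                        && segments.Length == 2)
                                    {
                                        tenantSegment = segments[1];
                                    }
                                    else if (string.Equals(issuerUri.Host, "login.microsoftonline.com", StringComparison.OrdinalIgnoreCase)
                                        && segments.Length == 3
                                        && string.Equals(segments[2], "v2.0", StringComparison.Ordinal))
                                    {
                                        tenantSegment = segments[1];
                                    }
                                }
                                Guid tenantId;
                                if (tenantSegment == null || !Guid.TryParse(tenantSegment.TrimEnd('/'), out tenantId))
                                {
                                    // Throwing (rather than returning) is how an IssuerValidator rejects a token.
                                    throw new Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException(
                                        $"Issuer validation failed. Issuer: '{issuer}' is not an Azure AD tenant issuer.")
                                    { InvalidIssuer = issuer };
                                }
                                // TODO: a multi-tenant app should also reject tenants it has not onboarded,
                                // e.g. by looking tenantId up in the application's own tenant registry.
                                return issuer;
                            },
                            ValidAudience = $"{azureadoptions.ClientId}",
                            //ValidAudiences = new List<string> { $"{azureadoptions.ClientId}", $"api://{azureadoptions.ClientId}", $"https://myapp.azurewebsites.net/" },
                            //ValidIssuer = $"https://sts.windows.net/{azureadoptions.ClientId}/" // for "signInAudience": "AzureADMyOrg" or "AzureADMultipleOrgs"
                            //ValidIssuer = $"{azureadoptions.Instance}{azureadoptions.TenantId}" // for "signInAudience": "AzureADandPersonalMicrosoftAccount"
                            //ValidIssuers = new List<string> { $"https://sts.windows.net/{azureadoptions.TenantId}/", $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2.0" }                        
                        };
                        //Log.LogInformation($"the AddJwtBearer options have been configured for ClientId = {azureadoptions.ClientId}");
                    })
                    .AddCookie();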