Tags: azure, asp.net-core, azure-active-directory, openid

Cannot Authenticate with Azure AD, losing cookie and redirect is showing no permissions


Really having a nightmare with this in all honesty.

I have the repo from https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC which should set up Azure AD and Open Id with ASP Core 3.0.

I am using Azure to deploy an application using ASP Core 3.0 MVC. I have implemented the above repo into my solution which should take care of everything in startup.cs, my localhost is working absolutely fine.

Start up is the same as the 1-WebApp-OIDC solution (other than logging and DI related registrations).

The app is registered in the Azure portal, the tenant id and client id are fine, correct redirects are in there as well. App Service Auth is turned off also (I read this could be an issue as many had solved this by turning it off). Also Home, Index controller has [Authorize] attribute on.

Now when it comes to deployment I keep getting 'You do not have permission to view this directory or page.' on my /signin-oidc redirect URL. Just to note, I was getting this message even when not using the openidconnect class library.

If I go to https://mysite.azurewebsites.net/.auth/login/aad/callback - I get 'You have successfully logged in' page, with the 'RETURN TO THE WEBSITE' link. Once clicked, back to the same message as above.

I'm also getting a token from https://mysite.azurewebsites.net/.auth.me - have read .NET Core app with Azure App Service Authentication but he was able to get past the login and just wasn't getting the right claim identities.

Now, when I check in Azure at the domain's sign-ins, it shows as success. I then log into Kudu to check the logs (in .../application) and find contradictions.

The diagnostics logs say:

2020-02-01 10:32:19.279 +00:00 [Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware: Request did not match any endpoints
2020-02-01 10:32:19.279 +00:00 [Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: AuthenticationScheme: AzureADCookie was not authenticated.

The other set of logs which generate a guid for each session show:

2020-02-01T10:32:01  PID[3780] Verbose     Received request: GET https://mysite.azurewebsites.net/
2020-02-01T10:32:01  PID[3780] Information Redirecting: https://login.windows.net/89f3808f-0cff-4297-b17a-313007c7b8a6/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmysite.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=f70bd4d6-3cb3-463e-9fca-974053e2f177&scope=openid+profile+email&response_mode=form_post&nonce=6f1c5c8d07f5481193439dd95c3cf03b_20200201103701&state=redir%3D%252F
2020-02-01T10:32:02  PID[3780] Verbose     Received request: POST https://mysite.azurewebsites.net/.auth/login/aad/callback
2020-02-01T10:32:02  PID[3780] Verbose     JWT validation succeeded. Subject: 'C6JYPu8NBYT8sC-s6G33w6sxNkct28RdeeyfL1SndjA', Issuer: 'https://sts.windows.net/89f3808f-0cff-4297-b17a-313007c7b8a6/'.
2020-02-01T10:32:02  PID[3780] Information Login completed for 'DanADLogin@company.com'. Provider: 'aad'.
2020-02-01T10:32:02  PID[3780] Verbose     Writing 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:02  PID[3780] Information Redirecting: https://mysite.azurewebsites.net/
2020-02-01T10:32:02  PID[3780] Verbose     Received request: GET https://mysite.azurewebsites.net/
2020-02-01T10:32:02  PID[3780] Verbose     Found 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:02  PID[3780] Verbose     Authenticated DanADLogin@company.com successfully using 'Session Cookie' authentication.
2020-02-01T10:32:19  PID[3780] Verbose     Received request: POST https://mysite.azurewebsites.net/signin-oidc
2020-02-01T10:32:19  PID[3780] Verbose     Found 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:19  PID[3780] Information Sending response: 403.60 Forbidden
2020-02-01T10:32:19  PID[3780] Warning     Cross-site request forgery detected for user 'DanADLogin@company.com' from referer 'login.microsoftonline.com'!
2020-02-01T10:32:19  PID[3780] Verbose     Received request: GET https://mysite.azurewebsites.net/favicon.ico
2020-02-01T10:32:19  PID[3780] Verbose     Found 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:19  PID[3780] Verbose     Authenticated DanADLogin@company.com successfully using 'Session Cookie' authentication.

Clearly the cookie is being lost somewhere. I've read about a redirect loop that interferes with cookies from Core and cookies from OpenID. I've exhausted Stack Overflow and other articles, all to no avail.

There is one issue that is very similar but using Google Auth: Requesting refresh token fails. No refresh tokens were found in the token store. This does not work for AAD.

I’m genuinely out of what to do, I have persevered long enough and I think I may go mad if I spend another day on this. I'm sure it cannot be this difficult 😅.

Any help or guidance would be greatly appreciated.
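The two log excerpts in the question come from two different authentication layers: the `/.auth/login/aad/callback` path and the `AppServiceAuthSession` cookie belong to App Service Authentication (the platform's built-in auth), while `/signin-oidc` is the default callback path of the ASP.NET Core OpenID Connect middleware running inside the app. The script below is an added triage example, not code from the question, the answer or the Azure sample repository. It groups the platform log into per-request records and flags (a) that the platform layer is writing and reading its own session cookie and (b) which request the platform itself answered with a 403. The finding codes and the `Request` structure are my own assumptions; the sample log is an abridged copy of the lines quoted above with the tenant id, client id and token subject replaced by placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: abridged from the App Service Authentication log quoted
# in the question; TENANT and SUBJECT are placeholders, not real values.
SAMPLE_LOG = """\
2020-02-01T10:32:01  PID[3780] Verbose     Received request: GET https://mysite.azurewebsites.net/
2020-02-01T10:32:01  PID[3780] Information Redirecting: https://login.windows.net/TENANT/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmysite.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback
2020-02-01T10:32:02  PID[3780] Verbose     Received request: POST https://mysite.azurewebsites.net/.auth/login/aad/callback
2020-02-01T10:32:02  PID[3780] Verbose     JWT validation succeeded. Subject: 'SUBJECT', Issuer: 'https://sts.windows.net/TENANT/'.
2020-02-01T10:32:02  PID[3780] Information Login completed for 'DanADLogin@company.com'. Provider: 'aad'.
2020-02-01T10:32:02  PID[3780] Verbose     Writing 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:02  PID[3780] Information Redirecting: https://mysite.azurewebsites.net/
2020-02-01T10:32:02  PID[3780] Verbose     Received request: GET https://mysite.azurewebsites.net/
2020-02-01T10:32:02  PID[3780] Verbose     Found 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:02  PID[3780] Verbose     Authenticated DanADLogin@company.com successfully using 'Session Cookie' authentication.
2020-02-01T10:32:19  PID[3780] Verbose     Received request: POST https://mysite.azurewebsites.net/signin-oidc
2020-02-01T10:32:19  PID[3780] Verbose     Found 'AppServiceAuthSession' cookie for site 'mysite.azurewebsites.net'. Length: 920.
2020-02-01T10:32:19  PID[3780] Information Sending response: 403.60 Forbidden
2020-02-01T10:32:19  PID[3780] Warning     Cross-site request forgery detected for user 'DanADLogin@company.com' from referer 'login.microsoftonline.com'!
"""

# Line layout: "<timestamp>  PID[<pid>] <level> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+PID\[(?P<pid>\d+)\]\s+(?P<level>\w+)\s+(?P<msg>.*)$")
REQ_RE = re.compile(r"^Received request: (?P<method>[A-Z]+) (?P<url>\S+)$")
RESP_RE = re.compile(r"^Sending response: (?P<status>[\d.]+)")

PLATFORM_COOKIE = "AppServiceAuthSession"   # cookie name used by App Service Authentication
OIDC_CALLBACK = "/signin-oidc"              # default ASP.NET Core OpenID Connect callback path


@dataclass
class Request:
    """One platform-level request and the auth events logged while handling it (assumed structure)."""
    ts: str
    method: str
    path: str
    status: Optional[str] = None        # only set when the platform itself answered
    redirect_to: Optional[str] = None
    cookie_written: bool = False
    cookie_found: bool = False
    jwt_validated: bool = False
    csrf_warning: bool = False
    notes: List[str] = field(default_factory=list)


def parse_requests(log_text: str) -> List[Request]:
    """Group log lines into requests; each 'Received request' line starts a new record."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the platform log format
        level, msg = m["level"], m["msg"]
        r = REQ_RE.match(msg)
        if r:
            current = Request(ts=m["ts"], method=r["method"], path=urlparse(r["url"]).path)
            requests.append(current)
            continue
        if current is None:
            continue
        s = RESP_RE.match(msg)
        if s:
            current.status = s["status"]
        elif msg.startswith(f"Writing '{PLATFORM_COOKIE}' cookie"):
            current.cookie_written = True
        elif msg.startswith(f"Found '{PLATFORM_COOKIE}' cookie"):
            current.cookie_found = True
        elif msg.startswith("JWT validation succeeded"):
            current.jwt_validated = True
        elif level == "Warning" and "Cross-site request forgery" in msg:
            current.csrf_warning = True
        elif msg.startswith("Redirecting: "):
            current.redirect_to = msg[len("Redirecting: "):]
        else:
            current.notes.append(msg)
    return requests


def diagnose(requests: List[Request]) -> List[str]:
    """Return finding codes (assumed names) that tell the two auth layers apart."""
    findings: List[str] = []
    if any(r.cookie_written or r.cookie_found for r in requests):
        # The platform only writes/reads this cookie when App Service Authentication handles logins.
        findings.append("platform-auth-session-cookie-in-use")
    for r in requests:
        if r.method == "POST" and r.path == OIDC_CALLBACK and r.status and r.status.startswith("403"):
            # The platform answered the app's OIDC callback itself; the request never reached the app.
            findings.append(f"platform-answered-oidc-callback:{r.status}")
        if r.csrf_warning:
            findings.append(f"platform-csrf-rejection:{r.path}")
    return findings


def summarize(requests: List[Request]) -> List[str]:
    """One line per request for a quick read of who handled what."""
    out = []
    for r in requests:
        handled_by = "platform" if r.status or r.redirect_to else "app"
        out.append(f"{r.ts} {r.method} {r.path} -> {handled_by} "
                   f"status={r.status or '-'} jwt={r.jwt_validated} "
                   f"cookie_written={r.cookie_written} cookie_found={r.cookie_found} csrf={r.csrf_warning}")
    return out


if __name__ == "__main__":
    parsed = parse_requests(SAMPLE_LOG)
    print("\n".join(summarize(parsed)))
    print("findings:", diagnose(parsed))
```

Running it against the sample separates the successful platform login (JWT validated, cookie written on the `/.auth/login/aad/callback` POST) from the later `/signin-oidc` POST that the platform rejected with 403.60 and a CSRF warning before the ASP.NET Core middleware could see it. When triaging a deployment, a reader can paste the full Kudu log in place of `SAMPLE_LOG`; any `platform-*` finding means the request was decided above the application layer, so the app's own diagnostic log ("AuthenticationScheme: AzureADCookie was not authenticated") is a consequence, not the cause.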


Solution

  • Clearly a lot of interest lol ...

    This was actually nothing to do with Azure AD or OpenId at all.

    It was a db call in my data layer that was calling an external db in my home controller (not in Azure) that was throwing all these issues.