Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
I've developed a website that will be authenticating users against Azure Active Directory and have seen that on the production webserver which doesn't have https://login.microsoftonline.com/ whitelisted authentication fails with an "Unable to obtain configuration from https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" error. I have always thought that what mattered was for authenticating users to have appropriate access to required AAD endpoints and until now I was missing that also the webserver needs to have access to AAD endpoints to download for example the OpenID configuration document as described here. I was wondering if the OpenID configuration can only be downloaded directly from AAD or if there is the option to download it manually and provided it offline to the website somehow.
==========
Setting of authentication and authorization in the ASP.NET application is as follows:
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options =>
{
// By default, all incoming requests will be authorized according to the default policy.
options.FallbackPolicy = options.DefaultPolicy;
});
and clearly I have my tenant and app registration configured appropriately in the application's appsettings.json file:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "<company>.onmicrosoft.com",
"TenantId": "<my-tenant-id>",
"ClientId": "<my-client-id>",
"CallbackPath": "/signin-oidc",
"ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
"ClientCertificates": []
}
==========
I believe the issue I'm facing is due to the fact that .NET libraries are making calls using HttpClient instances for which webproxy information is not set as I do in my custom code. How can I set webproxy information application wide ?
As suspected, the issue I was facing was indeed that http calls made internally by .NET libraries to the AAD endpoint (https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration) were failing going through our company's web proxies. I had to set the web proxy application-wide by making a call such as the following in my ASP.NET application to solve the immediate failure:
Environment.SetEnvironmentVariable("ALL_PROXY", $"{proxyAddress}:{proxyPort}");
After being able to reach the AAD endpoint, authentication of users started looping forever with a "System.Exception: An error was encountered while handling the remote login. ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application." error being logged in the application event log of my webserver. It proved that on the app registration required for authenticating users against AAD, I had not set the following option in the authentication pane of the app registration:
- Adding related entities - Concurrency Exception
- What does script manager control actually do?
- How import WebApplicationBuilder in a Class Library?
- how to deny user to access sub folders and file?
- Calling async methods from non-async code
- Return datareader from method
- Icon Doesn't Appear for MAUI Blazor App on Windows if Taskbar Icons are Combined
- How can I add double quotes to a string that is inside a variable?
- Unable to configure the build output directory on .net web project
- No type was found that matches the controller named 'help'
- MemoryCache SetSize, does it limit cache entry size
- Token handler unable to convert the token to jwt token
- Why does aspnet core start on port 80 from within Docker?
- Why loading some css and js file taking too long time?
- Antiforgery token migration from .NET framework to .NET Core
- Generating reports at runtime
- making asynchronous calls from generic handler (.ashx)
- Bind query parameters to a model in ASP.NET Core
- Issue with Tuple Mapping Using AutoMapper
- An unhandled exception occurred during the execution of the current web request. ASP.NET
- My C# button not doing anything when clicked on?
- ASP.NET MVC Creating User: Multiplicity is not valid
- How to obtain number of pages in a Crystal Reports .NET report
- How to use "TypedHttpClientFactory" with "AddHttpMessageHandler"?
- CSS compression & combining / js minification - Better to do at runtime or at build time?
- How to return error message from SQL Server to web page
- Kubernetes connection refused when trying to make http request to pod
- Insert an element in web.config based on key value in appsettings
- How to get StyleRules as a string output using ExCSS Parser
- How can I solve a connection pool problem between ASP.NET and SQL Server?