Redeem authCode failing with error in v2.5.0 #2096
Comments
same here
@michiproep @MrCodeB2

```json
"ClientCredentials": [
  {
    "SourceType": "ClientSecret",
    "ClientSecret": "***"
  }
]
```
Hi @jmprieur,
I can confirm this makes it impossible for users to log in. The only thing that helped was reverting back to 1.26.0.
@michiproep @Jonathan-a35y @MrCodeB2 |
No, it's a plain ASP.NET Core MVC app.
@michiproep would you be able to share a repro?
Using both. The issue is with the scaffolded templates (dotnet new razor2), but the main points are listed below. The secret is not used with the latest packages, but it is with 1.*.

Program.cs:

```csharp
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
```

appsettings.json:

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "myprivatetenant.onmicrosoft.com",
    "TenantId": "random_guid",
    "ClientId": "random_guid",
    "ClientSecret": "my_super_secret",
    "ResponseType": "code",
    "CallbackPath": "/signin-oidc",
    "ClientCredentials": [
      {
        "SourceType": "ClientSecret",
        "ClientSecret": "my_super_secret"
      }
    ]
  }
}
```
+1, confirmed this breaks sign-in for an ASP.NET Core Web App that is configured to call the Graph API downstream. Downgrading to 1.26.0 fixes it.
In the appsettings.json you should have either the ClientSecret, or the client credentials of SourceType: ClientSecret, but not both.
Well, I tried all combinations... None of them works. Also setting them in code via configure(...)
Neither of them works, tried one at a time in
I can confirm that ^
I tried this both ways. I am using user-secrets to test this locally before promoting to a cloud environment. I added the following user secret keys (my existing configuration section is called AzureAd):
@Dzeneralen
Then I've created an app in Azure AD and configured it with a client secret. That's my Program.cs:

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
// Sign in with the Microsoft identity platform and acquire a token for Graph (user.read).
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "user.read" })
    .AddMicrosoftGraph()
    .AddInMemoryTokenCaches();

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();

app.MapRazorPages();
app.MapControllers();

app.Run();
```

and the appsettings.json file:

```json
{
  /*
    The following identity settings need to be configured
    before the project can be successfully executed.
    For more info see https://aka.ms/dotnet-template-ms-identity-platform
  */
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mydomain",
    "TenantId": "MytenantId",
    "ClientId": "MyClientId",
    "ClientSecret": "*****"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}
```

The index.cs page is:

```csharp
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Graph;
using Microsoft.Identity.Web;

namespace idweb_bugs.Pages;

// Triggers an incremental-consent challenge if the user.read scope is missing.
[AuthorizeForScopes(Scopes = new string[] { "user.read" })]
public class IndexModel : PageModel
{
    private readonly GraphServiceClient _graphServiceClient;
    private readonly ILogger<IndexModel> _logger;

    public IndexModel(ILogger<IndexModel> logger, GraphServiceClient graphServiceClient)
    {
        _logger = logger;
        _graphServiceClient = graphServiceClient;
    }

    public async Task OnGet()
    {
        // Calls Graph /me with the signed-in user's token.
        var me = await _graphServiceClient.Me.Request().GetAsync();
    }
}
```

This works well. How do you specify your secret? In the appsettings.json file, or in code? Also, don't you have something empty in the dotnet secret manager?
I also added this to the appsettings.json (even if this is the default): "ResponseType": "code", and this worked too. @michiproep @paulirwin @MrCodeB2 @Dzeneralen @Jonathan-a35y:
@michiproep @paulirwin @MrCodeB2 @Dzeneralen @Jonathan-a35y we slightly updated the title and the description of the bug with the repro steps.
GitHub automatically closed this, reopening. This will be in the 2.6.1 release which should be out this week 3/23-3/24. |
Included in the 2.6.1 release |
I can confirm that this is working now.
And second: Sorry to say, but these 2.x versions are a complete mess currently.
@michiproep As we explained in the release notes, you need to set up your event handlers with the named options (the authentication scheme). You can use OpenIdConnectOptions or MicrosoftIdentityOptions (OpenIdConnectOptions is more performant). Please see: We can also help you better if you share repro code (when we met, you said you would). If you'd rather meet again, just let us know. We can too.
@jmprieur Although I did send you the code twice already, I have now created a repo and sent the link via email...
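As an added example (not code from this thread or from the Microsoft.Identity.Web project), the Program.cs below registers both the client credential and the OpenID Connect event handlers against the named options for the authentication scheme, as the reply above describes, and sets ClientCredentials instead of ClientSecret, following the either/or rule stated earlier in the thread. It assumes a release that contains the fix tracked here (2.6.1 or later), an "AzureAd" configuration section that does not itself carry a ClientSecret key, an assumed user-secrets key "Secrets:AzureAdClientSecret" holding the secret, an "/Error" Razor page, and the CredentialDescription / CredentialSource types from Microsoft.Identity.Abstractions that the 2.x packages depend on.

```csharp
// Added example, not code from the issue or the library. Assumptions are noted inline.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "user.read" })
    .AddInMemoryTokenCaches();

// Confidential-client credential supplied in code through the NAMED options for the
// scheme. Use either ClientSecret or ClientCredentials, never both; here the "AzureAd"
// section is assumed to contain no ClientSecret, and the secret is assumed to live under
// the user-secrets key "Secrets:AzureAdClientSecret".
builder.Services.Configure<MicrosoftIdentityOptions>(
    OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.ClientCredentials = new[]
    {
        new CredentialDescription
        {
            SourceType = CredentialSource.ClientSecret,
            ClientSecret = builder.Configuration["Secrets:AzureAdClientSecret"]
        }
    };
});

// Event handlers go on the named OpenIdConnectOptions too. Identity.Web installs its own
// OnAuthorizationCodeReceived handler, which is the step that redeems the code with
// client_secret/client_assertion. Replacing it outright would drop that authentication
// from the token request, so the existing delegate is captured and chained.
builder.Services.Configure<OpenIdConnectOptions>(
    OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var redeemCode = options.Events.OnAuthorizationCodeReceived;
    options.Events.OnAuthorizationCodeReceived = async context =>
    {
        await redeemCode(context);   // keep the library's redemption step
        // Application-specific work after the code is redeemed goes here.
    };

    // Log the token-endpoint error (e.g. an AADSTS error_description) instead of
    // letting it surface as an unhandled OpenIdConnectProtocolException.
    options.Events.OnRemoteFailure = context =>
    {
        context.HttpContext.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("OidcRemoteFailure")
            .LogError(context.Failure, "OpenID Connect remote failure");
        context.Response.Redirect("/Error");   // assumed error page
        context.HandleResponse();
        return Task.CompletedTask;
    };
});

builder.Services.AddRazorPages();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

Both Configure calls name OpenIdConnectDefaults.AuthenticationScheme; an unnamed Configure<OpenIdConnectOptions>(...) would only affect the default (unnamed) options instance and leave the scheme used for sign-in untouched, which is the mismatch the reply above points at.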
Regarding my last comment, there are some additional issues created by other users now. |
Microsoft.Identity.Web Library: Microsoft.Identity.Web
Microsoft.Identity.Web version: 2.5.0
Web app: Sign-in users, when the appsettings.json contains "ResponseType": "code"
Description
After upgrading to 2.5.0, sign-in is not working anymore.
It's failing with
OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: f230550d-2015-4e89-a234-a98a4b718000 Correlation ID: 33e33f36-5a76-4b3d-b8f7-5c56e1724fe7 Timestamp: 2023-03-01 09:56:57Z', error_uri: 'https://login.microsoftonline.com/error?code=7000218'.
although ClientSecret is set in options.
Reproduction steps
Just migrate to 2.5.0 an application which overrides "ResponseType": "code".
Error message
OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: f230550d-2015-4e89-a234-a98a4b718000 Correlation ID: 33e33f36-5a76-4b3d-b8f7-5c56e1724fe7 Timestamp: 2023-03-01 09:56:57Z', error_uri: 'https://login.microsoftonline.com/error?code=7000218'.
Id Web logs
No response
Relevant code snippets
Regression: 1.26.0
Expected behavior
The client_assertion/client_secret parameter is sent with the redeemCode request.