active-directory-dotnet-webapp-openidconnect-aspnetcore | NET Core web application that signs-in Azure AD | Azure library

I have an ASPNET Core 2 application which I am trying to Authenticate with Azure AD using OpenId. I just have boilerplate code from selecting Single Organization Authentication in the ASPNET Core 2 templates, so no custom code. I followed the article here.

The app is not able to get metadata from the Azure AD application because of proxy. The same URL returns data if I just paste it in browser.

The error I get is:

HttpRequestException: Response status code does not indicate success: 407 (Proxy Authentication Required).

System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() IOException: IDX10804: Unable to retrieve document from: 'https://login.microsoftonline.com/my-tenant-id/.well-known/openid-configuration'.

Microsoft.IdentityModel.Protocols.HttpDocumentRetriever+d__8.MoveNext()

I have another ASPNET 4.5.2 application where I am able to perform authentication with the same Azure AD app as above after setting proxy in code like below:

I am adding Azure AD Authentication to an ASP.NET Core application. The Application is registered in Azure AD and has custom roles setup in the manifest. These roles are used for Authorization policies within the app. Everything is working when users log in, they get redirected to sign in to Azure and come back with a Cookie containing their Claims.

My issue is that unless the Cookie is deleted in the browser, these Claims persist and aren't refreshed when Roles in Azure change. For example if a User signs in, then I remove them from a Role, they will still be seen as in that Role by the application.

I tried setting a 1 minute expiration to the Cookie, but it doesn't have an impact and I still have the same issue. Here is how the auth is configured in Startup. (AddAzureAd() comes from this example: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/blob/master/Extensions/AzureAdAuthenticationBuilderExtensions.cs):

I was able to get this example working https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

My question is how to do something additional after authentication. For example, on a typical Login page, in the POST after validating, I could set a log record for the user or set additional cookies.

With Azure AD integration I'm not sure where to put such code that should be executed only once the user has been authenticated. The reply URL (call back path) does not work for this purpose (I tried putting my custom page here and it really didn't get executed. Apparently the middle-ware creates a special route for that end point so that it can process the login token data)

Any help is appreciated!

I have completed the guide here to add Azure AD authentication to my application:

https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

and can log in successfully, have a service principal and everything works as expected.

I now want to make web requests as the user, but can't see how to get the authentication details to send in the request, I've tried looking through the ClaimsPrincipal.Current object, but there is nothing i can pass to a HTTP client to make the request.

I am trying to find the access token from AAD after user is authenticated from OpenId Connect. It is a web application integrated with AAD OpenId Connect. I need to get the access token to call another API that uses the same AAD. Here's what I've tried:

1. Clone this sample code.

2. In Startup.cs file, add the following block of code:

   ...

I created an Azure Active Directory Application and applied the code from the following tutorial to enable login: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

After login the following returns my email adress:

I've setup a .NET Core 2.0 webapp with Azure AD using OpenIdConnect (like this one: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore, all the OpenIDConnect configuration is located here).

I have the following scenario:

• call of http://localhost/my-api-function
• redirection to microsoftonline.com
• choose a Microsoft account I haven't already logged in to this app
• enter password
• accept the requested authorizations (the API app registration grants Graph API access to user profile). See the attached screenshot.

• I get redirected to http://localhost/signin-oidc with the following error:

  OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.

I think I may have an incorrect redirection after login. I expect to be redirected to http://localhost/my-api-function rather than http://localhost/signin-oidc

I have another working scenario:

• call of http://localhost/my-api-function
• redirection to microsoftonline.com
• choose a Microsoft account I have already logged in to this app then logged out
• enter password
• not prompted again to accept the requested authorizations (the API app registration grants Graph API access to user profile).
• I get redirected to http://localhost/my-api-function as expected and get my protected data.

In Azure AD, I've configured the following reply-url: http://localhost/signin-oidc and granted both "Windows Azure Active Directory" and "Microsoft Graph" APIs to "sign in and read user profile".

Thanks for any pointers.

Edit of 08/22: I understood that redirection seems to redirect to previous url in authentication flow so posted to MS Forums with this more specific indication to look for a solution.

I have a .NET Core 2.0 application running in a Kubernetes cluster with Linux containers. In front of the application I have an Nginx reverse proxy that is set up with LetsEncrypt, SSL termination, and forwarding http to the app.

My app successfully authenticates and redirects locally (without reverse proxy) and is based on the sample form here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore

When deployed, this setup initially caused issues with the app attempting to authenticate users by switching from https://my.domain.cloudapp.azure.com to http://my.domain.cloudapp.azure.com. As a result my reply URL (https://my.domain.cloudapp.azure.com/signin-oidc) was not being used and I received an error.

I was able to fix this with information from here and here and specifically I added:

I created an Azure Active Directory Application and i want to use role based security. I followed the tutorial on: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

The login works, I added roles to the application manifest and assigned the role Approver to my own account. Now i want to use these roles.

After login the following works in the controller: