active-directory-dotnet-webapp-openidconnect | NET MVC web application that uses OpenID Connect | Azure library

I have an ASPNET Core 2 application which I am trying to Authenticate with Azure AD using OpenId. I just have boilerplate code from selecting Single Organization Authentication in the ASPNET Core 2 templates, so no custom code. I followed the article here.

The app is not able to get metadata from the Azure AD application because of proxy. The same URL returns data if I just paste it in browser.

The error I get is:

HttpRequestException: Response status code does not indicate success: 407 (Proxy Authentication Required).

System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() IOException: IDX10804: Unable to retrieve document from: 'https://login.microsoftonline.com/my-tenant-id/.well-known/openid-configuration'.

Microsoft.IdentityModel.Protocols.HttpDocumentRetriever+d__8.MoveNext()

I have another ASPNET 4.5.2 application where I am able to perform authentication with the same Azure AD app as above after setting proxy in code like below:

I am adding Azure AD Authentication to an ASP.NET Core application. The Application is registered in Azure AD and has custom roles setup in the manifest. These roles are used for Authorization policies within the app. Everything is working when users log in, they get redirected to sign in to Azure and come back with a Cookie containing their Claims.

My issue is that unless the Cookie is deleted in the browser, these Claims persist and aren't refreshed when Roles in Azure change. For example if a User signs in, then I remove them from a Role, they will still be seen as in that Role by the application.

I tried setting a 1 minute expiration to the Cookie, but it doesn't have an impact and I still have the same issue. Here is how the auth is configured in Startup. (AddAzureAd() comes from this example: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/blob/master/Extensions/AzureAdAuthenticationBuilderExtensions.cs):

I was able to get this example working https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

My question is how to do something additional after authentication. For example, on a typical Login page, in the POST after validating, I could set a log record for the user or set additional cookies.

With Azure AD integration I'm not sure where to put such code that should be executed only once the user has been authenticated. The reply URL (call back path) does not work for this purpose (I tried putting my custom page here and it really didn't get executed. Apparently the middle-ware creates a special route for that end point so that it can process the login token data)

Any help is appreciated!

I have completed the guide here to add Azure AD authentication to my application:

https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

and can log in successfully, have a service principal and everything works as expected.

I now want to make web requests as the user, but can't see how to get the authentication details to send in the request, I've tried looking through the ClaimsPrincipal.Current object, but there is nothing i can pass to a HTTP client to make the request.

I have tried the azure ad authentication in asp.net web form application from a solution got from Microsoft docs.but is not working.The app is not redirect to Microsoft authorize login page.The error which i got is 401 unauthorized error.I don't know how it throwing.

https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-webapp-openidconnect/

this is the link which i referred.

This is my startup.cs

I am trying to find the access token from AAD after user is authenticated from OpenId Connect. It is a web application integrated with AAD OpenId Connect. I need to get the access token to call another API that uses the same AAD. Here's what I've tried:

1. Clone this sample code.

2. In Startup.cs file, add the following block of code:

   ...

I have registered a application using the App Registration (Preview) Blade and added the Azure Service Management API as API Permissions I downloaded the MSAL based Sample from

https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2

Now in startup.auth.cs if i change the Scope i.e keep openid and add https://management.azure.com and then run and try and Login with a Microsoft Account i get the following error

This Doesn't Look like a Work or School Email you cant Sign-in here with Personal Account use your work or School Account Instead.

if i remove the Scope for https://managment.azure.com and just keep Openid profile offline_access i get the Consent Screen and Login

new OpenIdConnectAuthenticationOptions { // The Authority represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0 // The Scope describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/ ClientId = clientId, Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "common", "/v2.0"), RedirectUri = redirectUri, Scope = "openid https://management.azure.com/.default", PostLogoutRedirectUri = redirectUri,

I am Expecting to have the user Login and Obtain a Token for management API , i am Looking for Reasons for getting the above Error is this Expected ? The Account that i am using exists in my directory as a Member . this works if i use a Managed user(user@tenant.onmicrosoft.com) to Login

I created an Azure Active Directory Application and applied the code from the following tutorial to enable login: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

After login the following returns my email adress:

I've setup a .NET Core 2.0 webapp with Azure AD using OpenIdConnect (like this one: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore, all the OpenIDConnect configuration is located here).

I have the following scenario:

• call of http://localhost/my-api-function
• redirection to microsoftonline.com
• choose a Microsoft account I haven't already logged in to this app
• enter password
• accept the requested authorizations (the API app registration grants Graph API access to user profile). See the attached screenshot.

• I get redirected to http://localhost/signin-oidc with the following error:

  OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.

I think I may have an incorrect redirection after login. I expect to be redirected to http://localhost/my-api-function rather than http://localhost/signin-oidc

I have another working scenario:

• call of http://localhost/my-api-function
• redirection to microsoftonline.com
• choose a Microsoft account I have already logged in to this app then logged out
• enter password
• not prompted again to accept the requested authorizations (the API app registration grants Graph API access to user profile).
• I get redirected to http://localhost/my-api-function as expected and get my protected data.

In Azure AD, I've configured the following reply-url: http://localhost/signin-oidc and granted both "Windows Azure Active Directory" and "Microsoft Graph" APIs to "sign in and read user profile".

Thanks for any pointers.

Edit of 08/22: I understood that redirection seems to redirect to previous url in authentication flow so posted to MS Forums with this more specific indication to look for a solution.