Microsoft-identity-web: [Bug] signInManager.GetExternalLoginInfoAsync() always returns null

Created on 28 Apr 2020  路  24Comments  路  Source: AzureAD/microsoft-identity-web

Which Version of Microsoft Identity Web are you using ?
Microsoft Identity Web 0.1.1-preview

Application

  1. Create new project -> ASP.NET Core Web Application -> Web Application (Model-View-Controller). Authentication: Individual User Accounts (Store user accounts in-app).
  2. Replace AddAzureAd with AddSignIn

for details see https://github.com/AzureAD/microsoft-identity-web/issues/133#issuecomment-621042225 below

In this I only added two things:
Where is the issue?
-> Sign-in user

In our application we use .NET Core Identity Framework (local DB) and external login provider. So we have multiple authentication provider and some users sign in directly (via .NET Core Identity Framework) and some via AAD.
Calling signInManager.GetExternalLoginInfoAsync() leads to null return value with the updated code.
Maybe it has to do with the appsettings property "CookieSchemeName": "Identity.External". Because this was necessary to get external AAD login working. As stated here. Maybe it will be ignored by now.

So we replaced the following code:

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

with that one:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddSignIn(Configuration, "AzureAd", subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true);

appsettings.json section was not modified:

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xyz.com",
    "TenantId": "AEEE9884-9E13-41E7-A25F-304C44407A78",
    "ClientId": "787EBDED-B77E-4CFC-BAA0-2D2B00C41B4F",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath ": "/signout-callback-oidc",
    "CookieSchemeName": "Identity.External"
}

Login with the "old" code leads to the following log entries:

Anforderung gestartet: "POST" https://localhost:44338/Account/ExternalLogin?returnurl=%2F
[11:51:27 INF] Request starting HTTP/2.0 POST https://localhost:44338/Account/ExternalLogin?returnurl=%2F application/x-www-form-urlencoded 199
[11:51:27 DBG] POST requests are not supported
[11:51:27 DBG] 1 candidate(s) found for the request path '/Account/ExternalLogin'
[11:51:27 DBG] Endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/Account/ExternalLogin'
[11:51:27 DBG] Request matched endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[11:51:27 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[11:51:27 INF] Executing endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[11:51:27 INF] Route matched with {action = "ExternalLogin", controller = "Account", area = "", page = ""}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult ExternalLogin(System.String, System.String) on controller Monitoring.Controllers.AccountController (ToSec.Presentation).
[11:51:27 DBG] Execution plan of authorization filters (in the following order): ["Microsoft.AspNetCore.Mvc.RequireHttpsAttribute (Order: -2147483598)", "Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter"]
[11:51:27 DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:51:27 DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)", "Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)", "ToSec.Presentation.Filters.GlobalActionFilter"]
[11:51:27 DBG] Execution plan of exception filters (in the following order): ["None"]
[11:51:27 DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:51:27 DBG] Antiforgery successfully validated a request.
[11:51:27 DBG] Executing controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:51:27 DBG] Executed controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:51:27 DBG] Attempting to bind parameter 'provider' of type 'System.String' ...
[11:51:27 DBG] Attempting to bind parameter 'provider' of type 'System.String' using the name 'provider' in request data ...
[11:51:27 DBG] Done attempting to bind parameter 'provider' of type 'System.String'.
[11:51:27 DBG] Done attempting to bind parameter 'provider' of type 'System.String'.
[11:51:27 DBG] Attempting to validate the bound parameter 'provider' of type 'System.String' ...
[11:51:27 DBG] Done attempting to validate the bound parameter 'provider' of type 'System.String'.
[11:51:27 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' ...
[11:51:27 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' using the name 'returnUrl' in request data ...
[11:51:27 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:51:27 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:51:27 DBG] Attempting to validate the bound parameter 'returnUrl' of type 'System.String' ...
[11:51:27 DBG] Done attempting to validate the bound parameter 'returnUrl' of type 'System.String'.
[11:51:27 DBG] Found the endpoints ["Route: {controller=Home}/{action=Index}/{id?}"] for address Microsoft.AspNetCore.Routing.RouteValuesAddress
[11:51:27 DBG] Successfully processed template {controller=Home}/{action=Index}/{id?} for Route: {controller=Home}/{action=Index}/{id?} resulting in /Account/ExternalLoginCallback and ?ReturnUrl=%2F
[11:51:27 DBG] Link generation succeeded for endpoints ["Route: {controller=Home}/{action=Index}/{id?}"] with result /Account/ExternalLoginCallback?ReturnUrl=%2F
[11:51:27 INF] Executing ChallengeResult with authentication schemes (["AzureAD"]).
[11:51:28 DBG] HandleChallenge with Location: https://login.microsoftonline.com/AEEE9884-9E13-41E7-A25F-304C44407A78/oauth2/authorize?client_id=787EBDED-B77E-4CFC-BAA0-2D2B00C41B4F&redirect_uri=https%3A%2F%2Flocalhost%3A44338%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=637236642882492420.OGM1ZjUwYmQtNDhlNy00MjBhLTgwOGQtNjJiMmI3MDhmYWU1ODQwNzMyYmItZWZhMy00MjU4LWFlOTUtNWYxMDNhNDVlZTZj&state=CfDJ8DR5ohJGZplEj7fE6niEf5TIKMEHyRD-oDyJtjJbZcP6NIYNFr0sxKhd_tM0GOUeD0V-3YOM-0ZN0IQAgzVxqmVT-gd3huPfKtjoeUwE3XeBqh90cmNRV1GA272tumVVvtus4mvzfvFV86lXKgZNAj5L45PtvUbFqaNSxOedOxqA5Z-iryRClLHJGEgzRPTKaVFPKGP9HIao84jWLj2I1Vt_D4LW_upKDHMe9pKyz44sOtKqk5QZBBi-L5vUTwWlvmCneQAf_-HK9FDmh7jxfFN1ivv1y4vizTCjbPhYmKu9Asg0y161fHJUGjXFXjizyM5d--AaIpOjYVoOkhUs7uQP65_tGIDvLuaHoQitGEECRbZ323FzDy4BJGedvN2Lig&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0; and Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8DR5ohJGZplEj7fE6niEf5QkFlfME3SuURGltzRK9258MMeLcTGJ4L9xT4IsOorGHJP6h6QnzMomF3KcTPNXm8W9sucd8y0k9-evg9Js7m1sOKX9S2U3PDqU3-vDyN_gTvY2wzWhrX5vV2m7RuHP8Gg3pP4Rei8XWYz_kHT0qKLw6CP4C--YUzRA0_EIrySyz7L78WS4L-jJG3yy6m2Qg8v0aUt08VfTZXnD80T77zn6xTy2IvALDXCwWZEuyfva3XafcS1vpd-UkwWiLKoyWWU=N; expires=Tue, 28 Apr 2020 10:06:28 GMT; path=/signin-oidc; secure; samesite=none; httponly,.AspNetCore.Correlation.AzureADOpenID.gSC-tfIIol9Bk8uJuoIMlrNGq4mmXHPXYc1-5p2xhoE=N; expires=Tue, 28 Apr 2020 10:06:28 GMT; path=/signin-oidc; secure; samesite=none; httponly.
[11:51:28 INF] AuthenticationScheme: AzureADOpenID was challenged.
[11:51:28 INF] Executed action Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation) in 606.8715ms
[11:51:28 INF] Executed endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[11:51:28 INF] HTTP POST /Account/ExternalLogin?returnurl=%2F responded 302 in 644.2759 ms
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
[11:51:28 INF] Request finished in 652.3097ms 302 
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
Anforderung gestartet: "POST" https://localhost:44338/signin-oidc
[11:51:28 INF] Request starting HTTP/2.0 POST https://localhost:44338/signin-oidc application/x-www-form-urlencoded 1907
[11:51:28 DBG] POST requests are not supported
[11:51:28 DBG] No candidates found for the request path '/signin-oidc'
[11:51:28 DBG] Request did not match any endpoints
[11:51:28 DBG] Updating configuration
[11:51:28 DBG] Received 'id_token'
[11:51:28 INF] AuthenticationScheme: Identity.External signed in.
[11:51:28 INF] HTTP POST /signin-oidc responded 302 in 208.8467 ms
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
[11:51:28 INF] Request finished in 212.6102ms 302 
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
Anforderung gestartet: "GET" https://localhost:44338/Account/ExternalLoginCallback?ReturnUrl=%2F
[11:51:28 INF] Request starting HTTP/2.0 GET https://localhost:44338/Account/ExternalLoginCallback?ReturnUrl=%2F  
[11:51:28 DBG] The request path /Account/ExternalLoginCallback does not match a supported file type
[11:51:28 DBG] 1 candidate(s) found for the request path '/Account/ExternalLoginCallback'
[11:51:28 DBG] Endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/Account/ExternalLoginCallback'
[11:51:28 DBG] Request matched endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)'
[11:51:28 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[11:51:28 INF] Executing endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)'
[11:51:28 INF] Route matched with {action = "ExternalLoginCallback", controller = "Account", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] ExternalLoginCallback(System.String, System.String) on controller Monitoring.Controllers.AccountController (ToSec.Presentation).
[11:51:28 DBG] Execution plan of authorization filters (in the following order): ["Microsoft.AspNetCore.Mvc.RequireHttpsAttribute (Order: -2147483598)"]
[11:51:28 DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:51:28 DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)", "Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)", "ToSec.Presentation.Filters.GlobalActionFilter"]
[11:51:28 DBG] Execution plan of exception filters (in the following order): ["None"]
[11:51:28 DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:51:28 DBG] Executing controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:51:28 DBG] Executed controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:51:28 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' ...
[11:51:28 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' using the name 'returnUrl' in request data ...
[11:51:28 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:51:28 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:51:28 DBG] Attempting to validate the bound parameter 'returnUrl' of type 'System.String' ...
[11:51:28 DBG] Done attempting to validate the bound parameter 'returnUrl' of type 'System.String'.
[11:51:28 DBG] Attempting to bind parameter 'remoteError' of type 'System.String' ...
[11:51:28 DBG] Could not find a value in the request with name '' for binding parameter 'remoteError' of type 'System.String'.
[11:51:28 DBG] Done attempting to bind parameter 'remoteError' of type 'System.String'.
[11:51:28 DBG] Done attempting to bind parameter 'remoteError' of type 'System.String'.
[11:51:28 DBG] Attempting to validate the bound parameter 'remoteError' of type 'System.String' ...
[11:51:28 DBG] Done attempting to validate the bound parameter 'remoteError' of type 'System.String'.
[11:51:28 DBG] AuthenticationScheme: Identity.External was successfully authenticated.

Login with the "new" code leads to the following log entries:

Anforderung gestartet: "POST" https://localhost:44338/Account/ExternalLogin?returnurl=%2F
[11:57:48 INF] Request starting HTTP/2.0 POST https://localhost:44338/Account/ExternalLogin?returnurl=%2F application/x-www-form-urlencoded 205
[11:57:48 DBG] POST requests are not supported
[11:57:48 DBG] 1 candidate(s) found for the request path '/Account/ExternalLogin'
[11:57:48 DBG] Endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/Account/ExternalLogin'
[11:57:48 DBG] Request matched endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[11:57:48 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[11:57:48 INF] Executing endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[11:57:48 INF] Route matched with {action = "ExternalLogin", controller = "Account"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult ExternalLogin(System.String, System.String) on controller Monitoring.Controllers.AccountController (ToSec.Presentation).
[11:57:48 DBG] Execution plan of authorization filters (in the following order): ["Microsoft.AspNetCore.Mvc.RequireHttpsAttribute (Order: -2147483598)", "Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter"]
[11:57:48 DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:57:48 DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)", "Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)", "ToSec.Presentation.Filters.GlobalActionFilter"]
[11:57:48 DBG] Execution plan of exception filters (in the following order): ["None"]
[11:57:48 DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:57:48 DBG] Antiforgery successfully validated a request.
[11:57:48 DBG] Executing controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:57:48 DBG] Executed controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:57:48 DBG] Attempting to bind parameter 'provider' of type 'System.String' ...
[11:57:48 DBG] Attempting to bind parameter 'provider' of type 'System.String' using the name 'provider' in request data ...
[11:57:48 DBG] Done attempting to bind parameter 'provider' of type 'System.String'.
[11:57:48 DBG] Done attempting to bind parameter 'provider' of type 'System.String'.
[11:57:48 DBG] Attempting to validate the bound parameter 'provider' of type 'System.String' ...
[11:57:48 DBG] Done attempting to validate the bound parameter 'provider' of type 'System.String'.
[11:57:48 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' ...
[11:57:48 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' using the name 'returnUrl' in request data ...
[11:57:48 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:57:48 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:57:48 DBG] Attempting to validate the bound parameter 'returnUrl' of type 'System.String' ...
[11:57:48 DBG] Done attempting to validate the bound parameter 'returnUrl' of type 'System.String'.
[11:57:48 DBG] Found the endpoints ["Route: {controller=Home}/{action=Index}/{id?}"] for address Microsoft.AspNetCore.Routing.RouteValuesAddress
[11:57:48 DBG] Successfully processed template {controller=Home}/{action=Index}/{id?} for Route: {controller=Home}/{action=Index}/{id?} resulting in /Account/ExternalLoginCallback and ?ReturnUrl=%2F
[11:57:48 DBG] Link generation succeeded for endpoints ["Route: {controller=Home}/{action=Index}/{id?}"] with result /Account/ExternalLoginCallback?ReturnUrl=%2F
[11:57:48 INF] Executing ChallengeResult with authentication schemes (["OpenIdConnect"]).
[11:57:48 DBG] 1. Begin OnRedirectToIdentityProviderAsync
[11:57:48 DBG]    Sending OpenIdConnect message:
[11:57:48 DBG]    - ClientId=787EBDED-B77E-4CFC-BAA0-2D2B00C41B4F
[11:57:48 DBG]    - EnableTelemetryParameters=True
[11:57:48 DBG]    - EnableTelemetryParametersByDefault=True
[11:57:48 DBG]    - Nonce=637236646687340282.ZDU4MTE0YzQtODlhNC00YzVkLWJlYzMtZGQ2ZTU2NGRkMmRiZDIwYjFiMzEtODUyZS00YmYwLWIzM2EtMGE4OGQ5N2Y0OTNh
[11:57:48 DBG]    - RedirectUri=https://localhost:44338/signin-oidc
[11:57:48 DBG]    - RequestType=Authentication
[11:57:48 DBG]    - ResponseMode=form_post
[11:57:48 DBG]    - ResponseType=id_token
[11:57:48 DBG]    - Scope=openid profile
[11:57:48 DBG]    - SkuTelemetryValue=ID_NETSTANDARD2_0
[11:57:48 DBG]    - IssuerAddress=https://login.microsoftonline.com/dc242542-da90-4334-90e6-9271f2d1f21e/oauth2/v2.0/authorize
[11:57:48 DBG]    - Parameters=System.Collections.Generic.Dictionary`2[System.String,System.String]
[11:57:48 DBG]    - PostTitle=Working...
[11:57:48 DBG]    - Script=<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
[11:57:48 DBG]    - ScriptButtonText=Submit
[11:57:48 DBG]    - ScriptDisabledText=Script is disabled. Click Submit to continue.
[11:57:48 DBG] 1. End - OnRedirectToIdentityProviderAsync
[11:57:48 DBG] HandleChallenge with Location: https://login.microsoftonline.com/AEEE9884-9E13-41E7-A25F-304C44407A78/oauth2/v2.0/authorize?client_id=787EBDED-B77E-4CFC-BAA0-2D2B00C41B4F&redirect_uri=https%3A%2F%2Flocalhost%3A44338%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=637236646687340282.ZDU4MTE0YzQtODlhNC00YzVkLWJlYzMtZGQ2ZTU2NGRkMmRiZDIwYjFiMzEtODUyZS00YmYwLWIzM2EtMGE4OGQ5N2Y0OTNh&state=CfDJ8DR5ohJGZplEj7fE6niEf5S2C6OCw-M1evKq_337mbU9PBMC1Ht9Ao5xNoce0d62cIlPvoFb5E8LLiArmXC2jAjpaFrHOMRML7oLaE3M6AMteYt-sYTnmlG7kcwkZgT7QM4bO4-c4L8K5KmJTmN_lpYs19Qif1keXM7jPiht7YBy-FClqm2cSrrNzDeXCjPVN7DiVDUoygQ3phlCapglxCphIcEn-HkVYQseLWDCwfdj51vl3NMze9YGWojBYMTxtNndY_b_pH0aVO76IkvR6Rf8kh6HlkX6w8OkXl8qB0DGexNh5YXR5pb98GtnstasV8WCm-MyKrXZFbSMX3A72f-I0FIneeiQikZ1VP4Se8L0gWNVPL9jLa4xZxDXBOCrQCHlUkEuC_QO5KIKj9AzlpQ&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0; and Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8DR5ohJGZplEj7fE6niEf5RrLor66Y_-5OrVyG5Fq9emKvC2nf1AkED8NOjrnxZfpifC8JdUw7Khup8ep05a65GSwXaT7O3g6dPlam_ZsIQGb2Mr4-Mnh7AnQWS9vTnG9Oj1GUF449ZUqDroEPnQOiqeRveQzswfADYBAhbjexOcJ9WqcsNcc3MF5PCt8GnvQdDdrbaCQz5Sqg0xZ-03ATi9TBgs3z5YVEVieUlFpllaRFYzENxFJreVjdGaAo8Zo4WkVCu6qz9qR7wZEMzcpgY=N; expires=Tue, 28 Apr 2020 10:12:48 GMT; path=/signin-oidc; secure; samesite=none; httponly,.AspNetCore.Correlation.OpenIdConnect.9TUfulEgkJ30nsYk-XwNP-w_Kt4xSe5IkpoLvBosM18=N; expires=Tue, 28 Apr 2020 10:12:48 GMT; path=/signin-oidc; secure; samesite=none; httponly.
[11:57:48 INF] AuthenticationScheme: OpenIdConnect was challenged.
[11:57:48 INF] Executed action Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation) in 11.6731ms
[11:57:48 INF] Executed endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[11:57:48 INF] HTTP POST /Account/ExternalLogin?returnurl=%2F responded 302 in 15.9658 ms
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
[11:57:48 INF] Request finished in 18.7003ms 302 
[11:57:48 DBG] Connection ID "17654110545197924495" disconnecting.
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
Anforderung gestartet: "POST" https://localhost:44338/signin-oidc
[11:57:49 INF] Request starting HTTP/2.0 POST https://localhost:44338/signin-oidc application/x-www-form-urlencoded 1774
[11:57:49 DBG] POST requests are not supported
[11:57:49 DBG] No candidates found for the request path '/signin-oidc'
[11:57:49 DBG] Request did not match any endpoints
[11:57:49 DBG] 2. Begin OnMessageReceivedAsync
[11:57:49 DBG]    Received from STS the OpenIdConnect message:
[11:57:49 DBG]    - EnableTelemetryParameters=True
[11:57:49 DBG]    - EnableTelemetryParametersByDefault=True
[11:57:49 DBG]    - IdToken=Id-Token is set but I removed it from log entry
[11:57:49 DBG]    - RequestType=Authentication
[11:57:49 DBG]    - SessionState=16d0f1fd-df4c-4af7-984c-78de75ac8849
[11:57:49 DBG]    - SkuTelemetryValue=ID_NETSTANDARD2_0
[11:57:49 DBG]    - IssuerAddress=
[11:57:49 DBG]    - Parameters=System.Collections.Generic.Dictionary`2[System.String,System.String]
[11:57:49 DBG]    - PostTitle=Working...
[11:57:49 DBG]    - Script=<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
[11:57:49 DBG]    - ScriptButtonText=Submit
[11:57:49 DBG]    - ScriptDisabledText=Script is disabled. Click Submit to continue.
[11:57:49 DBG] 2. End - OnMessageReceivedAsync
[11:57:49 DBG] Updating configuration
[11:57:49 DBG] Received 'id_token'
[11:57:49 DBG] 3. Begin OnTokenValidatedAsync
[11:57:49 DBG] 3. End - OnTokenValidatedAsync
[11:57:49 INF] AuthenticationScheme: Cookies signed in.
[11:57:49 INF] HTTP POST /signin-oidc responded 302 in 11.9594 ms
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
[11:57:49 INF] Request finished in 13.988ms 302 
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
Anforderung gestartet: "GET" https://localhost:44338/Account/ExternalLoginCallback?ReturnUrl=%2F
[11:57:49 INF] Request starting HTTP/2.0 GET https://localhost:44338/Account/ExternalLoginCallback?ReturnUrl=%2F  
[11:57:49 DBG] The request path /Account/ExternalLoginCallback does not match a supported file type
[11:57:49 DBG] 1 candidate(s) found for the request path '/Account/ExternalLoginCallback'
[11:57:49 DBG] Endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/Account/ExternalLoginCallback'
[11:57:49 DBG] Request matched endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)'
[11:57:49 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[11:57:49 INF] Executing endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)'
[11:57:49 INF] Route matched with {action = "ExternalLoginCallback", controller = "Account"}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] ExternalLoginCallback(System.String, System.String) on controller Monitoring.Controllers.AccountController (ToSec.Presentation).
[11:57:49 DBG] Execution plan of authorization filters (in the following order): ["Microsoft.AspNetCore.Mvc.RequireHttpsAttribute (Order: -2147483598)"]
[11:57:49 DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:57:49 DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)", "Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)", "ToSec.Presentation.Filters.GlobalActionFilter"]
[11:57:49 DBG] Execution plan of exception filters (in the following order): ["None"]
[11:57:49 DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[11:57:49 DBG] Executing controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:57:49 DBG] Executed controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[11:57:49 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' ...
[11:57:49 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' using the name 'returnUrl' in request data ...
[11:57:49 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:57:49 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[11:57:49 DBG] Attempting to validate the bound parameter 'returnUrl' of type 'System.String' ...
[11:57:49 DBG] Done attempting to validate the bound parameter 'returnUrl' of type 'System.String'.
[11:57:49 DBG] Attempting to bind parameter 'remoteError' of type 'System.String' ...
[11:57:49 DBG] Could not find a value in the request with name '' for binding parameter 'remoteError' of type 'System.String'.
[11:57:49 DBG] Done attempting to bind parameter 'remoteError' of type 'System.String'.
[11:57:49 DBG] Done attempting to bind parameter 'remoteError' of type 'System.String'.
[11:57:49 DBG] Attempting to validate the bound parameter 'remoteError' of type 'System.String' ...
[11:57:49 DBG] Done attempting to validate the bound parameter 'remoteError' of type 'System.String'.
[11:57:49 DBG] AuthenticationScheme: Identity.External was not authenticated.
enhancement fixed

Most helpful comment

Thanks!
I found that this works works well:
services.AddAuthentication() .AddMicrosoftIdentityWebApp(Configuration,"AzureAd", "AzureAD", cookieScheme: null);

With the "AzureAD" it will look for the existing entry in "AspNetUserLogins" table, without it you may get some issues as it will try to register the user and then give an error saying that the email already exist.

All 24 comments

@ManuelHaas

AddSignIn has several parameters that you might want to change in that case (in particular the scheme name). When you were using .AddAzureAd, the scheme name was AzureAD, now it's "OpenIdConnect", and I suspect that it conflicts with Identity.

Do you want to change the scheme name? (for instance use "AzureAd")

services.AddSignIn(Configuration, "AzureAd", "SomeOtherSchemeName")

@jmprieur Thank you for your reply. Unfortunately this did not bring success: I tried both:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
   .AddSignIn(Configuration, "AzureAd", openIdConnectScheme:AzureADDefaults.AuthenticationScheme, subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true);

and

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
   .AddSignIn(Configuration, "AzureAd", openIdConnectScheme:AzureADDefaults.AuthenticationScheme, subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true);

Both leads to the result:

Anforderung gestartet: "POST" https://localhost:44338/Account/ExternalLogin?returnurl=%2F
[13:33:49 INF] Request starting HTTP/2.0 POST https://localhost:44338/Account/ExternalLogin?returnurl=%2F application/x-www-form-urlencoded 199
[13:33:49 DBG] POST requests are not supported
[13:33:49 DBG] 1 candidate(s) found for the request path '/Account/ExternalLogin'
[13:33:49 DBG] Endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/Account/ExternalLogin'
[13:33:49 DBG] Request matched endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[13:33:49 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[13:33:49 INF] Executing endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[13:33:49 INF] Route matched with {action = "ExternalLogin", controller = "Account"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult ExternalLogin(System.String, System.String) on controller Monitoring.Controllers.AccountController (ToSec.Presentation).
[13:33:49 DBG] Execution plan of authorization filters (in the following order): ["Microsoft.AspNetCore.Mvc.RequireHttpsAttribute (Order: -2147483598)", "Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter"]
[13:33:49 DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[13:33:49 DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)", "Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)", "ToSec.Presentation.Filters.GlobalActionFilter"]
[13:33:49 DBG] Execution plan of exception filters (in the following order): ["None"]
[13:33:49 DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[13:33:49 DBG] Antiforgery successfully validated a request.
[13:33:49 DBG] Executing controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[13:33:49 DBG] Executed controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[13:33:49 DBG] Attempting to bind parameter 'provider' of type 'System.String' ...
[13:33:49 DBG] Attempting to bind parameter 'provider' of type 'System.String' using the name 'provider' in request data ...
[13:33:49 DBG] Done attempting to bind parameter 'provider' of type 'System.String'.
[13:33:49 DBG] Done attempting to bind parameter 'provider' of type 'System.String'.
[13:33:49 DBG] Attempting to validate the bound parameter 'provider' of type 'System.String' ...
[13:33:49 DBG] Done attempting to validate the bound parameter 'provider' of type 'System.String'.
[13:33:49 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' ...
[13:33:49 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' using the name 'returnUrl' in request data ...
[13:33:49 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[13:33:49 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[13:33:49 DBG] Attempting to validate the bound parameter 'returnUrl' of type 'System.String' ...
[13:33:49 DBG] Done attempting to validate the bound parameter 'returnUrl' of type 'System.String'.
[13:33:49 DBG] Found the endpoints ["Route: {controller=Home}/{action=Index}/{id?}"] for address Microsoft.AspNetCore.Routing.RouteValuesAddress
[13:33:49 DBG] Successfully processed template {controller=Home}/{action=Index}/{id?} for Route: {controller=Home}/{action=Index}/{id?} resulting in /Account/ExternalLoginCallback and ?ReturnUrl=%2F
[13:33:49 DBG] Link generation succeeded for endpoints ["Route: {controller=Home}/{action=Index}/{id?}"] with result /Account/ExternalLoginCallback?ReturnUrl=%2F
[13:33:49 INF] Executing ChallengeResult with authentication schemes (["AzureAD"]).
[13:33:50 DBG] 1. Begin OnRedirectToIdentityProviderAsync
[13:33:50 DBG]    Sending OpenIdConnect message:
[13:33:50 DBG]    - ClientId=787EBDED-B77E-4CFC-BAA0-2D2B00C41B4F
[13:33:50 DBG]    - EnableTelemetryParameters=True
[13:33:50 DBG]    - EnableTelemetryParametersByDefault=True
[13:33:50 DBG]    - Nonce=637236704303735868.N2VhNTM4N2ItZTg1Yi00MTAxLWJkYWItYTdhODI4MzQ4Yzc2ZDRlYzNlOWYtMDU4ZS00ODlmLTg1ZjMtOTVlMjI5NGNlNGM2
[13:33:50 DBG]    - RedirectUri=https://localhost:44338/signin-oidc
[13:33:50 DBG]    - RequestType=Authentication
[13:33:50 DBG]    - ResponseMode=form_post
[13:33:50 DBG]    - ResponseType=id_token
[13:33:50 DBG]    - Scope=openid profile
[13:33:50 DBG]    - SkuTelemetryValue=ID_NETSTANDARD2_0
[13:33:50 DBG]    - IssuerAddress=https://login.microsoftonline.com/AEEE9884-9E13-41E7-A25F-304C44407A78/oauth2/v2.0/authorize
[13:33:50 DBG]    - Parameters=System.Collections.Generic.Dictionary`2[System.String,System.String]
[13:33:50 DBG]    - PostTitle=Working...
[13:33:50 DBG]    - Script=<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
[13:33:50 DBG]    - ScriptButtonText=Submit
[13:33:50 DBG]    - ScriptDisabledText=Script is disabled. Click Submit to continue.
[13:33:50 DBG] 1. End - OnRedirectToIdentityProviderAsync
[13:33:50 DBG] HandleChallenge with Location: https://login.microsoftonline.com/AEEE9884-9E13-41E7-A25F-304C44407A78/oauth2/v2.0/authorize?client_id=787EBDED-B77E-4CFC-BAA0-2D2B00C41B4F&redirect_uri=https%3A%2F%2Flocalhost%3A44338%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=637236704303735868.N2VhNTM4N2ItZTg1Yi00MTAxLWJkYWItYTdhODI4MzQ4Yzc2ZDRlYzNlOWYtMDU4ZS00ODlmLTg1ZjMtOTVlMjI5NGNlNGM2&state=CfDJ8DR5ohJGZplEj7fE6niEf5T33Qa9-xXbAzp8UvvLqBuJDpc6b7GH4hPwFLOU5-Xrog2CaHObyf0rHIZGJX2pt5z_hTkQP4B2785L9E_pfE6-VCTwMAVrYIatGsa1xghYvZ47RTw2nsVxGTx4aup8yxfzrj5gqtYGFdE5E-60a1BtfmAhG0aFVX-kALK8_j70MuPcNds2tCMD8Tbzz_ayye8yr16c-GrgU_Rkdr62Q0gD0-P5HG1Af23PJxqkkXWZcDYxCJoCb_cJewZiYeJIEnf2HJXzIQ_sSvGrNNqKCmyN1gbMF6ykYTXxCG7fYCh7xAPU2iy9UlzXC9oDwj5PhHbF1h5RxKc6vQfA48fuYxcm1BUl6x2j_kEgidiJn4zLzw&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0; and Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8DR5ohJGZplEj7fE6niEf5SRdM_rvIbxR60K_od-ei7L-7n7dKs4dhMdFwpIrSIz9gyL3VXfPWSVGPN0ZrWsxMVLLlmGz4NRFm5-jwozWrxd7YNg31yFxda-Dnk19BjUURTia2miKE11wmEILDpbgK0HhHUJnX5pZndbdvg-nlmWydM-hUsY0fOqXhrIJnDjHjOjM_vfiIcVMGsZrBM3AvHNrY8C9PBGIohESvGiWSnO6ma6RilFXG_sOSBaKC8ap1DQoOLZE3OsEBsWRsVbfFk=N; expires=Tue, 28 Apr 2020 11:48:50 GMT; path=/signin-oidc; secure; samesite=none; httponly,.AspNetCore.Correlation.AzureAD.83ydwVuVUeWGsZ8jA_ZK0F7qLT4kSAn9rcbb4heCFEA=N; expires=Tue, 28 Apr 2020 11:48:50 GMT; path=/signin-oidc; secure; samesite=none; httponly.
[13:33:50 INF] AuthenticationScheme: AzureAD was challenged.
[13:33:50 INF] Executed action Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation) in 483.5427ms
[13:33:50 INF] Executed endpoint 'Monitoring.Controllers.AccountController.ExternalLogin (ToSec.Presentation)'
[13:33:50 INF] HTTP POST /Account/ExternalLogin?returnurl=%2F responded 302 in 513.8096 ms
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
[13:33:50 INF] Request finished in 518.2719ms 302 
Response sent: https://localhost:44338/Account/ExternalLogin?returnurl=%2F with HTTP status 302.0
Anforderung gestartet: "POST" https://localhost:44338/signin-oidc
[13:33:51 INF] Request starting HTTP/2.0 POST https://localhost:44338/signin-oidc application/x-www-form-urlencoded 1753
[13:33:51 DBG] POST requests are not supported
[13:33:51 DBG] No candidates found for the request path '/signin-oidc'
[13:33:51 DBG] Request did not match any endpoints
[13:33:51 DBG] 2. Begin OnMessageReceivedAsync
[13:33:51 DBG]    Received from STS the OpenIdConnect message:
[13:33:51 DBG]    - EnableTelemetryParameters=True
[13:33:51 DBG]    - EnableTelemetryParametersByDefault=True
[13:33:51 DBG]    - IdToken=Id-Token is set but I removed it from log entry
[13:33:51 DBG]    - RequestType=Authentication
[13:33:51 DBG]    - SessionState=16d0f1fd-df4c-4af7-984c-78de75ac8849
[13:33:51 DBG]    - SkuTelemetryValue=ID_NETSTANDARD2_0
[13:33:51 DBG]    - IssuerAddress=
[13:33:51 DBG]    - Parameters=System.Collections.Generic.Dictionary`2[System.String,System.String]
[13:33:51 DBG]    - PostTitle=Working...
[13:33:51 DBG]    - Script=<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
[13:33:51 DBG]    - ScriptButtonText=Submit
[13:33:51 DBG]    - ScriptDisabledText=Script is disabled. Click Submit to continue.
[13:33:51 DBG] 2. End - OnMessageReceivedAsync
[13:33:51 DBG] Updating configuration
[13:33:51 DBG] Received 'id_token'
[13:33:51 DBG] 3. Begin OnTokenValidatedAsync
[13:33:51 DBG] 3. End - OnTokenValidatedAsync
[13:33:51 INF] AuthenticationScheme: Cookies signed in.
[13:33:51 INF] HTTP POST /signin-oidc responded 302 in 192.6680 ms
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
[13:33:51 INF] Request finished in 196.6965ms 302 
Response sent: https://localhost:44338/signin-oidc with HTTP status 302.0
Anforderung gestartet: "GET" https://localhost:44338/Account/ExternalLoginCallback?ReturnUrl=%2F
[13:33:51 INF] Request starting HTTP/2.0 GET https://localhost:44338/Account/ExternalLoginCallback?ReturnUrl=%2F  
[13:33:51 DBG] The request path /Account/ExternalLoginCallback does not match a supported file type
[13:33:51 DBG] 1 candidate(s) found for the request path '/Account/ExternalLoginCallback'
[13:33:51 DBG] Endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)' with route pattern '{controller=Home}/{action=Index}/{id?}' is valid for the request path '/Account/ExternalLoginCallback'
[13:33:51 DBG] Request matched endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)'
[13:33:51 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[13:33:51 INF] Executing endpoint 'Monitoring.Controllers.AccountController.ExternalLoginCallback (ToSec.Presentation)'
[13:33:51 INF] Route matched with {action = "ExternalLoginCallback", controller = "Account"}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] ExternalLoginCallback(System.String, System.String) on controller Monitoring.Controllers.AccountController (ToSec.Presentation).
[13:33:51 DBG] Execution plan of authorization filters (in the following order): ["Microsoft.AspNetCore.Mvc.RequireHttpsAttribute (Order: -2147483598)"]
[13:33:51 DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[13:33:51 DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)", "Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)", "ToSec.Presentation.Filters.GlobalActionFilter"]
[13:33:51 DBG] Execution plan of exception filters (in the following order): ["None"]
[13:33:51 DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
[13:33:51 DBG] Executing controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[13:33:51 DBG] Executed controller factory for controller Monitoring.Controllers.AccountController (ToSec.Presentation)
[13:33:51 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' ...
[13:33:51 DBG] Attempting to bind parameter 'returnUrl' of type 'System.String' using the name 'returnUrl' in request data ...
[13:33:51 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[13:33:51 DBG] Done attempting to bind parameter 'returnUrl' of type 'System.String'.
[13:33:51 DBG] Attempting to validate the bound parameter 'returnUrl' of type 'System.String' ...
[13:33:51 DBG] Done attempting to validate the bound parameter 'returnUrl' of type 'System.String'.
[13:33:51 DBG] Attempting to bind parameter 'remoteError' of type 'System.String' ...
[13:33:51 DBG] Could not find a value in the request with name '' for binding parameter 'remoteError' of type 'System.String'.
[13:33:51 DBG] Done attempting to bind parameter 'remoteError' of type 'System.String'.
[13:33:51 DBG] Done attempting to bind parameter 'remoteError' of type 'System.String'.
[13:33:51 DBG] Attempting to validate the bound parameter 'remoteError' of type 'System.String' ...
[13:33:51 DBG] Done attempting to validate the bound parameter 'remoteError' of type 'System.String'.
[13:33:51 DBG] AuthenticationScheme: Identity.External was not authenticated.

I created a WebApplication sample App for you to reproduce the bug. (Create new project -> ASP.NET Core Web Applikation -> Web Applikation (Model-View-Controller). Authentication: Individual User Accounts (Store user accounts in-app).

In this I only added two things:

  1. The AzureAd config section in appsettings.json.
  2. In Startup.cs I added the two ways to sign-in with Azure:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));
//services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
//    .AddSignIn(Configuration, "AzureAd", openIdConnectScheme: AzureADDefaults.AuthenticationScheme);

Try the "traditional" one first. That works. (Don't forget to click on the Migrate database button)
Then comment the traditional way out and try your code. This does not work.

What struck me immediately is that the button for the login with the traditional code is labeled "Azure Active Directory". With your code it is labeled "OpenIdConnect". This although I set the schema to AzureADDefaults.AuthenticationScheme.

The provided sample:
AzureAd_Test_WebApplication.zip

@ManuelHaas thanks for your sample
This is a scenario we are not supporting yet, but we'll add it to the backlog.

@jmprieur This is a pity, the library is then unfortunately useless for me and not only for me I think.
Please add a note to the docs for other users.

@ManuelHaas :
Thanks very much for this heads-up.
We understand your frustration and we'll make Microsoft.Identity.Web work in this scenario before it's used in the default ASP.NET Core templates. Meanwhile, you can still use .AddAzureAD().

Do you want to call downstreams APIs from your web app?

@jmprieur
Yes, that was exactly the reason why I tried to switch to the new library. We have to query AAD user details and therefore Microsoft.Identity.Web outlined a simpler and clearer way than the previously possible.

This makes sense @ManuelHaas : it's super hard to do without code similar to what is in Microsoft.Identity.Web.

I investigated this morning, and don't understand yet why this does not work. but I'll work with the ASP.NET Core team on this.

BTW thanks for raising an issue on the docs.ms page

@jmprieur Thanks for going to ASP.NET Core team with it!

btw. we stumbled upon that aswell, since we wanted to create meetings when logged in via AzureAD.

Hi,
@jmprieur is my understanding correct, that using the built in ASP.NET Identity I will not be able to register and store my users in my database when I use MSAL for authentication?
Sorry for the dumb question, but I also can sign in users, although get: signInManager.GetExternalLoginInfoAsync()=null and in the tutorials there is no scenario to store the users already signed in.

@pmaytak could you take a look at this when you have time (after your current task is done)? thanks.

@schmitch @ManuelHaas @messerke is this still reproducible with the current version (1.2.0)?

Hello, I have a setup where I store identities in the app and use my organizations azure ad to create and log users in. I just recently upgraded to Core 5 and now I am getting an obsolete warning on the current code. services.AddAuthentication(AzureADDefaults.AuthenticationScheme) .AddAzureAD(options => { Configuration.Bind("AzureAd", options); options.CookieSchemeName = IdentityConstants.ExternalScheme; });
So, I tried to replace it with
services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
But with that it no longer works. "GetExternalLoginInfoAsync" seems to return null, and that lead me here.
Should I just keep using the old method and ignore the obsolete message for now or is this supposed to work?
Everything work with the old method; I just don't like the idea of having an expiration date on a crucial part of the app. Not sure when the plug would be pulled on that.

@erik1988 same boat here

@jennyf19 no it still is broken, we sadly still need to use AddAzureAD.

Thanks for the update. we will take a look. @schmitch @erik1988 @khanhvu161188

services.AddMicrosoftIdentityWebAppAuthentication(Configuration); is not granular enough to compose with Identity, you need to go down one layer.

Start with:
services.AddAuthentication().AddMicrosoftIdentityWebApp(...)

Don't set any of the schemes in AddAuthentication, let Identity manage those. AddMicrosoftIdentityWebApp will use the default sign-in scheme which is Identity's external cookie. It should all compose from there.

This is the same pattern used by other external providers:
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins?view=aspnetcore-5.0#configure-facebook-authentication

Sorry, there's a deeper issue here. AddMicrosoftIdentityWebApp adds its own cookie auth provider rather than use the existing one.
https://github.com/AzureAD/microsoft-identity-web/blob/c75ea22dd4cf99ff6fc30c805d3d0cffcbc76879/src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilderExtensions.cs#L238

There will need to be a factored out overload of AddMicrosoftIdentityWebApp that does not add its own cookies.

@schmitch @khanhvu161188 @ManuelHaas @erik1988 do you mind trying this branch, which does offers the possibility of not defining the cookie scheme, if you do something like this:

services.AddAuthentication().AddMicrosoftIdentityWebApp(Configuration, cookieScheme: null);

cc: @jmprieur

@jennyf19 thanks for your PR.

I just tested the scenario and this works fine with your modification when ensuring that the cookieScheme is set to null

dotnet new mvc --auth Individual

Change the ConfigureServices(IServiceCollection services) to add the likes your proposed:

```Shell
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext(options =>
options.UseSqlite(Configuration.GetConnectionString("DefaultConnection")));

services.AddDatabaseDeveloperPageExceptionFilter();

services.AddDefaultIdentity(options => options.SignIn.RequireConfirmedAccount = true)
.AddEntityFrameworkStores();
services.AddControllersWithViews();

services.AddAuthentication()
.AddMicrosoftIdentityWebApp(Configuration, cookieScheme: null);
}
```

And this works! This proposes the OpenIdConnect button, which registers the user.

When the PR is merged, we'd want to document the scenario in the wiki

Included in 1.4 Release.

Thanks!
I found that this works works well:
services.AddAuthentication() .AddMicrosoftIdentityWebApp(Configuration,"AzureAd", "AzureAD", cookieScheme: null);

With the "AzureAD" it will look for the existing entry in "AspNetUserLogins" table, without it you may get some issues as it will try to register the user and then give an error saying that the email already exist.

Hi there, got Login to work now with define cookieScheme: null, but how about Logout method? How you do ? to logout from ad too
EDIT:
Solve Logout from azure too whit this code:

return SignOut(new AuthenticationProperties()
            { RedirectUri = "/Home/Index" },
                   IdentityConstants.ApplicationScheme,
                   OpenIdConnectDefaults.AuthenticationScheme);
Was this page helpful?
0 / 5 - 0 ratings