IsAuthenticated is false when moved to the IIS server with Azure AD .Net Core 2.1
sandillio opened this issue · comments
Works perfectly on my local machine, but when moved to the server it returns false.
My ConfigureServices method looks like this:
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
{
options.MetadataAddress = "MetaDataAddress";
options.Wtrealm = "WtRealm";
options.Wreply = "https://mydomain/AzureADDemo/Home/Status";
options.SaveTokens = true;
}).AddCookie(
options =>
{
options.Cookie.Name = ".AspNet.SharedCookie";
options.LoginPath = "/AzureADDemo/Home/Signin";
options.Cookie.Path = "/AzureADDemo";
options.Cookie.Expiration = TimeSpan.FromMinutes(20);
options.Cookie.SecurePolicy = CookieSecurePolicy.None;
options.Cookie.SameSite = SameSiteMode.None;
});
services.AddMvc();
}
And my Configure method looks like this:
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts();
}
app.UseCors(policy => policy.SetIsOriginAllowed(origin => origin == "https://login.microsoftonline.com"));
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
Thanks for contacting us, @sandillio.
@javiercn, can you please look into this? Thanks!
@Tratcher I believe this is all yours
Can you share a Fiddler trace of the scenario?
Where are you calling IsAuthenticated?
@Tratcher This is how I am signing in:
var redirectUrl = Url.Action(nameof(HomeController.Status), "Home");
return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl }, WsFederationDefaults.AuthenticationScheme);
And then in Status I am checking IsAuthenticated, which is coming back as False.
Please upload the fiddler trace file rather than a screenshot. You can send it to the e-mail in my profile if you don't want it to be public.
I expect your problem is with the Wreply option; that shouldn't point to a page in your app, but to a URL handled directly by the middleware. Use CallbackPath instead of Wreply.
@mkArtakMSFT feel free to transfer this to the Security repo.
Confirmed, your Wreply is wrong. Use CallbackPath instead as described in the doc above.
@Tratcher So I have removed Wreply and added CallbackPath, but now I am getting an error saying the reply URL is not matching.
.AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
{
options.MetadataAddress = "MetaDataAddress";
options.Wtrealm = "WtRealm";
options.CallbackPath = "/Home/Status";
options.SaveTokens = true;
});
CallbackPath should not reference a page in your app, it should be a dedicated endpoint like the default value "/signin-wsfed". The auth middleware will handle requests to this path.
@Tratcher So I have changed my CallbackPath = "/AzureADDemo" and my Reply URLs in AzureAD to "https://mydomain/AzureADDemo", since this is the endpoint referring to Wreply, and I still get the reply URL not matching error. Please correct me where I am going wrong, as I am having difficulty understanding this AAD.
What's the exact error and where do you get it? That doesn't sound like an ASP.NET error, is it coming from AAD?
You're going to need to work that out with AAD. The only advice I can give is that you need to be very careful of the value, AAD has been known to require exact matches, even case sensitive.
Thanks @Tratcher.
Closing this as there is no more action to be taken here from our side.
@Tratcher Sorry for posting late, but I got it working. My solution is: I changed the reply URL in Azure to http://mydomain/yourappname/signin-wsfed and my ConfigureServices method to be as below.
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
}).AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
{
options.MetadataAddress = "MetaDataAddress";
options.Wtrealm = "WtRealm";
options.SaveTokens = true;
}).AddCookie(
options =>
{
options.Cookie.Name = ".AspNet.SharedCookie";
options.LoginPath = "/signin-wsfed";
options.Cookie.Expiration = TimeSpan.FromMinutes(20);
options.Cookie.SecurePolicy = CookieSecurePolicy.None;
options.Cookie.SameSite = SameSiteMode.None;
});
services.AddMvc();
}
Remove options.LoginPath = "/signin-wsfed"; it doesn't belong there. LoginPath won't be used unless someone calls Challenge on Cookies rather than WsFed.
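The shape the thread converges on, written out as an added example (this is not code from the issue author or from the ASP.NET team): CallbackPath left at the middleware's default, no Wreply or LoginPath override, and the cookie settings tightened to match an HTTPS/HSTS deployment. It assumes the app is hosted under an IIS sub-application path such as /AzureADDemo; the metadata address, realm, tenant id and host name are placeholders. The ExpectedReplyUrl helper is also an assumption of this example, added because AAD requires an exact match between the registered reply URL and the wreply value the handler sends, and that value includes the IIS path base.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(options =>
        {
            // Placeholders (assumptions): take these from the AAD app registration.
            options.MetadataAddress =
                "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml";
            options.Wtrealm = "<app-id-uri>";

            // The callback is handled by the WS-Fed handler itself and must not be an
            // MVC action. "/signin-wsfed" is the default; it is set explicitly for clarity.
            options.CallbackPath = "/signin-wsfed";

            // Wreply is deliberately left unset. The handler derives it from the request's
            // scheme, host, path base and CallbackPath, so under IIS it becomes
            // https://mydomain/AzureADDemo/signin-wsfed, and that exact string is what
            // AAD must have registered as a reply URL.

            // Only keep the raw token in the session cookie if something reads it later.
            options.SaveTokens = false;
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = ".AspNet.SharedCookie";
            options.Cookie.HttpOnly = true;
            // The pipeline already redirects to HTTPS and sends HSTS, so the session
            // cookie should never travel over plain HTTP.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Lax is enough: the cookie is issued in the response to the callback POST and
            // only has to be sent on later same-site navigations.
            options.Cookie.SameSite = SameSiteMode.Lax;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            options.SlidingExpiration = true;
            // No LoginPath override: challenges are routed to WS-Fed, not the cookie handler.
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        // Must run before MVC so the handler can service POSTs to the CallbackPath.
        app.UseAuthentication();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

    // Hypothetical helper: builds the absolute URL the WS-Fed handler will send as
    // wreply for this request, i.e. the exact value to register in AAD. Logging it
    // once from the deployed server shows the scheme, host and path base the app
    // actually sees behind IIS when a "reply URL does not match" error appears.
    public static string ExpectedReplyUrl(HttpRequest request, PathString callbackPath)
        => UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, callbackPath);
}
```

A typical use of the helper is a one-off diagnostic in a controller action, e.g. logging Startup.ExpectedReplyUrl(Request, "/signin-wsfed") and comparing it character for character with the reply URL in the AAD app registration; the comparison must include the scheme and the IIS application path segment.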