Check the docs before asking a question: https://abp.io/docs/latest Check the samples to see the basic tasks: https://abp.io/docs/latest/samples The exact solution to your question may have been answered before, and please first use the search on the homepage.
I am attempting to implement two Microsoft Entra accounts for single-sign in. I am using two calls to AddMicrosoftAccount
var authBuilder = context.Services.AddAuthentication();
var tenantUrl = configuration["AzureEntraMembers:MicrosoftLoginUrl"];
tenantUrl = tenantUrl.TrimEnd('/');
authBuilder.AddMicrosoftAccount(PSACAuthenticationSchemes.MembersEntra, options =>
{
options.ClientId = configuration["AzureEntraMembers:ClientId"]!;
options.ClientSecret = configuration["AzureEntraMembers:ClientSecret"]!;
options.CallbackPath = "/signin-microsoft";
options.AuthorizationEndpoint = $"{tenantUrl}/oauth2/v2.0/authorize";
options.TokenEndpoint = $"{tenantUrl}/oauth2/v2.0/token";
options.ClaimActions.MapCustomJson("picture", _ => "https://graph.microsoft.com/v1.0/me/photo/$value");;)
options.SaveTokens = true;
});
var staffTenantUrl = configuration["AzureEntraWorkforce:MicrosoftLoginUrl"];
staffTenantUrl = staffTenantUrl.TrimEnd('/');
authBuilder.AddMicrosoftAccount(PSACAuthenticationSchemes.WorkforceEntra, options =>
{
options.ClientId = configuration["AzureEntraWorkforce:ClientId"]!;
options.ClientSecret = configuration["AzureEntraWorkforce:ClientSecret"]!;
options.CallbackPath = "/signin-microsoft-workforce";
<br>
if (!string.IsNullOrEmpty(staffTenantUrl))
{
options.AuthorizationEndpoint = $"{staffTenantUrl}/oauth2/v2.0/authorize";
options.TokenEndpoint = $"{staffTenantUrl}/oauth2/v2.0/token";
}
options.SaveTokens = true;
});
What happens: it works when I test on localhost, but as soon as I deploy on Azure I get a 404 error when calling /signin-microsoft-workflow. The page displays the error: The resource you are looking for has been removed, had its name changed, or is temporarily unavailable. The weird thing is that my other SSO (callback url: /signin-microsoft) works.
I have verified that my App Registration callbacks are properly configured.
Can you provide me possible causes why I get an error only on /signin-microsoft-workforce callback?
1 Answer(s)
-
0
In ABP Blazor WASM applications, external authentication callback endpoints (like
/signin-microsoft-workforce) must be handled by the backend (API host or AuthServer). A 404 error on Azure for/signin-microsoft-workforceusually means the backend is not configured to recognize or route this path.Common causes and solutions:
- Missing Endpoint Mapping: Ensure your backend (not just the WASM app) is running and is configured to handle
/signin-microsoft-workforce. The endpoint must be registered in the backend's authentication middleware. - Azure App Registration: Double-check that the redirect URI for
/signin-microsoft-workforceis registered in the correct Azure App Registration (for the correct tenant/client). - Reverse Proxy/IIS Configuration: If you are using IIS, Azure App Service, or a reverse proxy, make sure requests to
/signin-microsoft-workforceare forwarded to the backend and not intercepted by the frontend (Blazor WASM) static file handler. - Web.config/Rewrite Rules: If hosting both frontend and backend on the same site, ensure your rewrite rules do not route
/signin-microsoft-workforcetoindex.html(the Blazor app), but instead allow it to reach the backend. - CallbackPath Consistency: The
CallbackPathin your backend authentication configuration must exactly match the path registered in Azure and the one being called by the authentication flow.
- Missing Endpoint Mapping: Ensure your backend (not just the WASM app) is running and is configured to handle
How to check/fix:
- In your backend (API host or AuthServer), confirm you have:
.AddMicrosoftAccount("WorkforceEntra", options => { // ... options.CallbackPath = "/signin-microsoft-workforce"; // ... })- If using IIS or Azure App Service, update your
web.configto exclude/signin-microsoft-workforcefrom being routed to the Blazor app. Example:
<rule name="Exclude Auth Callbacks" stopProcessing="true"> <match url="^signin-microsoft-workforce$" /> <action type="None" /> </rule>Make sure the backend is accessible at the deployed URL and not just locally.
Summary: The 404 is almost always due to routing or middleware configuration on the backend or web server, not the ABP or Microsoft Account provider itself. Ensure the backend is set up to handle the callback and that your server/proxy does not intercept or misroute the request.
No verified source available for this specific query.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
