Open Closed

Problems with integration of Entra External ID #7501


User avatar
0
okains created
  • ABP Framework version: v8.2
  • UI Type: Blazor Web App
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Hi,

I am attempting to integrate Entra External ID. This is for an existing Blazor Web App (8.2) tiered project, however I have created a brand new non-tiered project in order to work through the Auth integration. Then I will apply to the existing tiered project.

I have 2 issues, the first and most strange being that as soon as I add the configuration section using Microsoft.Identity.WebApp that allows me to initiate the Entra flow I can not log in using the built in admin credentials.

This is the clean solution, no config for Entra, Admin login working fine:

After adding the config to allow for Entra Login:

I now get the OpenIdConnect button:

However, if I try to log in with the basic admin credentials:

It redirects back , pauses for 2-3 seconds with an ‘ Authorizing’ message, then I get this UI which is not what I would expect after logging in as Admin. No Administration menu, no access to the ‘RockStars’ entity I generated as a test case:

When I click the Logout Button noted above I get back to the Login UI noted above, when I click the OpenIdConnect button I get an invalid OAuth State Error. This is what I get every time I redirect back to <abp>/signin-oidc. Would appreciate it if you could check my config screenshotted above and let me know if there is something missing / wrong that would cause this error:

Main concern is that as soon as I add the external Entra login support I can't seem to log in as normal with the built in admin account. I need to support Entra External ID in all of my future projects so this is critical for my business going forward.

This is a brand new solution that I generated yesterday to debug these issues. I can share this with you on GitHub in order to troubleshoot.

Please let me know if you need any more info.

Thanks,

Karim


15 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please try to change context.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).AddMicrosoftIdentityWebApp(... to context.Services.AddAuthentication().AddMicrosoftIdentityWebApp(...

  • User Avatar
    0
    okains created

    Hi, ok that worked , I can now log in as normal with the admin account. However still getting the OAUTH error on the redirect. Can you take a look at the config settings I provided and let me know if there is anything I am doing wrong that would lead to this error :

    Thanks,

    Karim

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Ensure the CallbackPath is the same as your Client configuration. Check it on your oauth2 website.

  • User Avatar
    0
    okains created

    I think the callback path is OK, you can see here:

    I previously added a personal Microsoft account configuration that worked with this redirect URL, everything worked as expected, I could register a new user and / or login with an existing account:

    So I don't think it is the Callback path in this case, but maybe something else in the config that is causing ABP to throw this error. I know how OpenId config can be tricky, hopefully we can figure out what is the root cause here.

    Thanks,

    Karim

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you test your configuration in a new asp net core app instead of abp template?

    or can you share the configuration? Then I will try to reproduce it locally.

    liming.ma@volosoft.com

  • User Avatar
    0
    okains created

    Hi,

    I have this in a barebones single tiered brand new 8.2 project. We also have a React client that is using the same configuration and it is working OK there, so just our ABP config is wrong.

    The repo is private, at https://github.com/Flo3Digital/Flo3BlazorDevSingle/ , I have granted you write access. Could you take a look there and see if there is anything you can see that is misconfigured?

    Thanks,

    Karimi

  • User Avatar
    0
    okains created

    Just FYI, my end goal here is to completely bypass the ABP Login / Register UI and just use Entra. I have been looking at this support ticket that you were also involved with that seems to have a lot of the problems already solved :

    https://support.abp.io/QA/Questions/5928/How-to-assign-roles-to-Azure-AD-B2C-users

    So I think if we can get through this initial configuration I will follow the steps in the above ticket to get to where I want to go.

    Understanding that this could be a bit of a tricky implementation, maybe I can write up a Community Article once I get through this. I think many commercial users will want to auth with Entra solely, it is a very appealing use case.

    Karim

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I will check your GitHub repos.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share a test user? Thanks

  • User Avatar
    0
    okains created

    Hi, yes you can use this user:

    abpsupport@gmail.com Notu801201

    Or just create an account, everything including the AD Tenant is just for testing / debugging purposes and will be deleted once the problem is resolve.

    Thanks,

    Karim

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please test this commit

    https://github.com/Flo3Digital/Flo3BlazorDevSingle/commit/2df5d2e7546175eb22481cd774d8ac5d8652ae85

    Thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    I will make it compatible with AddMicrosoftAccount in the next version.

  • User Avatar
    0
    okains created

    Hi, yes this seems to be working now, I was able to Auth and the redirect worked and took me to the Register UI on ABP, which is what I would expect:

    Can you summarize the fix / changes so I understand what I was doing wrong?

    Thanks!

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    There is a conflict between WithDynamicOptions and AddMicrosoftIdentityWebApp; I will handle it in the next version.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The problem is the options.CallbackPath = "/signin-oidc";

    You can remove it and try again.

    https://github.com/Flo3Digital/Flo3BlazorDevSingle/commit/fcf6281c3b09d4e58487213e35b5b07635a3aacd

Made with ❤️ on ABP v9.0.0-preview. Updated on October 07, 2024, 08:52