OpenIdConnect redirection issue #8731


SharmaAtul created
  • ABP Framework version: v9.0.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated: yes
  • Exception message and full stack trace: I am going back and forth on the redirect URL after authenticating with Microsoft Azure AD
  • Steps to reproduce the issue: I have added my configuration for OpenIdConnect and after that I am facing that issue. I am also attaching a video for reference. Video: https://jmp.sh/jrphAyUq

These are the logs

2025-01-31 16:46:27.271 +05:30 [INF] Request starting HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - null null
2025-01-31 16:46:27.274 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ResolveRequestUri.
2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ResolveRequestUri.
2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
2025-01-31 16:46:27.287 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ValidateHostHeader.
2025-01-31 16:46:27.287 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+EvaluateValidatedTokens.
2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromAuthorizationHeader.
2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromBodyForm.
2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromQueryString.
2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
2025-01-31 16:46:27.288 +05:30 [DBG] AuthenticationScheme: OpenIddict.Validation.AspNetCore was not authenticated.
2025-01-31 16:46:27.295 +05:30 [INF] Authorization failed. These requirements were not met: PermissionRequirement: AbpIdentity.OrganizationUnits
2025-01-31 16:46:27.296 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.
2025-01-31 16:46:27.300 +05:30 [INF] Request finished HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - 302 null null 29.4896ms


115 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    Can you share your host startup module code?

  • SharmaAtul created

    > hi
    >
    > Can you share your host startup module code?

    From which project? and from which file?

  • maliming created
    Support Team Fullstack Developer

    hi

    The NextGen.Portal.Web module.

    eg: NextGenPortalWebModule.cs

  • SharmaAtul created

    Do you want to check a specific code block?

    Due to the character limitation I cannot paste the whole file's code.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can share it with liming.ma@volosoft.com

  • SharmaAtul created

    > liming.ma@volosoft.com

    OK, I have sent an email to the provided email address.

    Can you please check and confirm?

  • maliming created
    Support Team Fullstack Developer

    hi

    I received it. I will check it asap.

  • SharmaAtul created

    > hi
    >
    > I received it. I will check it asap.

    This feature is very important for us, so please provide a solution so that we can give a demo to our clients.

  • maliming created
    Support Team Fullstack Developer

    ok

  • maliming created
    Support Team Fullstack Developer

    hi

    Can you try to set the SignInScheme of the AddOpenIdConnect to IdentityConstants.ExternalScheme?

    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        // Add authentication using Azure AD
        context.Services.AddAuthentication().AddOpenIdConnect(options =>
        {
            options.ClientId = configuration["Authentication:AzureAd:ClientId"];
            options.ClientSecret = configuration["Authentication:AzureAd:ClientSecret"];
            options.Authority = configuration["Authentication:AzureAd:Authority"];
            options.CallbackPath = configuration["Authentication:AzureAd:CallbackPath"];
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.SaveTokens = true;
            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("email");
            //options.Scope.Add("offline_access");

            // Persist the Azure AD identity in the Identity external cookie
            options.SignInScheme = IdentityConstants.ExternalScheme;

            options.Events = new OpenIdConnectEvents
            {
                // The lambda parameters are named so that they do not shadow the outer "context"
                OnTokenValidated = tokenContext =>
                {
                    // Diagnostic only: writes every claim value (which can include personal data) to the console
                    var claims = tokenContext.Principal.Claims;
                    foreach (var claim in claims)
                    {
                        Console.WriteLine($"{claim.Type}: {claim.Value}");
                    }
                    return Task.CompletedTask;
                },
                OnAuthenticationFailed = failedContext =>
                {
                    Console.WriteLine($"Authentication failed: {failedContext.Exception.Message}");
                    return Task.CompletedTask;
                }
            };
        });

        context.Services.ForwardIdentityAuthenticationForBearer(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
        context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
        {
            options.IsDynamicClaimsEnabled = true;
        });
    }

  • SharmaAtul created

    > hi
    >
    > Can you try to set the SignInScheme of the AddOpenIdConnect to IdentityConstants.ExternalScheme?

    Ok let me check and try.

  • SharmaAtul created

    I am adding logs here after applying the changes. Also, I am trying a user which does not exist in my database. So, as per my understanding, when I am authenticated from Azure AD, the User Registration screen needs to appear to create a user in my local database.

    2025-02-03 14:59:36.788 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.
    2025-02-03 14:59:36.794 +05:30 [INF] Request finished HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - 302 null null 40.0161ms
    2025-02-03 14:59:38.505 +05:30 [INF] Request starting HTTP/2 POST https://localhost:44362/signin-oidc - application/x-www-form-urlencoded 2229
    2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ResolveRequestUri.
    2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ResolveRequestUri.
    2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
    2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
    2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
    2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
    2025-02-03 14:59:38.935 +05:30 [INF] AuthenticationScheme: Identity.External signed in.
    2025-02-03 14:59:38.937 +05:30 [INF] Request finished HTTP/2 POST https://localhost:44362/signin-oidc - 302 null null 432.7245ms
    2025-02-03 14:59:38.971 +05:30 [INF] Request starting HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - null null
    2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ResolveRequestUri.
    2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ResolveRequestUri.
    2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
    2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
    2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
    2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ValidateHostHeader.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+EvaluateValidatedTokens.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromAuthorizationHeader.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromBodyForm.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromQueryString.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
    2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
    2025-02-03 14:59:38.980 +05:30 [DBG] AuthenticationScheme: OpenIddict.Validation.AspNetCore was not authenticated.
    2025-02-03 14:59:38.984 +05:30 [INF] Authorization failed. These requirements were not met: PermissionRequirement: AbpIdentity.OrganizationUnits
    2025-02-03 14:59:38.984 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.
    2025-02-03 14:59:38.986 +05:30 [INF] Request finished HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - 302 null null 14.988ms
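
The redirect loop in the log above can be picked out mechanically. The following Python script is an added example, not part of the thread or of ABP: it groups the authentication events under each finished request and reports any URL that is challenged again after a scheme has signed in. The function names are hypothetical, the sample entries are abridged from the log in the post, and requests are assumed not to be interleaved.

```python
import re

# Each Serilog entry starts with a timestamp; splitting on it also handles
# several entries pasted onto one line.
ENTRY = re.compile(r"(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} )")
EVENT = re.compile(r"AuthenticationScheme: (?P<scheme>\S+) "
                   r"(?P<what>was challenged|signed in|was not authenticated)")
FINISH = re.compile(r"Request finished \S+ (?P<method>[A-Z]+) (?P<url>\S+) - (?P<status>\d{3})")

BASE = "https://localhost:44362"
# Abridged from the log in the post above, joined onto one line on purpose.
SAMPLE = " ".join([
    "2025-02-03 14:59:36.788 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.",
    f"2025-02-03 14:59:36.794 +05:30 [INF] Request finished HTTP/2 GET {BASE}/Identity/OrganizationUnits - 302 null null 40.0161ms",
    f"2025-02-03 14:59:38.505 +05:30 [INF] Request starting HTTP/2 POST {BASE}/signin-oidc - application/x-www-form-urlencoded 2229",
    "2025-02-03 14:59:38.935 +05:30 [INF] AuthenticationScheme: Identity.External signed in.",
    f"2025-02-03 14:59:38.937 +05:30 [INF] Request finished HTTP/2 POST {BASE}/signin-oidc - 302 null null 432.7245ms",
    "2025-02-03 14:59:38.980 +05:30 [DBG] AuthenticationScheme: OpenIddict.Validation.AspNetCore was not authenticated.",
    "2025-02-03 14:59:38.984 +05:30 [INF] Authorization failed. These requirements were not met: PermissionRequirement: AbpIdentity.OrganizationUnits",
    "2025-02-03 14:59:38.984 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.",
    f"2025-02-03 14:59:38.986 +05:30 [INF] Request finished HTTP/2 GET {BASE}/Identity/OrganizationUnits - 302 null null 14.988ms",
])

def parse_requests(log_text):
    """One dict per finished request, carrying the auth events logged before it.
    Assumption: requests are not interleaved (single browser session)."""
    requests, pending = [], []
    for entry in ENTRY.split(log_text):
        if (ev := EVENT.search(entry)):
            pending.append((ev["scheme"], ev["what"]))
        elif (fin := FINISH.search(entry)):
            requests.append({"method": fin["method"], "url": fin["url"],
                             "status": int(fin["status"]), "events": pending})
            pending = []
    return requests

def find_challenge_loops(requests):
    """Return (url, signed_in_scheme, challenge_scheme) for every URL that is
    challenged, followed by a sign-in, and then challenged again."""
    awaiting, signed, loops = set(), {}, []
    for req in requests:
        for scheme, what in req["events"]:
            if what == "signed in":
                # Every URL challenged so far has now seen a sign-in.
                signed.update({url: scheme for url in awaiting})
                awaiting.clear()
            elif what == "was challenged":
                if req["url"] in signed:
                    loops.append((req["url"], signed.pop(req["url"]), scheme))
                awaiting.add(req["url"])
    return loops

if __name__ == "__main__":
    for url, signed_scheme, challenge_scheme in find_challenge_loops(parse_requests(SAMPLE)):
        print(f"{url}: {signed_scheme} signed in, but {challenge_scheme} challenged again")
```
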

  • maliming created
    Support Team Fullstack Developer

    hi

    How did you invoke the Challenge method of oidc?

    var provider = "oidc";
    var redirectUrl = "Account/Login?handler=ExternalLoginCallback";
    var properties = SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    properties.Items["scheme"] = provider;
    return Challenge(properties, provider);
    
  • SharmaAtul created

    No, I am using default code provided by template.

  • maliming created
    Support Team Fullstack Developer

    hi

    > No, I am using default code provided by template.

    Please share the code.

    Thanks.

  • SharmaAtul created

    From which file do I need to share the code?

  • maliming created
    Support Team Fullstack Developer

    hi

    You are not changing the DefaultChallengeScheme and DefaultScheme now.

    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    

    The login/register page should have a new external login option (Microsoft Azure AD).

    You can click it to sign in with Microsoft Azure AD.

    https://abp.io/docs/latest/modules/account-pro#manage-external-logins

  • SharmaAtul created

    But it is already set

  • SharmaAtul created

  • maliming created
    Support Team Fullstack Developer

    hi

    Do not change the DefaultChallengeScheme and DefaultScheme

    Add your Microsoft Azure AD as a new external login provider.

    https://abp.io/support/questions/8731/OpenIdConnect-redirection-issue#answer-3a17dd15-9114-1a35-38c6-6175b1248df7

  • SharmaAtul created

    like this way

  • maliming created
    Support Team Fullstack Developer

    yes, can you check the login/register page?

  • SharmaAtul created

    No, it is not showing for me.

  • maliming created
    Support Team Fullstack Developer

    hi

    Can you share your project?

    liming.ma@volosoft.com

    I will download and check your code.

    Thanks.

  • SharmaAtul created

    OK, I will share it with the given email address.

Made with ❤️ on ABP v9.3.0-preview. Updated on June 13, 2025, 11:37