
OpenIdConnect redirection issue #8731


User avatar
0
SharmaAtul created
  • ABP Framework version: v9.0.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated: yes
  • Exception message and full stack trace: I am bounced back and forth on the redirect URL after authenticating with Microsoft Azure AD
  • Steps to reproduce the issue: I have added my configuration for OpenIdConnect, and after that I am facing this issue. I am also attaching a video for reference. Video https://jmp.sh/jrphAyUq

These are the logs

    2025-01-31 16:46:27.271 +05:30 [INF] Request starting HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - null null
    2025-01-31 16:46:27.274 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ResolveRequestUri.
    2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ResolveRequestUri.
    2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
    2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
    2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
    2025-01-31 16:46:27.275 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
    2025-01-31 16:46:27.287 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ValidateHostHeader.
    2025-01-31 16:46:27.287 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+EvaluateValidatedTokens.
    2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromAuthorizationHeader.
    2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromBodyForm.
    2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromQueryString.
    2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
    2025-01-31 16:46:27.288 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
    2025-01-31 16:46:27.288 +05:30 [DBG] AuthenticationScheme: OpenIddict.Validation.AspNetCore was not authenticated.
    2025-01-31 16:46:27.295 +05:30 [INF] Authorization failed. These requirements were not met: PermissionRequirement: AbpIdentity.OrganizationUnits
    2025-01-31 16:46:27.296 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.
    2025-01-31 16:46:27.300 +05:30 [INF] Request finished HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - 302 null null 29.4896ms


115 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share your host startup module code?

  • User Avatar
    0
    SharmaAtul created

    hi

    Can you share your host startup module code?

    From which project? and from which file?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The NextGen.Portal.Web module.

    eg: NextGenPortalWebModule.cs

  • User Avatar
    0
    SharmaAtul created

    Do you want to check specific code block ?

    Due to character limitation i can not paste whole file code.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can share it with liming.ma@volosoft.com

  • User Avatar
    0
    SharmaAtul created

    liming.ma@volosoft.com

    Ok I have sent email on provided email address.

    Can you please check and confirm?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I received it. I will check it asap.

  • User Avatar
    0
    SharmaAtul created

    hi

    I received it. I will check it asap.

    This feature is very important for us, So please provide a solution so that we can give demo to our clients.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you try to set the SignInScheme of the AddOpenIdConnect to IdentityConstants.ExternalScheme?

    // Needs (among the module's existing usings): Microsoft.AspNetCore.Authentication.OpenIdConnect,
    // Microsoft.AspNetCore.Identity, Microsoft.IdentityModel.Protocols.OpenIdConnect,
    // OpenIddict.Validation.AspNetCore and Volo.Abp.Security.Claims.
    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        // Add Azure AD as an additional OpenID Connect provider. AddAuthentication() is called
        // without options on purpose: the default and challenge schemes stay as ABP configured them.
        context.Services.AddAuthentication().AddOpenIdConnect(options =>
        {
            options.ClientId = configuration["Authentication:AzureAd:ClientId"];
            // The secret belongs in user-secrets or a vault, not in a committed appsettings file.
            options.ClientSecret = configuration["Authentication:AzureAd:ClientSecret"];
            options.Authority = configuration["Authentication:AzureAd:Authority"];
            options.CallbackPath = configuration["Authentication:AzureAd:CallbackPath"];
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.SaveTokens = true; // the Azure AD tokens are persisted in the authentication cookie
            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("email");
            //options.Scope.Add("offline_access");

            // Sign the Azure AD principal into the *external* cookie (Identity.External).
            // ABP's external-login callback reads that cookie through
            // SignInManager.GetExternalLoginInfoAsync() and then either creates the local
            // session or shows the registration page for a user that does not exist yet.
            options.SignInScheme = IdentityConstants.ExternalScheme;

            options.Events = new OpenIdConnectEvents
            {
                // Debug-only: the claims contain personal data; remove this logging before production.
                OnTokenValidated = ctx =>
                {
                    foreach (var claim in ctx.Principal.Claims)
                    {
                        Console.WriteLine($"{claim.Type}: {claim.Value}");
                    }
                    return Task.CompletedTask;
                },
                OnAuthenticationFailed = ctx =>
                {
                    Console.WriteLine($"Authentication failed: {ctx.Exception.Message}");
                    return Task.CompletedTask;
                }
            };
        });

        // Requests that carry a bearer token are authenticated by OpenIddict validation
        // instead of the Identity cookie.
        context.Services.ForwardIdentityAuthenticationForBearer(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
        context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
        {
            options.IsDynamicClaimsEnabled = true;
        });
    }
    
  • User Avatar
    0
    SharmaAtul created

    hi

    Can you try to set the SignInScheme of the AddOpenIdConnect to IdentityConstants.ExternalScheme?

    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration) 
    { 
        //Add authentication using Azure AD 
        context.Services.AddAuthentication().AddOpenIdConnect(options => 
        { 
            options.ClientId = configuration["Authentication:AzureAd:ClientId"]; 
            options.ClientSecret = configuration["Authentication:AzureAd:ClientSecret"]; 
            options.Authority = configuration["Authentication:AzureAd:Authority"]; 
            options.CallbackPath = configuration["Authentication:AzureAd:CallbackPath"]; 
            options.ResponseType = OpenIdConnectResponseType.Code; 
            options.SaveTokens = true; 
            options.Scope.Clear(); 
            options.Scope.Add("openid"); 
            options.Scope.Add("profile"); 
            options.Scope.Add("email"); 
            //options.Scope.Add("offline_access"); 
     
     
            options.SignInScheme = IdentityConstants.ExternalScheme; 
     
            options.Events = new OpenIdConnectEvents 
            { 
                OnTokenValidated = context => 
                { 
                    // Log token claims 
                    var claims = context.Principal.Claims; 
                    foreach (var claim in claims) 
                    { 
                        Console.WriteLine($"{claim.Type}: {claim.Value}"); 
                    } 
                    return Task.CompletedTask; 
                }, 
                OnAuthenticationFailed = context => 
                { 
                    Console.WriteLine($"Authentication failed: {context.Exception.Message}"); 
                    return Task.CompletedTask; 
                } 
            }; 
        }); 
     
        context.Services.ForwardIdentityAuthenticationForBearer(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme); 
        context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options => 
        { 
            options.IsDynamicClaimsEnabled = true; 
        }); 
    } 
    

    Ok let me check and try.

  • User Avatar
    0
    SharmaAtul created

    I am adding logs here after applying the changes. Also, I am trying a user which does not exist in my database. So, as per my understanding, when I have authenticated with Azure AD, the User Registration screen needs to appear to create a user in my local database.

        2025-02-03 14:59:36.788 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.
        2025-02-03 14:59:36.794 +05:30 [INF] Request finished HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - 302 null null 40.0161ms
        2025-02-03 14:59:38.505 +05:30 [INF] Request starting HTTP/2 POST https://localhost:44362/signin-oidc - application/x-www-form-urlencoded 2229
        2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ResolveRequestUri.
        2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ResolveRequestUri.
        2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
        2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
        2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
        2025-02-03 14:59:38.516 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
        2025-02-03 14:59:38.935 +05:30 [INF] AuthenticationScheme: Identity.External signed in.
        2025-02-03 14:59:38.937 +05:30 [INF] Request finished HTTP/2 POST https://localhost:44362/signin-oidc - 302 null null 432.7245ms
        2025-02-03 14:59:38.971 +05:30 [INF] Request starting HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - null null
        2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ResolveRequestUri.
        2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ResolveRequestUri.
        2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
        2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
        2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
        2025-02-03 14:59:38.976 +05:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ValidateHostHeader.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+EvaluateValidatedTokens.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromAuthorizationHeader.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromBodyForm.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromQueryString.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
        2025-02-03 14:59:38.980 +05:30 [DBG] The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateRequiredTokens.
        2025-02-03 14:59:38.980 +05:30 [DBG] AuthenticationScheme: OpenIddict.Validation.AspNetCore was not authenticated.
        2025-02-03 14:59:38.984 +05:30 [INF] Authorization failed. These requirements were not met: PermissionRequirement: AbpIdentity.OrganizationUnits
        2025-02-03 14:59:38.984 +05:30 [INF] AuthenticationScheme: OpenIdConnect was challenged.
        2025-02-03 14:59:38.986 +05:30 [INF] Request finished HTTP/2 GET https://localhost:44362/Identity/OrganizationUnits - 302 null null 14.988ms

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    How did you invoke the Challenge method of oidc?

    // "provider" must be the scheme name the external handler was registered with
    // (the first argument of AddOpenIdConnect); the login page's button posts it.
    var provider = "oidc";
    // The identity provider redirects to CallbackPath (e.g. /signin-oidc); the handler then
    // redirects here, where ABP reads the Identity.External cookie and finishes the local sign-in.
    var redirectUrl = "Account/Login?handler=ExternalLoginCallback";
    var properties = SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    properties.Items["scheme"] = provider;
    return Challenge(properties, provider);
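
The challenge/callback round trip that the snippet above belongs to, as an added example that is not ABP's own page code: a minimal Razor Page on plain ASP.NET Core Identity (`SignInManager<IdentityUser>`). The scheme name "AzureAD", the page and handler names are assumptions. It adds the two checks a practitioner wants at this point: the posted `provider` value is accepted only if it is a registered external scheme, and `returnUrl` is forced to stay on the site. The null check in the callback is the failure mode behind this thread: if `GetExternalLoginInfoAsync()` returns null, the Identity.External cookie was never written, which is what happens when the OIDC handler's `SignInScheme` is not `IdentityConstants.ExternalScheme`.

```csharp
// Added example for this thread; not ABP's Account module code. "AzureAD", the page path
// and the handler names are assumptions.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class ExternalLoginModel : PageModel
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public ExternalLoginModel(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // POST /Account/ExternalLogin?provider=AzureAD&returnUrl=/Identity/OrganizationUnits
    public async Task<IActionResult> OnPostAsync(string provider, string returnUrl = "/")
    {
        // Only challenge a scheme that is registered as an external provider (has a DisplayName);
        // an arbitrary attacker-supplied "provider" must not reach Challenge().
        var external = await _signInManager.GetExternalAuthenticationSchemesAsync();
        if (!external.Any(s => s.Name == provider))
        {
            return BadRequest("unknown external provider");
        }

        // returnUrl is attacker-controlled: never let the flow end on another site (open redirect).
        if (!Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        // Where the OIDC handler sends the browser after it has written the Identity.External
        // cookie on /signin-oidc. This is the equivalent of ABP's
        // "Account/Login?handler=ExternalLoginCallback".
        var callback = Url.Page("/Account/ExternalLogin", pageHandler: "Callback", values: new { returnUrl });
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, callback);
        return Challenge(properties, provider); // 302 to the provider's authorize endpoint
    }

    // GET /Account/ExternalLogin?handler=Callback&returnUrl=...
    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = "/")
    {
        // Reads the Identity.External cookie. Null here means the external handler signed in
        // to some other scheme (SignInScheme not set to IdentityConstants.ExternalScheme).
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
        {
            return RedirectToPage("/Account/Login");
        }

        // Local user already linked to this Azure AD identity: create the application session.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (result.Succeeded)
        {
            // The external cookie has done its job; drop it so it cannot be replayed.
            await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
            return LocalRedirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
        }

        // Unknown user: hand off to registration, which links the external login to the new account.
        // (In ABP this is the registration screen the reporter expected to see.)
        return RedirectToPage("/Account/Register", new { returnUrl });
    }
}
```

Sequence on the wire for a user that does not exist locally: POST /Account/ExternalLogin gives a 302 to Azure AD, Azure AD posts the code to /signin-oidc, the handler signs in Identity.External and redirects to the Callback handler, and the callback redirects to /Account/Register. If the callback is never reached and the protected page is requested again instead, the host's default challenge scheme is doing the redirecting, which is the loop in the logs above.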
    
  • User Avatar
    0
    SharmaAtul created

    No, I am using default code provided by template.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    No, I am using default code provided by template.

    Please share the code.

    Thanks.

  • User Avatar
    0
    SharmaAtul created

    From which file I need to share the code?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You are not changing the DefaultChallengeScheme and DefaultScheme now.

    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    

    The login/register page should have a new external login option(Microsoft Azure AD).

    You can click it to sign in with Microsoft Azure AD.

    https://abp.io/docs/latest/modules/account-pro#manage-external-logins
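
The two ways of wiring Azure AD into the auth-server host side by side, as an added example that is neither from the ABP template nor from the posts in this thread. It covers both pieces of advice given above: set `SignInScheme` to `IdentityConstants.ExternalScheme`, and leave `DefaultScheme`/`DefaultChallengeScheme` alone. The scheme name "AzureAD", the `Authentication:AzureAd:*` keys (taken from the configuration snippet in this thread) and the diagnostic helper are assumptions. The second log above shows why the first shape loops: /signin-oidc signs in Identity.External, the browser is sent straight back to /Identity/OrganizationUnits, the page still has no application session, the permission requirement fails, and the host's default challenge scheme (OpenIdConnect) redirects to Azure AD again.

```csharp
// Added example for this thread; not code from the ABP template or from the posts above.
// Assumptions: the scheme name "AzureAD", the "Authentication:AzureAd:*" configuration keys
// and the name of the diagnostic helper.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class AzureAdExternalLogin
{
    // MISCONFIGURED: the shape this thread starts from.
    // DefaultChallengeScheme = OpenIdConnect means every unauthenticated or forbidden request on
    // the host (the PermissionRequirement failure on /Identity/OrganizationUnits in the logs) is
    // answered with a redirect to Azure AD. After /signin-oidc the browser goes straight back to
    // the page, which still has no local session, so it is challenged again: a redirect loop.
    // Overriding DefaultScheme also points authentication away from the cookie scheme ABP's
    // Identity setup uses for the login session.
    public static void ConfigureAsDefaultChallenge(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddOpenIdConnect(options => BindAzureAd(options, configuration));
        // No SignInScheme: the handler signs into the default sign-in scheme, not Identity.External,
        // so ABP's ExternalLoginCallback never finds an external login to consume.
    }

    // CORRECTED: keep the default schemes as ABP's Identity/OpenIddict setup configured them and
    // register Azure AD as one more *external* login provider. The display name is what makes it
    // external in ASP.NET Identity's eyes: SignInManager.GetExternalAuthenticationSchemesAsync()
    // returns exactly the schemes that have a DisplayName.
    public static void ConfigureAsExternalProvider(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("AzureAD", "Microsoft Azure AD", options =>
            {
                BindAzureAd(options, configuration);
                // The Azure AD principal goes into the Identity.External cookie. ABP's
                // ExternalLoginCallback reads it with SignInManager.GetExternalLoginInfoAsync()
                // and then signs the linked local user in or shows the registration page.
                options.SignInScheme = IdentityConstants.ExternalScheme;
            });
    }

    private static void BindAzureAd(OpenIdConnectOptions options, IConfiguration configuration)
    {
        var azure = configuration.GetSection("Authentication:AzureAd");
        options.Authority = azure["Authority"];
        options.ClientId = azure["ClientId"];
        options.ClientSecret = azure["ClientSecret"];  // user-secrets / Key Vault, never a committed appsettings file
        options.CallbackPath = azure["CallbackPath"] ?? "/signin-oidc";
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;                         // default for the code flow; kept explicit
        options.SaveTokens = true;                      // as in the thread; the tokens then live in the cookie
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
    }

    // Diagnostic for "the button is not showing": the schemes a login page can offer as
    // external providers. After ConfigureAsExternalProvider the list contains
    // "AzureAD (Microsoft Azure AD)".
    public static async Task<string[]> ExternalProviderNamesAsync(IAuthenticationSchemeProvider schemes)
    {
        var all = await schemes.GetAllSchemesAsync();
        return all.Where(s => !string.IsNullOrEmpty(s.DisplayName))
                  .Select(s => $"{s.Name} ({s.DisplayName})")
                  .ToArray();
    }
}
```

Call `ExternalProviderNamesAsync` from a debug endpoint or a startup log line with the host's `IAuthenticationSchemeProvider`. If "AzureAD" is in that list but the login page still shows no button, the registration is fine and the cause is on ABP's side, such as the external-login settings linked in the post above.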

  • User Avatar
    0
    SharmaAtul created

    But it is already set

  • User Avatar
    0
    SharmaAtul created

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Do not change the DefaultChallengeScheme and DefaultScheme

    Add your Microsoft Azure AD as a new external login provider.

    https://abp.io/support/questions/8731/OpenIdConnect-redirection-issue#answer-3a17dd15-9114-1a35-38c6-6175b1248df7

  • User Avatar
    0
    SharmaAtul created

    like this way

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    yes, can you check the login/register page?

  • User Avatar
    0
    SharmaAtul created

    No it is not showing for me

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share your project?

    liming.ma@volosoft.com

    I will download and check your code.

    Thanks.

  • User Avatar
    0
    SharmaAtul created

    Ok I will share with given email address.

Made with ❤️ on ABP v9.2.0-preview. Updated on February 13, 2025, 10:35