Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add multiple AAD authentication options using AddMicrosoftIdentityWebAppAuthentication not possible

See original GitHub issue

Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.6.0

Where is the issue?

Web app
- Sign-in users
- Sign-in users and call web APIs
Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- Protected web APIs call downstream web APIs
Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
Other (please describe)

I have an app which needs to support authentication using multiple AAD’s, but if I try to call AddMicrosoftIdentityWebAppAuthentication multiple times it seams that only the last one takes affect, but I get a “Unable to unprotect the message.State” exception although I’ve set different CallbackPath.

Is there an other way to do this?

  "azuread1": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "azuread1.onmicrosoft.com",
    "TenantId": "xxxxx",
    "ClientId": "xxxxxx",
    "ClientSecret": "xxxxx",
    "CallbackPath": "/signin-oidc/azuread1",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
 "azuread2": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "azuread2.onmicrosoft.com",
    "TenantId": "yyyyy",
    "ClientId": "yyyyy",
    "ClientSecret": "yyyyy",
    "CallbackPath": "/signin-oidc/azuread2",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },

services.AddMicrosoftIdentityWebAppAuthentication(configuration: Configuration,
                                                              configSectionName: "azuread1",
                                                              openIdConnectScheme: "azuread1",
                                                              cookieScheme: null);

 services.AddMicrosoftIdentityWebAppAuthentication(configuration: Configuration,
                                                              configSectionName: "azuread2",
                                                              openIdConnectScheme: "azuread2",
                                                              cookieScheme: null);

If I try to logging using azuread1 it will say the user dows not exist in azuread2.onmicrosoft.com, while if I log in using azuread2 I get an “Unable to unprotect the message.State” exception.

Issue Analytics

State:
Created 3 years ago
Comments:24

Top GitHub Comments

1reaction

sven5commented, Jul 9, 2021

Ok, now I’ve found my mistake. The important thing is passing the value of null to the cookieScheme parameter and setting Cookie Authentication as default.

1reaction

wmmihaacommented, Jul 8, 2021

Hi Sven, Yes it works for me. We’re using v 1.14.0 (Microsoft.Identity.Web & Microsoft.Identity.Web.UI):

Startup.cs - ConfigureServices

foreach (var section in Configuration.GetSection("azureAd").GetChildren())
{
    services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(section, section.Key, null);
}

appsettings.json

  "azureAd": {
    "AAD1": {
      "Instance": "XXX",
      "Domain": "XXX",
      "TenantId": "XXX",
      "ClientId": "XXX",
      "CallbackPath": "/signin-oidc/aad1"
    },
    "AAD2": {
      "Instance": "https://login.microsoftonline.com/",
      "Domain": "XXX",
      "TenantId": "XXX",
      "ClientId": "XXX",
      "ClientSecret": "XXX",
      "CallbackPath": "/signin-oidc/aad2"
    }
  }

HTH