Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[Bug] IsAppServicesAadAuthenticationEnabled not working with new App Service Authentication flow
See original GitHub issueWhich version of Microsoft Identity Web are you using? Microsoft Identity Web 1.9.1 with ASP.NET 5.0
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe) Identity provider detection
Is this a new or an existing app? Existing App using Azure App Service and Easy auth. Switched from Authentication (classic) to the new Authentication experience.
Repro
Use the following in the Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
...
}
public void Configure(IApplicationBuilder app)
{
...
app.UseAuthentication();
app.UseAuthorization();
...
}
Push it to an App Service with the new Authentication experience enabled using AAD. Then try to call the API, you will get an exception saying that you need to provide the ClientId and etc. These values were not needed before the switch to the new experience.
Expected behavior The library should detect that App Service’s Authentication is enabled and not ask for “AzureAd” configuration section.
Actual behavior
The ASP.NET 5.0 server throws:
[Error] Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware: An exception was thrown attempting to execute the error handler.Microsoft.Extensions.Options.OptionsValidationException: IDW10106: The 'ClientId' option must be provided.at
It should not.
Possible solution In AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled, there is 2 conditions to be met. The first one is still valid when using the new Authentication experience. However, the second one, the string needs to match the variable"AppServicesAuthAzureActiveDirectory" value which is “AzureActiveDirectory”. However, using the new experience, the environment variable value is “azureactivedirectory”. Since the equal is case-sensitive, it does not work.
Additional context / logs / screenshots
When using classic experience:
When using the new experience:
Issue Analytics
- State:
- Created 2 years ago
- Comments:7
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
We need to have a look at the EasyAuth experience. I’d think we’d want to look for “aad” as well 😦
Thanks @B742 for the heads-up … yes … this completely breaks the “contract”, therefore adding this as a P1 bug (the feature won’t work) @jennyf19 : we need to do insensitive comparisons of the environment variables … apparently Easy auth changed the values;
Those are the line for which we want to do an insensitive string comparison:
https://github.com/AzureAD/microsoft-identity-web/blob/b93c67676f8755f5a9c692aeb77686fc1757e3aa/src/Microsoft.Identity.Web/AppServicesAuth/AppServicesAuthenticationInformation.cs#L39-L40
Thanks @navyasric for looking at this issue.