Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[Bug] Reply address does not match the reply address provided when requesting authorization
See original GitHub issueWhich version of Microsoft Identity Web are you using? Microsoft Identity Web 0.2.3-preview
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe)
Is this a new or an existing app? a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro I’m getting frustrated by an error which occurs on a .netcore3.1 app I’m working on. Here’s my setup:
In Startup.cs
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftWebApp(options =>
{
Configuration.Bind("AzureAd", options);
options.Events ??= new OpenIdConnectEvents();
options.Events.OnRedirectToIdentityProvider = async ctx =>
{
ctx.ProtocolMessage.RedirectUri = Configuration["AzureAd:RedirectUri"];
await Task.CompletedTask;
};
})
.AddMicrosoftWebAppCallsWebApi(Configuration, new[] { "user.read" })
.AddDistributedTokenCaches();
In my appsettings
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "ClientId",
"TenantId": "TenantId",
"RedirectUri": "https://mywebsite.com/signin-oidc",
"ClientSecret": "ClientSecret"
},
the azure app registration is configured correctly with https://mywebsite.com/signin-oidc as the redirect url. I’ve also added the following to allow headers to be forwarded from the proxy:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
});
// then in the Configure method
app.UseForwardedHeaders();
Yet I’m still getting this error which is baffling me. I thought by adding
ctx.ProtocolMessage.RedirectUri = Configuration["AzureAd:RedirectUri"];
I would overcome this but it seems to have no impact. I’ve checked the authorise request url in the browser and the redirect_uri parameter is set correctly to https://mywebsite.com/signin-oidc
Yet still I’m getting this error in my logs:
An unhandled exception occurred","Properties":{"CorrelationId":"c3393560-6ebe-41ce-99fc-693c1a387474","Path":"/signin-oidc","Method":"POST","exceptionMessage":"An error was encountered while handling the remote login.","exception":"System.Exception: An error was encountered while handling the remote login.\n ---> MSAL.NetCore.4.16.1.0.MsalServiceException: \n\tErrorCode: invalid_client\nMicrosoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS500112: The reply address 'http://mywebsite.com/signin-oidc' does not match the reply address 'https://mywebsite.com/signin-oidc' provided when requesting Authorization
Any help would be very much appreciated
Thanks!
Issue Analytics
- State:
- Created 3 years ago
- Comments:9
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@mia01 https redirection is the way to go. The workaround you’ve show should only be applied in https reverse proxy scenarios, not to requests that are really http.
HTTPS redirection is covered here: https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio
Some follow-up info in case it might help someone. We had a reverse proxy which was terminating the ssl. Our development environment was forwarding the https scheme but the production environment wasn’t which caused additional confusion. Once I had updated the production environment and made sure we were forwarding the scheme and also made sure https redirection was in place this issue disappeared and I no longer had to use this:
Nor did I need to manually set the redirect like this:
All I needed was the section which told the app to use forwarded headers: