[Bug] Signing in users breaks when using backchannel proxy
See original GitHub issueWhich version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. 0.3.1-preview
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe)
Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro
I have a public repro which is mainly a new project created with dotnet new mvc2 -singleauth
template, then modified to handle Cloud Foundry variable parsing to obtain proxy information, and create the back channel proxy. Relevant code for Proxy is below. – repro here
I am not sure why, but simply changing back to .AddAzureAD
, changing options to OpenIdConnectOptions
, and no other changes, the back channel communication works properly.
public void PostConfigure(string name, MicrosoftIdentityOptions options)
{
Log.Debug("Starting PostConfigure");
var proxyURI = VCAPHelper.GetSquidUri();
Log.Debug("Setting Proxy URI to {Proxy}", proxyURI);
if (!string.IsNullOrEmpty(proxyURI))
{
var webProxy = new WebProxy()
{
Address = new Uri($"http://{VCAPHelper.GetSquidHost()}:{VCAPHelper.GetSquidPort()}"),
BypassProxyOnLocal = true,
UseDefaultCredentials = false,
Credentials = new NetworkCredential(VCAPHelper.GetSquidUsername(), VCAPHelper.GetSquidPassword())
};
var httpClientHandler = new HttpClientHandler()
{
Proxy = webProxy,
UseDefaultCredentials = true,
UseProxy = true
};
options.Backchannel = new HttpClient(httpClientHandler, true);
}
Expected behavior I would expect back channel behavior to work normally when access through a proxy is required to access metadata at login.microsoft.com.
Actual behavior Receive an error below presumably due to some communication on the back channel not working through the proxy.
IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/common/discovery/instance?authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize&api-version=1.1'.
Additional context / logs / screenshots There was an issue open under aspnetcore last year where I got the AzureAD piece working, that issue is https://github.com/dotnet/aspnetcore/issues/20000, for reference.
Issue Analytics
- State:
- Created 3 years ago
- Comments:22 (1 by maintainers)
Top GitHub Comments
I’d suggest using the same pattern as AspNet, injecting
IOptions<AadIssuerValidatorOptions>
so the developer can do something like this in startup:@jennyf19 : moving this to an enhancement as @Tratcher provided more context about what needs to be done. @Tratcher : would inject an IHttpClient be a god solution? It might be worth a quick sync to be sure we are not iterating towards the solution 😃