Open Closed

Setting up Microsoft Azure A/D Login #10620


0
hra created

I'm setting up Azure A/D authentication integation to our AspNetZero Angular/Core application.

After reading this document: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

I found that all I allegedly need to do is enable Microsoft (social) logins - which AspNetZero supports. https://docs.aspnetzero.com/en/aspnet-core-angular/latest/Features-Angular-Social-Logins

I did so, and the "Microsoft" button appears on the tenant login page. Great. However, after using that button to log into my Microsoft account, the AspNetZero page shows an error popup "Could not validate external user login".

I'm guesing there is some step I am missing? But I don't know what it is. Something method I'm supposed to override in the .Net Core code?

The following documentation explains what should happen if an external account is and isn't identified for EXTERNAL authentication - but I'm not sure if that should apply to Microsoft auth as your documentation identifies that as "Social" authentication. https://aspnetboilerplate.com/Pages/Documents/Zero/User-Management

Anyway, the missing knowledge is... I ASSUME that one should only be able to "log in" with a Microsoft account that was used to first CREATE an AspNetZero user account... however, when I visit the tenant "create account" page, there is no "Create with Microsoft" button...

What am I missing?

Thanks,

--- UPDATE --- I've found something in the TokenAuthController ProviderKey comparison which looks likely to be a bug... confirm? Note how the provider key in the UserInfo object differs from the provider key in the Model by only the hypens being stripped (see watch window in screenshot). Bug?

--- UPDATE 2 --- Using the inspector, I updated the ProviderKey to match such that the comparison passes. The next issue is that by the time "UserManager.FindAsync" is called, no tenant id is provided by the code - which means the the query against UserLogin doesnt find the entry that is mapped to a specific tenant. I'm guessing this should have been populated somehow by now? How is the query to find the UserLogin supposed to know which tenant to search under?

--- UPDATE 3 ---

Clearly there are issues here. Status? https://github.com/aspnetzero/aspnet-zero-core/issues/3046

I guess these are the same issues. Broken for almost 2 years? I can get accounts to be created if I tweak the ProviderKey comparison to strip hyphens - however the activate user cannot log in (error "User name XXX is already taken") because the search for the user account is performed with a null tenancyName.


5 Answer(s)
  • 0
    ismcagdas created
    Support Team

    Hi @hra

    Could you share which version of AspNet Zero you are using ? There was a problem with the Microsoft login but it is fixed in the one latest versions.

    For Azure AD login, you can also use OpenID Connect. You just need to enable it in the appsettings.json just like you did for Microsoft login.

    Thanks,

  • 0
    hra created

    Hi @ismcagdas,

    I'm on version 10.0 of Core/Angular.

    Whats the justification for using OpenID Conect vs Microsoft?

  • 0
    ismcagdas created
    Support Team

    Hi @hra

    Sorry for my late reply. For AspNet Zero, Microsoft Login sometimes causes problem with Office 365 Login. OpenID Connect has a wider support range from 3rd parties.

  • 0
    4Matrix created

    I think I have the same issue, I have a multitenant app with unique email addresses for each user. There is no way to select a tenant from the login screen, it gets the tenant id from the username/password entered (Username is synced with Email). I have got a "Login with Azure AD" button but the Azure AD they log into will depend on their email address as each tenant will have their own App registration?

    I basically need microsoft to Authenticate them, then I will need to check that we have a tenant setup for them on our system and that they are in a valid Security Group to allow them to login to their tenancy with the relivant roles. I will need to look at the Client ID and Client Secret sent back as part of the login process to see if it matches up with any tenant in our DB.

    But how do I know which Azure AD url to use if I dont know what the tenant is? From my research it looks as if I should create my own App Registration in our own Azure AD and set it up to 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)' which will allow my requests for authentication to all be passed to the same place. My customers will then need to setup their own App Registration and I will need to store these details against each tenant in my DB so that once they have been authenticated, I can work out which tenant they belong to and check to make sure they are in the right Role/Security Group to be able to access the software?

  • 0
    jeffmh created

    @4Matrix ... One thing you could do is modify the login page to have a pre-step to "enter email address" step. Then click Next. When you click next, you could do the tenant lookup and then do any logic you needed to set the tenant Id, then do the login process with Open ID and Azure AD / show password field, etc. Lots of sites are doing this now in order to know if the user is password user or a 3rd party login user.

    For Azure AD, you def want to use Open ID IMO. I thought the "Microsoft" login was just for personal accounts? Maybe I am wrong about that and you can make it work but I can say for certainty that Open ID works great.

    We are using the multi-tenant Open ID setup with Azure AD using each of the tenants Azure AD setup and it's working out great for us. We also modified the login process to enter email address first so we would know if the user is a password user or an AD user (Think of it like employee login vs customer login). It's slightly different process than you are discussing since I know the tenant based on URL but I think adding an initial step would allow you to use Tenants like you want without having to setup anything in your Azure AD.

    Just a thought. Hope your project is going good!