Hi, we are developing on a Core+Angular solution (v.6.9.0) and we configured it to log in against an O365 tenant following some suggestions found on this support portal. But when Azure calls back our app, the following exception is raised:
IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) in C:\agent2\_work\56\s\src\Microsoft.IdentityModel.Tokens\Validators.cs:line 172
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) in C:\agent2\_work\56\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 737
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\agent2\_work\56\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line 719
at Abp.AspNetZeroCore.Web.Authentication.External.WsFederation.WsFederationAuthProviderApi.ValidateToken(String token, String issuer, IConfigurationManager`1 configurationManager, CancellationToken ct)
at Abp.AspNetZeroCore.Web.Authentication.External.WsFederation.WsFederationAuthProviderApi.GetUserInfo(String token)
at SmartPortal.Web.Controllers.TokenAuthController.GetExternalUserInfo(ExternalAuthenticateModel model) in /Users/fncap/Dev/GIT/SmartPortal Project/SmartPortal/aspnet-core/src/SmartPortal.Web.Core/Controllers/TokenAuthController.cs:line 455
at SmartPortal.Web.Controllers.TokenAuthController.ExternalAuthenticate(ExternalAuthenticateModel model) in /Users/fncap/Dev/GIT/SmartPortal Project/SmartPortal/aspnet-core/src/SmartPortal.Web.Core/Controllers/TokenAuthController.cs:line 330
at lambda_method(Closure , Object )
at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextExceptionFilterAsync()
Any suggestion?
2 Answer(s)
-
1
After some tries and research in the ANZ code, I found a solution.
Edit appsettings.json as follows:
"WsFederation": {
  "IsEnabled": "true",
  "Authority": "https://sts.windows.net/{azureTenantId}/",
  "ClientId": "<GET IT FROM AZURE PORTAL>",
  "Tenant": "<GET IT FROM AZURE PORTAL>",
  "MetaDataAddress": "https://login.microsoftonline.com/{azureTenantId}/federationmetadata/2007-06/federationmetadata.xml"
},
What is missing in your docs (and in Azure's docs too :D) is the Authority property. It is not clear what it is used for and where to retrieve it! I found it by debugging step-by-step your code and the auth communication flow!
Last, you have to modify your Federation Metadata Manifest - from the Azure Portal - to include the email claim, otherwise the ANZ auth flow can't recognize the user info and throws an exception!
To do that, simply edit the optionalClaims JSON property as follows:
"optionalClaims": {
  "idToken": [
    { "name": "email", "source": null, "essential": true, "additionalProperties": [] }
  ],
  "accessToken": [
    { "name": "email", "source": null, "essential": true, "additionalProperties": [] }
  ],
  "saml2Token": []
},
With these modifications, the authentication flow succeeds and the user was created in ANZ! But ... there is always a last issue ... the user was created with a strange username, due to the fact that somewhere in the code something failed. But this is not an issue at all, because you (admin) have to log in to ANZ to activate this new user, so at the same time you can simply change its username!
JUST A LITTLE SUGGESTION to improve the usability. Bypass CheckSelfRegistrationIsEnabled(); inside UserRegistrationManager.RegisterAsync if the user comes from an External Provider. In this way you can disable users' self-registration via the login page to ensure application access only to a domain's users ... like an intranet! I did that by adding an optional boolean argument to that method, which is used to conditionally call CheckSelfRegistrationIsEnabled, but I'm sure that you can do it better ... in a more fashioned way :D
-
0
Thanks @simplexsrl for your valuable comments; we are trying to improve AspNet Zero's documentation and we will consider your suggestions.
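The two checks the first answer ran into (exact match of the token's iss claim against the configured Authority, then the presence of the email claim), as an added Python example that is not from the thread or from AspNet Zero: it reproduces the issuer rule the IDX10205 error enforces so a mismatch can be triaged offline. The tenant id, token contents and signature are constructed placeholders, and no signature verification is performed.

```python
import base64
import json
# Constructed sample values (not from the thread): a placeholder tenant id and the
# v1-style Azure AD issuer, which the "Authority" setting must equal exactly.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
V1_ISSUER = "https://sts.windows.net/%s/" % TENANT_ID

def b64url(data):
    """Base64url-encode bytes without the '=' padding JWT segments drop."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims):
    """Build a compact JWT for offline demonstration only. The signature is a
    placeholder; the real handler verifies it against the federation metadata
    keys before the issuer check reproduced below is reached."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-sample-key"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"placeholder-signature")])

def jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def validate_issuer(issuer, valid_issuer=None, valid_issuers=()):
    """Same rule as TokenValidationParameters: iss must equal ValidIssuer or one
    entry of ValidIssuers byte for byte (no case folding, no trailing-slash tolerance)."""
    candidates = ([valid_issuer] if valid_issuer else []) + list(valid_issuers)
    if issuer in candidates:
        return True, "issuer matched"
    return False, "IDX10205: iss %r matched none of %r" % (issuer, candidates)

def check_token(token, authority, required_claims=("email",)):
    """Issuer vs the configured Authority, then the claims the ANZ flow needs."""
    claims = jwt_claims(token)
    ok, reason = validate_issuer(claims.get("iss"), valid_issuer=authority)
    if not ok:
        return False, reason
    missing = [c for c in required_claims if not claims.get(c)]
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    return True, "issuer and required claims present"
```

Running check_token with the v2 endpoint (login.microsoftonline.com) or without the trailing slash as the Authority fails the same way the thread's exception did, which is why the answer's Authority value has to be the sts.windows.net issuer with the slash.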