Signout fails in samples with unknown tenant in error message

[toddheckel]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

1. Web app that signs in users
   1. with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
   2. with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
   3. with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
   4. with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
   5. with B2C users 1-WebApp-OIDC/1-5-B2C
2. Web app that calls Microsoft Graph
   1. Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
   2. With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
   3. Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
3. Web app calling several APIs 3-WebApp-multi-APIs
4. Web app calling your own Web API 4-WebApp-your-API
5. Web app restricting users
   1. by Roles: 5-WebApp-AuthZ/5-1-Roles
   2. by Groups: 5-WebApp-AuthZ/5-2-Groups
6. Deployment to Azure
7. Other (please describe)

Repro-ing the issue

Repro steps

1. Clone sample 1-1 or 2-1.
2. Configure appsettings.json with app registration information:

{
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "microsoft.onmicrosoft.com",
        "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "ClientId": "7561a6e5-a4da-43d9-a920-a2194b9086bf",
        "CallbackPath": "/signin-oidc",
        "SignedOutCallbackPath ": "/signout-oidc"
    },
    "Logging": {
        "LogLevel": {
            "Default": "Information",
            "Microsoft": "Warning",
            "Microsoft.Hosting.Lifetime": "Information"
        }
    },
    "AllowedHosts": "*"
}

3. Run sample and attempt to sign out.

Expected behavior

1. App signs the user out and suggests closing all browser windows.

Actual behavior
Error AADSTS90002 is displayed with a reference to unknown tenant a39cd443-628d-4856-97f8-fd1718b5bbcb (see screenshot at the bottom).

Not sure if this is related, but I'm also somewhat confused by this setting in appsettings.json, which was originally:

        "SignedOutCallbackPath ": "/signout-callback-oidc"

The readme says to use "signout-oidc" as the logout url in the app registration, but changing this in appsettings.json (as shown above) seems to have no effect; the redirect url in all HTTP requests captured in Fiddler is "/signout-callback-oidc" regardless of the values in appsetting.json and the app registration, i.e.:
Request:

GET https://localhost:44321/MicrosoftIdentity/Account/SignOut HTTP/1.1
Host: localhost:44321
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 Edg/83.0.478.54
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost:44321/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
...

Response:

HTTP/1.1 302 Found
Date: Sat, 11 Jul 2020 22:10:22 GMT
Server: Kestrel
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44321%2Fsignout-callback-oidc&state=CfDJ8Bju3ImRn7xCu7-KQDKKllxMPBQW97WpWZn9bjoUYv-MGegCgWENv5U1DbRHnuCI61vJChvzPQLcel-roF6fbdArKQv4JRsf1TdNPIEbWKJP7vCoPbjVuOF0uNYyfrToR1h7o-SgRbu9FXq1rhl3lvpTjUJVSjvQSAfgUPBXJoMnoFfvKIV5gNPvzuHJyvgDReX6XPyoEvY4rJ0Ax2dlDs0&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
Set-Cookie: .AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly

• You can enable Middleware diagnostics by uncommenting the following lines
• You can enable personally identifiable information in your exceptions to get more information in the open id connect middleware see Seeing [PII is hidden] in log messages
• Logging for MSAL.NET is described at Loggin in MSAL.NET

OS and Version?

Windows 10

Versions

.NET Core: 3.1
Microsoft.Identity.Web: 0.1.5-preview

Attempting to troubleshooting yourself:

• did you go through the README.md in the folder where you found the issue? Yes
• did you go through the documentation:
  • Scenario: Web app that signs in users Yes
  • Scenario: Web app that calls web APIs Yes

---

Thanks! We'll be in touch soon.

[jmprieur]

@toddheckel
Would you be using the user secrets (right click on the project in Visual Studio, | manage user secrets) ?

[toddheckel]

No I am not using user secrets. This happens with minimal repro steps - just clone the repo, modify appsettings.json, and run.

I am also seeing similar behavior in a production service that is using MSAL directly.

[TiagoBrenck]

@toddheckel I have checked this app registration, https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Authentication/appId/7561a6e5-a4da-43d9-a920-a2194b9086bf/isMSAApp/, and it has a lot of different values for scopes and reply urls. than the ones mentioned in the sample Readme. I would suggest you creating another application with just the necessary values for the samples. I have it working on my personal testing tenant so the problem might be in this app 561a6e5-a4da-43d9-a920-a2194b9086bf registration.

[toddheckel]

I created a new app registration (client id fcac81a9-f560-4f60-a646-e83cdd936301), followed the exact steps in the readme to configure it, and tried again with sample 1-3 (since I'm working with accounts in any org / personal accounts) and still see the same thing when signing out.

Even stranger, however, is that I just saw the same thing attempting to log out of Partner Center with my work account on a different computer! So this might be something specific to the MS tenant.

[TiagoBrenck]

Could you help me understand where this Tenant a39cd443 is coming from?
The file that you shared earlier uses the MSFT tenant id instead. In which tenant do you want the application to be registered?

[toddheckel]

I have no idea where tenant a39cd443-628d-4856-97f8-fd1718b5bbcb is coming from, that's the big mystery here. I have only tried this with the MSFT tenant, both with an existing app registration and the new one I created per your request, using samples 1-1 and 1-3 (the code in Startup.cs is essentially identical). I have also tried with both "72f988bf-86f1-41af-91ab-2d7cd011db47" (MSFT tenant id) and "common" as the TenantId value in appsettings.json, with the same result.

[toddheckel]

This turned out to be an issue with Azure AD and a deleted tenant. Will provide Fiddler capture as discussed. Thanks!