
Facing Common endpoint error #19795

Closed
KalyanChanumolu-MSFT opened this issue Sep 8, 2020 · 15 comments · Fixed by #19894
Labels
doc-bug Source - Docs.ms Docs Customer feedback via GitHub Issue

Comments

@KalyanChanumolu-MSFT
Member

KalyanChanumolu-MSFT commented Sep 8, 2020

The instructions here don't specifically mention which supported account type to choose.
I selected "Personal Microsoft account users" since the article is related to configuring Microsoft Logins

image

But this results in an error.

image

I believe this is because of MSAL now using a common endpoint?

Creating a new App Registration with supported account type as "All Microsoft account users" works without any errors

image

We should update the documentation accordingly.



@dotnet-bot dotnet-bot added ⌚ Not Triaged Source - Docs.ms Docs Customer feedback via GitHub Issue labels Sep 8, 2020
@KalyanChanumolu-MSFT
Member Author

#assign @Rick-Anderson @01binary

@01binary
Contributor

01binary commented Sep 8, 2020

Looks simple, I can do it this evening. I don't have a project to test with anymore, but I will change exactly the way it was suggested.

@Rick-Anderson
Contributor

@KalyanChanumolu-MSFT

But this results in an error.
Next time paste in text rather than an image.

I tested this a month ago with personal and it worked.

@KalyanChanumolu-MSFT
Member Author

@Rick-Anderson Here is the text

Exception: invalid_request;Description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.

@01binary I have the sample. I will send it to you.

@01binary
Contributor

01binary commented Sep 10, 2020

It sounds like the Microsoft Account OAuth provider is using a "common" endpoint, which makes sense. It's optimized for the "common case" of someone trying to log in with an Xbox, Outlook, or similar account.

The instructions that send you to Azure Active Directory to create a compatible App Registration should mention that you need to select a specific type that would be supported by the OAuth provider:

image

Haven't tried the code yet, but these options are reflected in App Registration manifest as follows:

  • Audience: AzureADMyOrg (Single Tenant), URL = https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize
  • Audience: AzureADMultipleOrgs (Multitenant), URL = https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
  • Audience: AzureADandPersonalMicrosoftAccount (Multi and Personal), URL = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
  • Audience: PersonalMicrosoftAccount (Personal Only), URL = https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize

The URL can be found by going to Overview page for App Registration and clicking "Endpoints" button.

The OAuth provider for MS Account uses:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

See https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/MicrosoftAccount/src/MicrosoftAccountDefaults.cs#L13

I conclude therefore that the MS Account provider is hardwired to use "AzureADAndPersonalMicrosoftAccount" App Registration Audience, which is called "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" in Azure portal when creating a new App Registration. It seems like people should know that when they are going to use the Microsoft Account provider, then the App Registration that can work with it has to be created a certain way by picking the above option.

@01binary
Contributor

01binary commented Sep 10, 2020

Trial results with various types of App Registrations, using MS Account provider and Blazor app I got from OP.

  • "Accounts in This Directory Only (Single Tenant)" selected when creating App Registration
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

I assume it's because Single Tenant must use Tenant ID in the URL, and since the MS Account provider is hardwired to use the common URL which does not contain a Tenant ID, it fails to find the App Registration specified by Client ID. This is expected.

  • "Accounts in Any Directory (Multitenant)" selected when creating App Registration

The OAuth dialog is shown with a UI error that says You can't sign in here with a personal account. Use your work or school account instead. I selected my work account and it accepted the choice. This is expected.

  • "Accounts in Any Directory and Personal Accounts" selected when creating App Registration

The OAuth dialog is shown, no error. Logs in successfully.

  • "Personal Only" selected when creating App Registration
Exception: invalid_request;Description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.

This error is the reason why we should explicitly call out which App Registration type will work with MS Account provider.

@01binary
Contributor

I recommend the following change under the bullet point that says "Pick a supported account type":

  • The Microsoft.AspNetCore.Authentication.MicrosoftAccount package supports only App Registrations created using "Accounts in any organizational directory" or "Accounts in any organizational directory and Microsoft accounts" options.

I have to sync my fork and create a pull request, etc.

@KalyanChanumolu-MSFT
Member Author

@01binary This is great.

@Rick-Anderson What would be the recommendation for customers that need to target "Microsoft Accounts only"?

@Rick-Anderson
Contributor

What would be the recommendation for customers that need to target "Microsoft Accounts only"?

I think you'd need to scaffold Identity and write your own code to handle that. @Tratcher who's the right person to answer this question?

@Tratcher
Member

Tratcher commented Sep 11, 2020

It should just be a matter of the developer setting
AuthorizationEndpoint to the right value, but I don't know what that is at the moment. I'll check.

@01binary
Contributor

I suspected that was configurable (just the constant was hard-coded) but haven't looked there again. The OAuth URL for "Personal Microsoft Accounts Only" is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. You can verify by creating an App Registration with that type, going to its Overview page, and clicking "Endpoints" button. Make sure the App Registration has "signInAudience": "PersonalMicrosoftAccount" in its Manifest, which means it's been created with that Personal type.

Here's what I got:

OAuth 2.0 authorization endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
OAuth 2.0 token endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/token
OpenID Connect metadata document: https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration

@Tratcher
Member

Ah, great. Yes, update the MicrosoftAccountOptions AuthorizationEndpoint and TokenEndpoint and re-validate.
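Putting Tratcher's suggestion together with the /consumers/ endpoints 01binary listed above, here is an added example (not code from the issue or from the aspnetcore repo) of an ASP.NET Core app that must accept personal Microsoft accounts only. The top-level Program.cs shape (.NET 6+ minimal hosting) and the configuration keys Authentication:Microsoft:ClientId / ClientSecret are assumptions; the option names are the real MicrosoftAccountOptions / OAuthOptions properties.

```csharp
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;

var builder = WebApplication.CreateBuilder(args);

// The authority segment must match the App Registration's signInAudience:
//   AzureADandPersonalMicrosoftAccount -> "common"    (the provider's default)
//   PersonalMicrosoftAccount           -> "consumers" (what this sample targets)
// Leaving the default /common/ in place with a PersonalMicrosoftAccount
// registration produces the invalid_request / 'userAudience' error quoted
// in this issue, so the two endpoints below are overridden explicitly.
const string Authority = "https://login.microsoftonline.com/consumers";

builder.Services.AddAuthorization();
builder.Services.AddAuthentication()
    .AddMicrosoftAccount(options =>
    {
        // Client credentials come from configuration (user-secrets or
        // environment variables), never from source. Key names are assumed.
        options.ClientId = builder.Configuration["Authentication:Microsoft:ClientId"]!;
        options.ClientSecret = builder.Configuration["Authentication:Microsoft:ClientSecret"]!;

        // Replace the hard-coded /common/ endpoints from MicrosoftAccountDefaults
        // with the /consumers/ endpoints shown on the registration's Endpoints page.
        options.AuthorizationEndpoint = $"{Authority}/oauth2/v2.0/authorize";
        options.TokenEndpoint = $"{Authority}/oauth2/v2.0/token";
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

Re-validate after the change by signing in with a personal account; a work or school account should now be rejected by the consumers authority rather than accepted as it would be under /common/.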

@01binary
Contributor

I failed to sync my fork, so I re-created and re-cloned everything - sorry for the delay.

@KalyanChanumolu-MSFT
Member Author

Thank you @01binary @Rick-Anderson

@fakiriayoub

fakiriayoub commented Jan 12, 2022

I suspected that was configurable (just the constant was hard-coded) but haven't looked there again. The OAuth URL for "Personal Microsoft Accounts Only" is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. You can verify by creating an App Registration with that type, going to its Overview page, and clicking "Endpoints" button. Make sure the App Registration has "signInAudience": "PersonalMicrosoftAccount" in its Manifest, which means it's been created with that Personal type.

Here's what I got:

OAuth 2.0 authorization endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
OAuth 2.0 token endpoint (v2): https://login.microsoftonline.com/consumers/oauth2/v2.0/token
OpenID Connect metadata document: https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration

Good, it works for me, thanks.
