Non-standard redirect address for Login

[KurtP20]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I started with a Blazor Template with Authentication and added MS as an external authentication provider. When I enter the redirect URL https://localhost:7274/signin-oidc on Azure App registration, it get an error AADSTS900971: No reply address provided.

cc: @guardrex dotnet/AspNetCore.Docs#34992

Expected Behavior

I expect that /signin-oidc is the correct return address as mentioned here under Web platform.

Login works if I manually add the return path like:

builder.Services.AddAuthentication(...)
    .AddMicrosoftAccount(microsoftOptions =>
    {
        microsoftOptions.ClientId = builder.Configuration["Authentication:Microsoft:ClientId"];
        microsoftOptions.ClientSecret = builder.Configuration["Authentication:Microsoft:ClientSecret"];
        var tenantId = builder.Configuration["Authentication:Microsoft:TenantId"];
        microsoftOptions.AuthorizationEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize";
        microsoftOptions.TokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
        microsoftOptions.CallbackPath = new PathString("/signin-oidc");
    })
    .AddIdentityCookies();

Maybe the way I specify the TenantId is causing the issue, but I could not find more documentation on this. As far as I can tell, /signin-oidc is not the standard return path.

Steps To Reproduce

• Start from a Blazor Web App template with Authentication,
• add Microsoft.AspNetCore.Authentication.MicrosoftAccount NuGet,
• register https://localhost:7274/signin-oidc as a return address in Azure App registration,
• add Microsoft Authentication provider in Program.cs as stated above.

When logging in, I got the above error.

Here is the repo, just add user secrets: https://github.com/KurtP20/testReturnAdr

Exceptions (if any)

No response

.NET Version

9.0.201

Anything else?

No response

[MackinnonBuck]

Thanks for reaching out.

Rather than using AddMicrosoftAccount, we recommend using AddMicrosoftIdentityWebApp which is part of the Microsoft.Identity.Web package owned by the Entra team who created the doc here that you linked to earlier.

AddMicrosoftAccount uses "/signin-microsoft" as the default callback path while AddMicrosoftIdentityWebApp uses "/signin-oidc". The Entra docs reference "/signin-oidc" because that's what their AddMicrosoftIdentityWebApp API uses.

See our docs at https://learn.microsoft.com/aspnet/core/blazor/security/blazor-web-app-with-entra?view=aspnetcore-9.0. Could you please try this out and let us know if this works?

[dotnet-policy-service]

Hi @KurtP20. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[KurtP20]

Hi @MackinnonBuck. Thanks for pointing me to the right documentation, I upvote for removing the outdated page as suggested by @halter73 here.

I followed the steps described in the docs mentioned above and it seems to work. One thing I noticed was that the Blazor Web App template with Authorization uses builder.Services.AddAuthentication(...).AddIdentityCookies(). When I change that to builder.Services.AddAuthentication(...).AddMicrosoftIdentityWebApp(...).AddIdentityCookies(), I get an error: _'IConfigurationSection' does not contain a definition for 'AddIdentityCookies', so I had to use

builder.Services.AddAuthentication(...).AddMicrosoftIdentityWebApp(...);
builder.Services.AddAuthentication().AddIdentityCookies();

Not sure what AddIdentityCookies does, but since it was in the template, I guess it should stay there. Without it, I get: No sign-out authentication handler is registered for the scheme 'Identity.External'. The registered sign-out schemes are: Cookies, OpenIdConnect. Did you forget to call AddAuthentication().AddCookie("Identity.External",...)?.

Thanks for your support!

[KurtP20]

@MackinnonBuck It turns out I closed the issue prematurely as login with local Identity accounts and external MS Entra did not work as expected. After long hours I found this comment describing that cookieScheme: null is required to let Identity manage the cookies instead of the external provider. Maybe you can add a section to the docs describing how to setup login with Entra and Identity.

This is what worked for me in the end:

// use authBuilder to add MSIdentityWebApp and IdentityCookies on the _same_ authentication builder, else the later call might override the earlier call (not sure this is really necessary)
// Using options.DefaultScheme = OpenIdConnectDefaults.AuthenticationScheme; lets me login with Entra, but not with the local account
// Using options.DefaultScheme = IdentityConstants.ApplicationScheme; lets me login with the local account, but not with Entra
// Using any value for options.DefaultChallengeScheme did not help.
// Using options.DefaultScheme = OpenIdConnectDefaults.AuthenticationScheme; and cookieScheme: null workes for both Entra and local account
var authBuilder = builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = IdentityConstants.ApplicationScheme;
        options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
    });

authBuilder.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"),
                                       cookieScheme: null);
authBuilder.AddIdentityCookies();

Additionally, I misunderstood the docs stating that the ID token should be disabled. I had to enable it as described in this comment. Apparently, the docs are not written for Blazor Web Apps. For me, this was (and still is a bit) confusing.