Microsoft sign in works without redirect url
When I sign in with Microsoft OAuth in my Blazor app, authenticateResult.Succeeded is true, even if I don't specify a redirect URI. It's failing as intended for Google, if I don't add my URI to the OAuth client.
Imo it shouldn't work without that redirect URI, according to the OAuth2.0 spec:
The authorization server MUST require public clients and SHOULD require confidential clients to register their redirection URIs.
I'm using Microsoft.AspNetCore.Authentication.MicrosoftAccount 3.0.3 with .NET Core 3.0
public class ExternalLoginModel : PageModel { public IActionResult OnGetAsync(string externalAuthType, string returnUrl) { var authenticationProperties = new AuthenticationProperties { RedirectUri = Url.Page("./externallogin", pageHandler: "Callback", values: new { returnUrl }), }; return new ChallengeResult(externalAuthType, authenticationProperties); } public async Task<IActionResult> OnGetCallbackAsync( string returnUrl = null, string remoteError = null) { var authenticateResult = await HttpContext.AuthenticateAsync("External"); if (!authenticateResult.Succeeded) // Should be false for Microsoft sign in return BadRequest(); ... return LocalRedirect(returnUrl); } }
With the following added to my Startup:
services.AddAuthentication(o =>
{
o.DefaultSignInScheme = "External";
}).AddCookie("External");
services.AddAuthentication().AddGoogle(google =>
{
google.ClientId = Configuration["Authentication:Google:ClientId"];
google.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
});
services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
{
microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
});
My App's Authentication settings look like this (I'm actually using localhost:12345 in the settings, but that's not what my app is running on..):
Ironically the last sentence might explain it, but I don't even know which flow the MicrosoftAccount library is using and I only get generic documentation when googling.
It fails as intended when using a completely different domain, not localhost with different ports. I guess that's good enough.
Additionally I unchecked "ID token" and "Treat application as a public client", therefore Authorization code flow should be used, to my understanding.
- Fetch access token from authorization header without bearer prefix
- How to sign in .NET 9 or using BouncyCastle 2.6.0
- How to use Windows authentication with the Scaffold-DbContext command?
- Adding Docker Support - "solution file must be located in the same folder or a higher folder..."
- Visual Studio Publish looking for dependent dll in wrong folder
- How to get class library assembly reference in .NET Core project?
- Accessing AutoCAD 2025 with COM Interop results in an error
- AWS gets empty SSM parameter list from LocalStack
- Diagnose a frozen ASP.NET Core process
- Route specific response compression in dotnet core 2 asp .net?
- How to use a custom attribute on an assembly in .NET Core 1.1
- Is changing a parameter from dynamic to object a breaking change?
- How can I simultaneously load 5.0 and 4.7.2 projects in Rider?
- How to know if I running under .NET Framework or .NET Core
- Issue with azure web app runtime stack .NET 6
- .NET 8 C# Soap client not working after upgrading Soap server to use TLS 1.2
- Newly created .msg not sendable
- Create Singleton instance in MEF2
- Activator.CreateInstanceFrom fails on dependencies
- How to call ThenInclude twice in EF Core?
- Conditional per TargetFramework in MsBuild 15
- Unable to install packages using dotnet add package
- Finding expired ssl certificate used by my website in local development
- Determine which .NET Core runtime is needed
- How to get a ReadOnlySpan<byte> from a readonly struct?
- openiddict - "The signing key associated to the specified token was not found"
- How to Unit Test with ActionResult<T>?
- Azure Function under premium plan is raising those warnings; Possible thread pool starvation detected & DrainMode mode enabled
- Optional [FromServices] in an action method?
- Ef Core: ToHashSetAsync()