I've developed a website that will be authenticating users against Azure Active Directory and have seen that on the production webserver which doesn't have https://login.microsoftonline.com/ whitelisted authentication fails with an "Unable to obtain configuration from https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" error. I have always thought that what mattered was for authenticating users to have appropriate access to required AAD endpoints and until now I was missing that also the webserver needs to have access to AAD endpoints to download for example the OpenID configuration document as described here. I was wondering if the OpenID configuration can only be downloaded directly from AAD or if there is the option to download it manually and provided it offline to the website somehow.
==========
Setting of authentication and authorization in the ASP.NET application is as follows:
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options =>
{
// By default, all incoming requests will be authorized according to the default policy.
options.FallbackPolicy = options.DefaultPolicy;
});
and clearly I have my tenant and app registration configured appropriately in the application's appsettings.json file:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "<company>.onmicrosoft.com",
"TenantId": "<my-tenant-id>",
"ClientId": "<my-client-id>",
"CallbackPath": "/signin-oidc",
"ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
"ClientCertificates": []
}
==========
I believe the issue I'm facing is due to the fact that .NET libraries are making calls using HttpClient instances for which webproxy information is not set as I do in my custom code. How can I set webproxy information application wide ?
As suspected, the issue I was facing was indeed that http calls made internally by .NET libraries to the AAD endpoint (https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration) were failing going through our company's web proxies. I had to set the web proxy application-wide by making a call such as the following in my ASP.NET application to solve the immediate failure:
Environment.SetEnvironmentVariable("ALL_PROXY", $"{proxyAddress}:{proxyPort}");
After being able to reach the AAD endpoint, authentication of users started looping forever with a "System.Exception: An error was encountered while handling the remote login. ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application." error being logged in the application event log of my webserver. It proved that on the app registration required for authenticating users against AAD, I had not set the following option in the authentication pane of the app registration: