
I am trying to follow the sample WebApp-WebApi-OIDC, but it gets stuck in an infinite loop during authentication when calling the WebApi. The following code in the MVC TodoListController leads to this weird behavior:

```csharp
// Runs inside the catch (AdalException) block of TodoListController.Index:
// when the "Sign-in required" link (?reauth=True) is clicked, re-challenge OIDC.
if (Request.QueryString["reauth"] == "True") {
    HttpContext.GetOwinContext().Authentication.Challenge(
      new AuthenticationProperties(),
      OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
```

I also tried the SystemWebCookieManager workaround, but it didn't help.

Is there a known bug or am I not implementing it correctly?

Thanks!

Sam

2 Answers


The code sample works well for me. The code you mentioned above is executed when the code catches the AdalException.

Which line of code causes this issue? Did you also get the TokenCache issue in this code sample that you mentioned in this post?

Please ensure that you can acquire the token in TodoListController successfully.

Fei Xue
  • The application works fine for all areas like About, Home, Profile, Contact, Sign in and Sign out, except for the To Do List. When I click this link from the UI, it displays **Sign-in required to view to do list** and a sign-in link. When I click that link, it gets stuck in an infinite loop and never comes back. So I don't think it is the same issue which I had, because Profile and the other areas work fine. – Sam Jan 27 '17 at 16:02
  • Forgot to mention that I am using the suggested ADAL NuGet package version. So I don't think this is the same issue, because it works in other areas which make use of SessionCache and successfully acquire and store the token. – Sam Jan 27 '17 at 16:54
  • After more debugging I found that `result = await authContext.AcquireTokenSilentAsync(todoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));` always fails and throws an exception. The catch block sends it to login and the OIDC middleware returns to the same controller again, and this goes on and on. The inner exception of the base AdalException is _AADSTS65001: The user or administrator has not consented to use the application with ID 'xx-xx'. Send an interactive authorization request for this user and resource._ – Sam Jan 27 '17 at 19:21
  • Got rid of the above error after adding Windows AAD > Read directory data permissions to the website app. Now I am able to acquire the token silently, but the Api call still fails, returning Unauthorized as the status code. – Sam Jan 27 '17 at 20:40
  • Fixed it by changing the Api App ID format used in the web config file. Is storing tokens in Session via NaiveSessionCache OK, or is there a better alternative or design consideration? – Sam Jan 27 '17 at 20:53
  • Glad to hear the issue was resolved. The same problem about the token cache is also well discussed [here](http://stackoverflow.com/questions/41864737/is-it-ok-to-use-naivesessioncache-from-azure-samples-azure-active-directory-open). And it would be very helpful if you could compose the steps as an answer so that other community members who have the same issue could recognize the answer easily. – Fei Xue Jan 30 '17 at 06:49

So these are the steps I took to fix the issue, for anyone interested:

  • I leveraged System.Web cookies instead of relying on the default Owin cookie implementation. Details are here.
  • Make sure you are not referencing the buggy ADAL.net NuGet package. Instead, refer to the version mentioned in this post.
  • Configure proper permissions on the AAD application which is associated with your web app. These are the two I configured:
    • Access TodoListService as a delegated permission.
    • Read directory data for Windows Azure Active Directory as an application permission.
  • Make sure the AppId in the web site's config file for the todo:TodoListResourceid appSettings key matches what you have configured in the AAD application associated with the todoList WebApi service. It should also be the same as what you specified in the VS WebApi project's ida:Audience appSetting. The format which I used is
    https://{tenant}/{appName}
Sam
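The loop in the question comes from the catch block challenging OIDC whenever `?reauth=True` is present while the middleware returns to that same URL, so a silent acquisition that still fails (missing consent, wrong resource or audience id) challenges again. As an added example that is not code from the sample or from either poster, this rewrite of `TodoListController.Index` sends the user back to `Index` without the `reauth` flag and surfaces the ADAL error code, so the error view renders once instead of looping; the `ida:*` config keys and the authority format are assumed to follow the sample's web.config.

```csharp
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
[Authorize]
public class TodoListController : Controller
{
    // Config keys as in the sample's web.config; the authority format (ida:AADInstance with {0} = tenant) is assumed.
    private static readonly string Authority = string.Format(
        ConfigurationManager.AppSettings["ida:AADInstance"], ConfigurationManager.AppSettings["ida:Tenant"]);
    private static readonly string TodoListResourceId = ConfigurationManager.AppSettings["todo:TodoListResourceId"];
    private static readonly ClientCredential Credential = new ClientCredential(
        ConfigurationManager.AppSettings["ida:ClientId"], ConfigurationManager.AppSettings["ida:AppKey"]);
    public async Task<ActionResult> Index()
    {
        string userObjectId = ClaimsPrincipal.Current
            .FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
        // NaiveSessionCache is the sample's own per-user token cache class.
        var authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId));
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                TodoListResourceId, Credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            // Token acquired: call the TodoListService with result.AccessToken as the sample does.
            return View();
        }
        catch (AdalException ex)
        {
            if (Request.QueryString["reauth"] == "True")
            {
                // Return to Index WITHOUT ?reauth=True: if silent acquisition still fails after the
                // interactive sign-in, the error view renders once instead of challenging forever.
                var props = new AuthenticationProperties { RedirectUri = Url.Action("Index", "TodoList") };
                HttpContext.GetOwinContext().Authentication.Challenge(
                    props, OpenIdConnectAuthenticationDefaults.AuthenticationType);
                return new HttpUnauthorizedResult();
            }
            // Surface the ADAL error code and inner AADSTS text (e.g. AADSTS65001 = consent missing).
            ViewBag.ErrorMessage = "AuthorizationRequired";
            ViewBag.AdalError = ex.ErrorCode + ": " + (ex.InnerException != null ? ex.InnerException.Message : ex.Message);
            return View();
        }
    }
}
```

If the silent acquisition succeeds but the API still answers 401, compare the `todo:TodoListResourceId` value against the service's `ida:Audience`, as the accepted steps describe.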