I've built an implementation of IdentityServer4, integrating ASP Identity running ASP.NET Core utilizing the Implicit Flow. (We're changing to a PKCE configuration later on, but whatever.) The application manages user sign-ins across multiple web applications running ASP.NET/AngularJS/OIDC-Client. When running everything locally on IIS Express, everything works as intended. I can log in, log out, silently refresh, life is good. However, after deploying to Azure I get stuck in an infinite redirect loop attempting to log in, and I'm at my wits' end.
The first call to a protected web resource redirects me back to the login service. That's fine. After logging in, I'm sent to the web resource as expected - but, here is where the redirect loop begins.
From the IdentityServer logs on Application Insights I read messages like:

```
Client list checked and origin: "https://webapp.net" is allowed.
CorsPolicyService allowed origin: "https://webapp.net"
Client configuration validation for client "webclient" succeeded.
Token validation success
```
I can see that the claim types and user info contain expected values, and the GET request to `https://loginservice.net/.well-known/openid-configuration` returns OK (with the expected configuration). I've also verified that the access and id tokens are valid, again containing the expected data.

But the POST request to `https://loginservice.net/connect/accesstokenvalidation` still fails with a 404.
The OIDC-Client on my web app is configured like this:
```javascript
vm.userManager = new Oidc.UserManager({
    authority: authorityUrl,
    // all redirect URIs are derived from the current window origin
    redirect_uri: windowLocation + '/callback.html',
    silent_redirect_uri: windowLocation + '/silent.html',
    post_logout_redirect_uri: windowLocation + '/index.html',
    client_id: 'appsimplicit',
    scope: 'openid profile role appsmanagement',
    // implicit flow: id_token and access token returned in the URL fragment
    response_type: 'id_token token',
    revokeAccessTokenOnSignout: true,
    automaticSilentRenew: true,
    filterProtocolClaims: true,
    checkSessionInterval: 2000
});
```
My callback.html looks like this:
```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
</head>
<body>
    <script src="/js/oidc-client.min.js"></script>
    <script>
        // completes the sign-in from the fragment, then returns to the app root
        new Oidc.UserManager().signinRedirectCallback().then(function (user) {
            window.location = window.location.protocol + "//" + window.location.host + "/";
        }).catch(function (err) {
            console.log(err.message);
        });
    </script>
</body>
</html>
```
What can I do to fix this? The same behaviour persists across different browsers: Firefox, Chrome, Edge. I have no idea why it works locally but not deployed to Azure.
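As an added example (not part of the question and not oidc-client's own code), the block below is a stand-alone model of the checks that `signinRedirectCallback()` runs over an implicit-flow response before it hands a user object to the `.then` in callback.html: the response must arrive on the registered redirect URI, the `state` must match a pending sign-in in storage, both tokens named by `response_type` must be present, and the id_token's `iss`, `aud`, `nonce` and `exp` claims must line up. Any one of these throwing is what ends up in the `.catch` and, with the app re-issuing `signinRedirect()`, produces a loop. All names (`processSigninCallback`, `demoSuccess`, `demoOriginMismatch`), the `NOW` timestamp and the token/state values are constructed for the example; signature verification against the provider's JWKS is deliberately left out, which the real library does perform.

```javascript
// Added example, not from the question or from oidc-client-js: a model of the
// checks signinRedirectCallback() performs on an implicit-flow response
// (#id_token=...&access_token=...&state=...). Names and sample values are
// constructed; JWT signature verification is intentionally omitted here.

function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromB64url(s) {
  s = s.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4) s += '=';
  return Buffer.from(s, 'base64').toString('utf8');
}

// Payload only; the signature is NOT checked in this model.
function decodeJwtPayloadUnverified(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  return JSON.parse(fromB64url(parts[1]));
}

// The implicit flow returns the response in the URL fragment, not the query.
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')).entries());
}

// stateStore stands in for the sessionStorage entries that signinRedirect()
// wrote before sending the browser to the authority. Each check throws on
// failure; in the browser that rejection is what callback.html's .catch logs.
function processSigninCallback(url, stateStore, settings, now) {
  const u = new URL(url);
  // 1. The browser must land on the registered redirect_uri (scheme, host, path).
  if (u.origin + u.pathname !== settings.redirect_uri) {
    throw new Error('redirect_uri mismatch: got ' + u.origin + u.pathname);
  }
  const resp = parseFragment(u.hash);
  if (resp.error) throw new Error('provider error: ' + resp.error);
  // 2. state must match a pending sign-in; it is consumed on first use.
  const stored = stateStore[resp.state];
  if (!stored) throw new Error('no matching state in storage');
  delete stateStore[resp.state];
  // 3. Every token named by response_type ("id_token token") must be present.
  if (!resp.id_token) throw new Error('no id_token in response');
  if (settings.response_type.split(' ').includes('token') && !resp.access_token) {
    throw new Error('no access_token in response');
  }
  // 4. id_token claims: issuer, audience, nonce binding and expiry.
  const claims = decodeJwtPayloadUnverified(resp.id_token);
  if (claims.iss !== stored.authority) throw new Error('issuer mismatch: ' + claims.iss);
  if (claims.aud !== stored.client_id) throw new Error('audience mismatch: ' + claims.aud);
  if (claims.nonce !== stored.nonce) throw new Error('nonce mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('id_token expired');
  return { profile: claims, access_token: resp.access_token, expires_at: claims.exp };
}

// Constructed settings mirroring the question's configuration.
const SETTINGS = {
  authority: 'https://loginservice.net',
  client_id: 'appsimplicit',
  redirect_uri: 'https://webapp.net/callback.html',
  response_type: 'id_token token',
};
const NOW = 1700000000; // constructed "current time" (seconds since epoch)

function buildFixture() {
  const stateStore = {
    'st-1': { authority: SETTINGS.authority, client_id: SETTINGS.client_id, nonce: 'n-1' },
  };
  // Constructed, unsigned id_token: header + payload + placeholder signature.
  const idToken = toB64url({ alg: 'RS256', typ: 'JWT' }) + '.' +
    toB64url({ iss: SETTINGS.authority, aud: SETTINGS.client_id, sub: 'user-123',
               nonce: 'n-1', exp: NOW + 300 }) + '.sig';
  const fragment = '#id_token=' + idToken + '&access_token=at-1&token_type=Bearer&state=st-1';
  return { stateStore, fragment };
}

// Happy path: the response lands on the registered redirect_uri.
function demoSuccess() {
  const { stateStore, fragment } = buildFixture();
  return processSigninCallback('https://webapp.net/callback.html' + fragment, stateStore, SETTINGS, NOW);
}

// Failure path: the same response arrives on a different (constructed) host
// than the one the redirect_uri was computed from, so the first check fails
// and the returned message is what callback.html's .catch would log.
function demoOriginMismatch() {
  const { stateStore, fragment } = buildFixture();
  try {
    processSigninCallback('https://webapp.example.net/callback.html' + fragment, stateStore, SETTINGS, NOW);
    return null;
  } catch (e) {
    return e.message;
  }
}
```

Running `demoSuccess()` returns the decoded profile, the access token and the expiry; `demoOriginMismatch()` returns the error message from the first failed check. When debugging a loop like the one described, logging `err.message` from the real `.catch` (as callback.html already does) and comparing it with these four checks narrows down which of them the deployed instance is tripping on.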