
I have an asp.net azure web api site, say myapi.azuresites.net, and my custom domain is myapi.mycompany.net. In my web api, I use owin middleware to validate incoming tokens:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = Constants.AzureActiveDirectoryTenant,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            // These values will be checked against what is received in the access token.
            ValidAudiences = Constants.AzureActiveDirectoryValidAudiences
        },
        // Custom provider derived from OAuthBearerAuthenticationProvider
        Provider = new OAuthBearerAuthenticationProviderEx()
    });

I registered an app under azure AD and added a client secret to it.

  1. From postman, I can get an oauth2 token from Azure AD with the App id and the client secret.

  2. I include this token in the header and send it to my azure web api.

  3. My code uses owin middleware to validate the token.

  4. If I send the request to myapi.mycompany.net, the token validation works.

  5. If I send the request to myapi.azuresites.net, the token validation fails.

I can't really figure out why the token validation fails when calling the azure site directly. If I grab the azure site's web.config down to my local machine, it works there as well. I suspected that my AD app didn't have the right redirect URLs, but I verified that and can't see an obvious issue.

So is there a way to log some information on why authentication fails? As it is a remote azure site, can I trap this failure as an exception and throw something out?

daxu

1 Answer


Although I'm not sure why my AD authentication works now, I did find a way to log owin failures for an azure site. Basically this will log owin information:

<system.diagnostics>
  <trace autoflush="true"/>
  <sources>
    <source name="Microsoft.Owin">
      <listeners>
        <add name="KatanaListener"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="KatanaListener"
         type="System.Diagnostics.TextWriterTraceListener"
         initializeData="d:\home\logfiles\Katana.trace.log"
         traceOutputOptions="ProcessId, DateTime"/>
  </sharedListeners>
  <switches>
    <add name="Microsoft.Owin" value="Verbose"/>
  </switches>
</system.diagnostics>
daxu
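The same OWIN diagnostics can be captured in code rather than through web.config. The following is an added example, not part of the original question or answer: a custom Microsoft.Owin.Logging.ILoggerFactory registered with app.SetLoggerFactory forwards every log entry the Katana middleware writes (including the bearer-token middleware's error entries and the token-validation exception attached to them) to System.Diagnostics.Trace, which App Service writes to the application log when diagnostics logging is enabled. The Microsoft.Owin.Logging types and SetLoggerFactory are real; TraceLoggerFactory, TraceLogger and ConfigureLogging are hypothetical names chosen for this example.

```csharp
// Added example (not the original poster's code). Assumes the Microsoft.Owin
// package (Microsoft.Owin.Logging namespace) and an OWIN Startup class.
using System;
using System.Diagnostics;
using Microsoft.Owin.Logging;
using Owin;

// Hypothetical factory: hands Katana a logger per component name
// (e.g. "Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware").
public class TraceLoggerFactory : ILoggerFactory
{
    public ILogger Create(string name)
    {
        return new TraceLogger(name);
    }

    private sealed class TraceLogger : ILogger
    {
        private readonly string _name;

        public TraceLogger(string name)
        {
            _name = name;
        }

        public bool WriteCore(TraceEventType eventType, int eventId, object state,
                              Exception exception, Func<object, Exception, string> formatter)
        {
            // Katana probes "is this level enabled?" by calling WriteCore with a
            // null formatter; returning true keeps verbose output switched on.
            if (formatter == null)
            {
                return true;
            }

            string message = "[" + _name + "] " + formatter(state, exception);
            if (exception != null)
            {
                // The exception carries the actual validation reason
                // (for example an audience or issuer mismatch), so keep it.
                message += Environment.NewLine + exception;
            }

            switch (eventType)
            {
                case TraceEventType.Critical:
                case TraceEventType.Error:
                    Trace.TraceError(message);
                    break;
                case TraceEventType.Warning:
                    Trace.TraceWarning(message);
                    break;
                default:
                    Trace.TraceInformation(message);
                    break;
            }
            return true;
        }
    }
}

public partial class Startup
{
    // Hypothetical helper; call it before UseWindowsAzureActiveDirectoryBearerAuthentication
    // so the authentication middleware obtains its logger from this factory.
    public void ConfigureLogging(IAppBuilder app)
    {
        app.SetLoggerFactory(new TraceLoggerFactory());
    }
}
```

Because the factory is installed in Startup rather than in web.config, it applies equally when the site is reached through the custom domain and through the azuresites.net host, so the two cases in the question can be compared from the same log stream.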