
I have an ASP.NET Core 3.1 web API application that is protected by Azure Authentication. I also have an Angular 11 application that calls the web API.

They work fine on our integration environment. But authentication fails on the test environment.

The Angular app authenticates fine using msal-angular library, it gets the access token and includes it when calling the web API. But the web API fails to retrieve the identity from the bearer token.

After deleting and recreating both (frontend and backend) Azure APP registrations several times and after reconfiguring them, the authentication still fails. I don't know what is the cause, so this is why I need to diagnose it.

I have enabled JwtBearerMiddlewareDiagnosticsEvents and I can see 'Begin OnAuthenticationFailedAsync' and 'End OnAuthenticationFailedAsync' in the logs. But it isn't enough information. It tells you no more than that the events are raised, no additional information.

I've read the following article in the documentation that tells you how to configure logging in MSAL.NET, but I don't think it's applicable to a web API.

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-logging-dotnet

So the question is: How can I figure out why the authentication is failing? Is there any way to log the cause?

UPDATE:

I'm closer: I set the log level to trace and now I see the following in the log of the ASP.NET Core web API app:

IDX10511: Signature validation failed. Keys tried: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. \nkid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]

UPDATE:

I get the following error:

Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: '242e8f40-d795-43bc-8ac8-8eed3df71745'. Did not match: validationParameters.ValidAudience: 'b99e89fc-8a1c-4605-8c18-796d7064037e' or validationParameters.ValidAudiences: 'null'.

'242e8f40-d795-43bc-8ac8-8eed3df71745' is the AppId on the web api app registration manifest.

'b99e89fc-8a1c-4605-8c18-796d7064037e' is the client id of the web api registration.

The scope is 'api://242e8f40-d795-43bc-8ac8-8eed3df71745/api-access'.

This is how I set the scope:

export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  const protectedResourceMap = new Map<string, Array<string>>();
  protectedResourceMap.set('https://api.example.com/*', ['api://242e8f40-d795-43bc-8ac8-8eed3df71745/api-access']);
  return {
    interactionType: InteractionType.Popup,
    protectedResourceMap
  };
}

export function MSALGuardConfigFactory(): MsalGuardConfiguration {
  return {
    interactionType: InteractionType.Popup,
    authRequest: {
      scopes: ['api://242e8f40-d795-43bc-8ac8-8eed3df71745/api-access']
    },
    loginFailedRoute: '/login-failed'
  };
}
Jesús López
  • I'm wondering, on the working system, if you delete cookies, will the code still work? Can you try building a new system on the working system and see if it works. – jdweng May 13 '21 at 14:01
  • @jdweng it works fine on Chrome incognito window – Jesús López May 13 '21 at 14:03
  • Maybe you need to add an HTTP header (User-Agent) to your request. See : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent?force_isolation=true – jdweng May 13 '21 at 14:08
  • You may also have a TLS issue. Adding a static method call at the beginning of the code sometimes will solve the issue : ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12; – jdweng May 13 '21 at 14:11
  • @jdweng user agent header is sent automatically by Chrome. And I can see it on our logs, we log every request. – Jesús López May 13 '21 at 14:13
  • But not in a C# application unless you set the User-Agent. Do your logs show the User-Agent when using C#? – jdweng May 13 '21 at 14:20
  • @jdweng I'm calling the web api from Angular. I'm not calling any web api from c#. The web api receives the bearer token from Angular, but it fails to retrieve the identity from it – Jesús López May 13 '21 at 14:24
  • What is the Chrome Window connecting to? Is it Angular or the Web Api? – jdweng May 13 '21 at 14:37
  • @jdweng the Chrome window shows an Angular app that calls the web API (ASP.NET Core 3.1) – Jesús López May 13 '21 at 14:45
  • Chrome is calling Angular just like you are doing from c#. The headers in Chrome are different than the default http headers in c#. So you have to make the headers in c# match the Chrome headers. Try using a sniffer like wireshark or fiddler and compare the http headers in Chrome and c#. Also if https (secure is being used) check the TLS version in both Chrome and c#. – jdweng May 13 '21 at 14:56
  • @jdweng Chrome is executing an Angular application. I'm not calling Angular from C#, it makes no sense. I'm not making any web request from C#, so no headers at all – Jesús López May 13 '21 at 14:59
  • From your link I've found sample code that was updated a month ago and uses a token : https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Controllers/HomeController.cs – jdweng May 13 '21 at 15:14
  • I have answered similar questions before, and this is usually an error caused by `scope`. How do you set up the `scope`? – Carl Zhao May 14 '21 at 01:38
  • @CarlZhao : The authentication is working since it works using Chrome and not c#. – jdweng May 14 '21 at 01:50
  • @jdweng I know that the OP does not use C#, but if you want to request a token and call the API, then the scope must be set, isn't it? – Carl Zhao May 14 '21 at 02:00
  • @CarlZhao please see my edit – Jesús López May 14 '21 at 06:23
  • @JesúsLópez Don't use the `api://` prefix, just use `242e8f40-d795-43bc-8ac8-8eed3df71745/api-access`. – Carl Zhao May 14 '21 at 06:32
  • @CarlZhao still the same error – Jesús López May 14 '21 at 06:53
  • Let me confirm with you again: do you have two applications in Azure AD, one is a web API application (242e8f40-d795-43bc-8ac8-8eed3df71745), and then you expose the API of the application, and the other is an Angular 11 application (b99e89fc-8a1c-4605-8c18-796d7064037e) as a client? – Carl Zhao May 14 '21 at 07:01
  • @CarlZhao, I checked the configuration and It was wrong. Now bearer is validated and authenticated. Thank you – Jesús López May 14 '21 at 08:08
  • @CarlZhao : Not at the client. We know the server is configured properly since Chrome is working. So either TLS is failing or an HTTP header is different between Chrome and C#. I don't know if we should believe the exception message is accurate. Most likely the error is being generated by a timeout. So all we really know is that the connection did not complete. – jdweng May 14 '21 at 08:10
  • @JesúsLópez What do you say is wrong? Has your problem been solved? – Carl Zhao May 14 '21 at 08:24
  • @CarlZhao, the configuration was wrong on the web API app. However, after fixing it, and even though I see bearer authenticated and validated logs, context.User.Identity was anonymous. I deleted both app registrations, recreated them once again, reconfigured the Angular and web API apps, deployed, and everything works fine now. Problem solved. I don't know what was wrong though. – Jesús López May 14 '21 at 09:14
  • @JesúsLópez This should be some configuration error, but in short the problem is solved. I summarized our comment and posted it as an answer, and you can accept it to end the thread. – Carl Zhao May 14 '21 at 09:40

1 Answer

Your problem has been solved. The problem is that the configuration of the web API is wrong. You need to create them again and reconfigure.

According to my experience, you need to create two applications in Azure, one representing the web api application and the other representing the client application (ie Angular 11 application).

Then you need to expose the api of the web api application in Azure and add the Angular 11 application as a client application to the web api application.

Finally, when requesting an access token, you need to set the scope to: api://{web api client id}/{scope name}.
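The IDX10214 log line in the question and the scope rule in this answer reduce to one check: the token's aud claim must equal an audience the web API is configured to accept, and in the question the API had been configured with the Angular client id instead of its own. The TypeScript below is an added example, not code from the question, the answer or MSAL; it decodes a constructed, unsigned token offline and reproduces that audience check. The two GUIDs are the ones quoted on the page; the token contents and helper names are assumptions.

```typescript
// Added example (not from the question, the answer or MSAL): an offline
// re-implementation of the audience check behind IDX10214. Signature
// validation is deliberately out of scope; it needs the issuer's signing keys.

const WEB_API_APP_ID = '242e8f40-d795-43bc-8ac8-8eed3df71745';   // web API registration (from the page)
const ANGULAR_CLIENT_ID = 'b99e89fc-8a1c-4605-8c18-796d7064037e'; // Angular client registration (from the page)

type AudienceCheck = { ok: boolean; tokenAudiences: string[]; validAudiences: string[]; message: string };

function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

function base64UrlEncode(value: unknown): string {
  return btoa(JSON.stringify(value)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Audiences a web API should accept for its own registration: the application
// (client) id itself and the api://<id> App ID URI form used in the page's scope string.
function expectedAudiencesFor(webApiAppId: string): string[] {
  return [webApiAppId, `api://${webApiAppId}`];
}

// Decode the payload of a compact JWT and compare its aud claim (string or
// array) with the configured valid audiences, as the JwtBearer middleware does.
function checkAudience(bearerToken: string, validAudiences: string[]): AudienceCheck {
  const parts = bearerToken.split('.');
  if (parts.length !== 3) throw new Error('Not a compact JWT: expected header.payload.signature');
  const payload = JSON.parse(base64UrlDecode(parts[1])) as { aud?: string | string[] };
  const tokenAudiences = Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : [];
  const ok = tokenAudiences.some(a => validAudiences.includes(a));
  const message = ok
    ? `Audience validated: '${tokenAudiences.join("', '")}'`
    : `IDX10214-style failure. Audiences: '${tokenAudiences.join("', '")}'. ` +
      `Did not match: '${validAudiences.join("', '")}'`;
  return { ok, tokenAudiences, validAudiences, message };
}

// Constructed, unsigned sample token (alg none, empty signature) carrying the aud
// value the page's failing log line reports.
function makeSampleToken(aud: string): string {
  return `${base64UrlEncode({ alg: 'none', typ: 'JWT' })}.${base64UrlEncode({ aud, scp: 'api-access' })}.`;
}

// Usage: the API configured with the Angular client id (the question's mistake) vs. corrected.
const token = makeSampleToken(WEB_API_APP_ID);
console.log(checkAudience(token, [ANGULAR_CLIENT_ID]).message);
console.log(checkAudience(token, expectedAudiencesFor(WEB_API_APP_ID)).message);
```

Run against a real token, the same decode-and-compare shows at once whether the aud is the API's GUID or its api:// URI, which decides which value belongs in the API's audience setting.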

Carl Zhao