I'm trying to authenticate a user so that he can use the MS Graph API. I'm using the Integrated Windows Provider method.
When the application is deployed on a server, it doesn't work, because it's using the user of the Application Pool, not the Windows user; which is the normal Core behaviour.
To authenticate with my Windows user, I'm using the impersonation mechanism with this code:
using System.Security.Principal;
using Microsoft.Identity.Client;

var clientApp = PublicClientApplicationBuilder
    .Create(_apiSettings.Value.AzureClientId)
    .WithTenantId(_apiSettings.Value.AzureTenantId)
    .Build();

// Identity of the Windows user authenticated by the request (not the app pool account)
var user = (WindowsIdentity)HttpContext.User.Identity;
AuthenticationResult token = null;

// Run the token request under the caller's Windows token instead of the app pool identity
WindowsIdentity.RunImpersonated(user.AccessToken, () =>
{
    // .Result blocks the thread until the async call completes
    token = clientApp.AcquireTokenByIntegratedWindowsAuth(new string[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl }).ExecuteAsync().Result;
});
Unfortunately, it gives me this error:
System.AggregateException: One or more errors occurred. (There was an error parsing WS-Trust response from the endpoint. This may occur if there is an issue with your ADFS configuration. See https://aka.ms/msal-net-iwa-troubleshooting for more details. Error Message: Federated service at https://... ---> MSAL.NetCore.4.36.2.0.MsalClientException: ErrorCode: parsing_wstrust_response_failed
I'm pretty sure that this error comes from the fact that my app tries to connect to a local proxy (Fiddler) that makes the call to the MS Api, which doesn't like that there is a "man in the middle" and then gives this error.
But what I don't understand is that I removed the connection to the proxy. To connect to the proxy, I had to use the WithHttpClientFactory(IMsalHttpClientFactory) method of PublicClientApplicationBuilder, and set a WebProxy there.
But after I was done testing, I removed this code, and any reference to the proxy.
If I publish the exact same app on my server, without the RunImpersonated section, the app doesn't try to connect to the proxy. But as soon as I put this section of code, it does, and it fails because of security issues.
So, to clarify, with this code, I'm not having the "parsing_wstrust_response_failed" error:
var clientApp = PublicClientApplicationBuilder
    .Create(_apiSettings.Value.AzureClientId)
    .WithTenantId(_apiSettings.Value.AzureTenantId)
    .Build();

// Runs as the Application Pool identity, no impersonation
AuthenticationResult token = clientApp.AcquireTokenByIntegratedWindowsAuth(new string[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl }).ExecuteAsync().Result;
But with this code, I do have the error:
var clientApp = PublicClientApplicationBuilder
    .Create(_apiSettings.Value.AzureClientId)
    .WithTenantId(_apiSettings.Value.AzureTenantId)
    .Build();

var user = (WindowsIdentity)HttpContext.User.Identity;
AuthenticationResult token = null;

// Same call, but executed under the impersonated Windows user
WindowsIdentity.RunImpersonated(user.AccessToken, () =>
{
    token = clientApp.AcquireTokenByIntegratedWindowsAuth(new string[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl }).ExecuteAsync().Result;
});
Why this "WindowsIdentity.RunImpersonated" section would try to connect to a local proxy is a mystery to me.
What can I do?
Thanks!
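As an added example (not the poster's code), one way to take the ambient proxy configuration out of the picture entirely: give MSAL an explicit IMsalHttpClientFactory whose HttpClientHandler has UseProxy = false, so whichever per-user or system proxy settings are in effect for the impersonated account are never consulted, and run the request with RunImpersonatedAsync instead of blocking on .Result. It assumes .NET 5 or later (for RunImpersonatedAsync) and that the proxy pickup comes from the impersonated user's ambient proxy settings, which is a hypothesis, not something the question confirms; the helper and parameter names are placeholders for the poster's _apiSettings values.

```csharp
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Supplies MSAL with an HttpClient that never uses a system or per-user proxy,
// so a locally configured interception proxy cannot sit in the WS-Trust path.
public sealed class NoProxyMsalHttpClientFactory : IMsalHttpClientFactory
{
    // One HttpClient for the app lifetime, as MSAL recommends for custom factories.
    private static readonly HttpClient Client = new HttpClient(new HttpClientHandler
    {
        UseProxy = false,   // ignore WinINET/WinHTTP proxy settings of whichever user is current
        Proxy = null
    });

    public HttpClient GetHttpClient() => Client;
}

public static class GraphTokenHelper
{
    // Hypothetical helper; clientId, tenantId and graphScope stand in for the
    // poster's _apiSettings.Value.* properties.
    public static async Task<AuthenticationResult> AcquireAsImpersonatedUserAsync(
        WindowsIdentity user, string clientId, string tenantId, string graphScope)
    {
        var clientApp = PublicClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithHttpClientFactory(new NoProxyMsalHttpClientFactory())
            .Build();

        // RunImpersonatedAsync (.NET 5+) keeps the impersonation context across
        // the await, so there is no need to block with .Result inside the lambda.
        return await WindowsIdentity.RunImpersonatedAsync(user.AccessToken, () =>
            clientApp.AcquireTokenByIntegratedWindowsAuth(new[] { graphScope })
                     .ExecuteAsync());
    }
}
```

If the parsing_wstrust_response_failed error disappears with this factory in place, the impersonated account's ambient proxy settings were being applied; if it persists, enabling MSAL logging with .WithLogging(...) on the builder shows which federation endpoint the WS-Trust request actually reached.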