I have a problem with the ASP.NET web app I'm developing right now. I added the possibility to log in with a Microsoft account, but the problem is that it doesn't take my custom redirect URL. In my Azure AD application the redirect URL is configured to /Profile, but the request redirect URL it gets from my login button is /signin-microsoft every time.

My authentication in my startup.cs looks like this:

    services.AddAuthentication("Cookies")
        .AddCookie(opt =>
        {
            opt.Cookie.Name = "AuthCookie";
        })
        .AddMicrosoftAccount(opt =>
        {
            opt.SignInScheme = "Cookies";
            opt.AuthorizationEndpoint = _configuration["AzureAd:AuthorizationEndpoint"];
            opt.TokenEndpoint = _configuration["AzureAd:TokenEndpoint"];
            opt.ClientId = _configuration["AzureAd:ClientId"];
            opt.ClientSecret = _configuration["AzureAd:ClientSecret"];
        });

I don't know if this is important, but the options I use in the application settings are:

    "AzureAd": {
        "ClientId": "<clientId>",
        "ClientSecret": "<clientSecret>",
        "AuthorizationEndpoint": "https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/authorize",
        "TokenEndpoint": "https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token"
    }

Of course I entered the correct IDs here.

My Login Controller:

    [HttpGet("microsoft")]
    public async Task<ActionResult> Login(string RedirectUri)
    {
        AuthenticationProperties props = new AuthenticationProperties
        {
            RedirectUri = RedirectUri
        };
        return Challenge(props, MicrosoftAccountDefaults.AuthenticationScheme);
    }

And my login button:

    <NotAuthorized>
        <li class="nav-item">
            <a class="nav-link" href="Login/microsoft?RedirectUri=/Profile">
                Login
            </a>
        </li>
    </NotAuthorized>

As you can see, the redirect parameter should be /profile, and I also set it to this value in the AuthenticationProperties, but when I click the login button the URL is always:
https://login.microsoftonline.com/%5C\<tenantId>/oauth2/v2.0/authorize...&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fsignin-microsoft&...

So why doesn't it take /Profile as the redirect URL?

It is expected that the redirect uri parameter is localhost:5000/Profile

Padrophil

1 Answer

I tried to reproduce the same in my environment.

Make sure to use the following, in this order, in startup.cs:

    app.UseAuthentication();
    //app.UseIdentityServer();
    app.UseAuthorization();

When I configure it the other way:

    app.UseAuthorization();
    app.UseAuthentication();
    //app.UseIdentityServer();

I was continuously redirected to the Microsoft login page even after signing in.

Make sure the redirect has the format below: pattern: "{controller=Home}/{action=Index}/"); i.e.

    RedirectUri = "/home/about"

Or

    RedirectUri = "/home/profile"

Below is the result if the action part is requested directly in the browser.

Always recheck and set the redirects in the portal such that it matches the redirects in your code.

In startup.cs, include the scopes required for the operations.

    public void ConfigureServices(IServiceCollection services)
    {
        …..
        services.AddAuthentication(options =>
        {
            options.DefaultChallengeScheme = MicrosoftAccountDefaults.AuthenticationScheme;
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(option =>
        {
            option.Cookie.Name = ".myAuth"; // optional setting
        })
        .AddMicrosoftAccount(o =>
        {
            o.ClientId = Configuration["microsoftaccount:clientid"];
            o.ClientSecret = Configuration["microsoftaccount:clientsecret"];
            o.SaveTokens = true;
            // Each scope is added as its own entry
            o.Scope.Add("offline_access");
            o.Scope.Add("profile");
            // CallbackPath is a property, so it is assigned rather than called
            o.CallbackPath = "/signin-oidc"; // microsoft-signin
            o.Events = new OAuthEvents()
            {
                OnRemoteFailure = HandleOnRemoteFailure
            };
        })
        …..

    }

The scopes required for delegated API permissions must be granted admin consent.

Then the user is authenticated successfully

If the user is authenticated, only then is it redirected to the specified redirect page/URI.

Reference: How to redirect to particular page after Azure AD Login? - Stack Overflow

kavyaS
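
The Login action in the question copies a query-string value straight into AuthenticationProperties.RedirectUri. The following is an added example, not code from the question or the answer, that restricts that value to app-local paths with Url.IsLocalUrl and notes in comments which setting ends up as the OAuth redirect_uri. The `[Route("Login")]` attribute (inferred from the link `Login/microsoft`) and the `DefaultReturnPath` fallback are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.AspNetCore.Mvc;

// Assumption: the controller is routed under "Login", matching the
// href "Login/microsoft?RedirectUri=/Profile" used by the login button.
[Route("Login")]
public class LoginController : Controller
{
    // Hypothetical fallback used when the supplied target is rejected.
    private const string DefaultReturnPath = "/Profile";

    [HttpGet("microsoft")]
    public IActionResult Login(string redirectUri)
    {
        // redirectUri is caller-controlled (query string). Accept only
        // app-local paths such as "/Profile"; null, absolute URLs and
        // protocol-relative URLs ("//host/path") fall back to the default,
        // so the post-login redirect cannot leave this site.
        string target = Url.IsLocalUrl(redirectUri)
            ? redirectUri
            : DefaultReturnPath;

        var props = new AuthenticationProperties
        {
            // Where the app sends the browser after the handler has
            // processed the sign-in callback. This is not the OAuth
            // redirect_uri parameter in the authorize request.
            RedirectUri = target
        };

        // The Microsoft account handler builds the OAuth redirect_uri from
        // its CallbackPath option ("/signin-microsoft" by default), which is
        // why the authorize URL carries that path instead of /Profile.
        return Challenge(props, MicrosoftAccountDefaults.AuthenticationScheme);
    }
}
```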