
I am trying to get YARP and Microsoft.Identity.Web to play together. But I am getting: invalid_request: the provided value for the input parameter 'redirect_uri' is not valid

It works if I connect Microsoft.Identity.Web to the API directly, so it seems to be a YARP configuration issue or something similar.

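//program.cs
builder.Services.AddControllers();

// Add services to the container.
// The cookie scheme is the default so an already-signed-in browser is recognised on
// every request; OpenID Connect is only used to challenge (redirect to the provider).
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
    .AddOpenIdConnect(config =>
    {
        // After the code flow completes the identity is persisted in the cookie.
        config.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        config.Authority = "https://login.microsoftonline.com/common/v2.0/";
        // Placeholder values; a real client secret belongs in user-secrets, a key
        // vault or environment configuration, never in source control.
        config.ClientId = "client-id";
        config.ClientSecret = "client-secret";
        config.ResponseType = "code";
        config.Scope.Add("custom-scope");
        config.Scope.Add("openid");
        config.Scope.Add("profile");
        // Drop protocol-level claims the application does not use, so they are not
        // carried in the (size-limited) authentication cookie.
        config.ClaimActions.Add(new DeleteClaimAction("s_hash"));
        config.ClaimActions.Add(new DeleteClaimAction("sid"));
        config.ClaimActions.Add(new DeleteClaimAction("auth_time"));
        config.ClaimActions.Add(new DeleteClaimAction("amr"));
        // The handler builds redirect_uri from the incoming request's scheme and
        // host plus this path; that exact absolute URI must be registered for the client.
        config.CallbackPath = "/signin-oidc";
        config.Events.OnTokenValidated += context =>
        {
            var logger = context.HttpContext.RequestServices
                .GetRequiredService<ILoggerFactory>()
                .CreateLogger("TokenValidation");
            // Log only token metadata. The raw token is a credential: writing it to
            // the log at Information level would leak it to anyone with log access.
            var token = context.SecurityToken;
            logger.LogDebug("Upstream token validated: issuer={Issuer}, validTo={ValidTo:O}",
                token.Issuer, token.ValidTo);
            return Task.CompletedTask;
        };
    })
    .AddCookie(x => x.LoginPath = "/login");
builder.Services.AddAuthorization();


builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
    .AddTransforms(context =>
    {
        // Strip the browser's cookies (including the auth cookie) before the request
        // is forwarded, so the backend never receives the gateway's session cookie.
        context.RequestTransforms.Add(new RequestHeaderRemoveTransform("Cookie"));
    });

var app = builder.Build();

// Configure the HTTP request pipeline.

app.UseHttpsRedirection();

// Authentication/authorization must run before the proxy endpoints so that a
// route's AuthorizationPolicy is enforced on proxied requests.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.MapReverseProxy();

app.Run();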

Azure client config: (screenshot not reproduced here)

YARP config:

ReverseProxy:
  Routes:
    # Only this exact path is protected: the "default" AuthorizationPolicy requires
    # an authenticated user before the request is forwarded.
    api-locked:
      ClusterId: apiservice
      AuthorizationPolicy: default
      Match:
        Path: "/api/v1/about"
    # Catch-all for everything else under /api/. No AuthorizationPolicy is set here,
    # so nothing in this config requires authentication for those paths.
    apiservice:
      ClusterId: apiservice
      Match:
        Path: "/api/{**catch-all}"
  Clusters:
    apiservice:
      Destinations:
        apiservice-1:
          Address: https://localhost:7148/

browser url: https://login.live.com/oauth20_authorize.srf?client_id=client-id&scope=openid+profile+custom-scope&redirect_uri=https://localhost:7064/signin-oidc&response_type=code&state=...

  • I checked the clientId and the secret; both seem correct.
  • The redirect URL is registered for the client.
  • I get the login page and can put in my email but then I get the error

What am I missing?

