
IDX40001: Issuer: 'https://tenantname.b2clogin.com/tenantId/v2.0/', does not match any of the valid issuers provided for this application. #51005

Closed
1 task done
akhanalcs opened this issue Sep 29, 2023 · 6 comments
Assignees
Labels: area-identity (Includes: Identity and providers), bug (This issue describes a behavior which is not expected - a bug.)
Milestone

Comments

@akhanalcs

akhanalcs commented Sep 29, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Experience setting up Auth using Azure AD B2C in a .NET 8 Blazor Web App has been very painful.
The docs are all over the place. Had to piece together information from so many places and still couldn't make it work. 😩


Problem

I've been trying to set up my .NET 8 Blazor Web App (Server side) to connect to Azure AD B2C to log in users and call a secured API.
I have pieced together instructions mostly from here, here and here.

The web app launches, takes me to the login page and lets me enter my credentials:

After I hit "Sign In", it just keeps on spinning and spinning on this url:

https://munsonpickles3.b2clogin.com/munsonpickles3.onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/authorize?client_id=171b3d8f-8ff1-48b7-a5be-31b0413929ee&redirect_uri=https%3A%2F%2Flocalhost%3A7032%2Fsignin-oidc&response_type=code&scope=openid%20profile%20offline_access%20https%3A%2F%2Fmunsonpickles3.onmicrosoft.com%2Fmunson-api%2Fread&code_challenge=abcDe8FGl6jNrCyWPls56yaKjYuohGtD6vUpSgJe6nA&code_challenge_method=S256&response_mode=form_post&nonce=638123410660191340.YjRmNjYkOTOtN2IkNi00YzgxLTg0ZGEtMTRjNTIxZjcxOWJhMzYwZDk1ZDItOGIxNy00NTRiLThiMzgtOWM2MmVkZTlhYjc1&client_info=1&x-client-brkrver=IDWeb.2.14.0.0&state=CfDJ8L8UGyfUjDBErg6qYS34nXD3E0mLxkSA-InrXSkiEcmt8_eHquvuIC-GnidwO47o_SdGzL58675xXvBYP49rsnKjKti0bUUM1FvXyK5N7-AnYGdzo9SqoahAP5Ps7ykpi93LFX-Uis3xf068-S61dmuEn-8FmIKR3TOxzYJrKxAbG6dbymelCxbJ8xpESofmPRBQ9yKCi4flT8yTOFBtOszKtg2GTmxy9MMeX3edKDxpuTniV4YNXzzw-NpSL7DRHRLYSpbrOasGhk_dUrY0WWL3CY_43FmiKUSLiO60JheXpqYL_D53MA6nf0InABDhmkBNroqZgo7Qnv2hpgXSefZOLNgWkdcyTY8Pe-ZvCPX0ncBfkgqFFmQCNjXip-j0PnjRDLgHlldx70qi9ecSKdXgqvuW8a17QjrrEDAHUSCU&x-client-SKU=ID_NET8_0&x-client-ver=7.0.0.0

And ultimately ends up like this on the redirect url (notice the number of cookies it tried to set, which gets too long and runs into a 431 error):

The console of my IDE shows this error:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX40001: Issuer: 'https://munsonpickles3.b2clogin.com/f6c04159-d728-43cd-8ae1-c1f3793844d5/v2.0/', does not match any of the valid issuers provided for this application.

I then checked all the config in my appsettings.json which seems to match what's in the App registration in my AADB2C directory.

  "AzureAdB2C": {
    "Instance": "https://munsonpickles3.b2clogin.com/",
    "Domain": "munsonpickles3.onmicrosoft.com",
    "ClientId": "12345d8f-8ff1-48b7-a5be-31b041312345",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "12345~6MzNJ3yk.YTq9iP51R1niJFWuxaGx12345",
    "SignedOutCallbackPath": "/signout/B2C_1_SignUpSignIn",
    "SignUpSignInPolicyId": "B2C_1_SignUpSignIn",
    "ResetPasswordPolicyId": "",
    "EditProfilePolicyId": ""
  }

The redirect urls are also set correctly:

I ran the flow by pointing the redirect url to jwt.ms, and looked at the Issuer which is the same one that the app is complaining about:

Issuer: 'https://munsonpickles3.b2clogin.com/f6c04159-d728-43cd-8ae1-c1f3793844d5/v2.0/', does not match any of the valid issuers provided for this application.

I have followed all the steps by going through all the docs I could find, but after spending 2 days on this, I think I need help.

Please take a look at my full source code to see if you can find something.

Expected Behavior

The app should connect to Azure AD B2C, authenticate the user, get the token, log in the user and redirect to homepage.

Steps To Reproduce

Full Source Code:
https://github.com/affableashish/blazor-server-aadb2c

There are 2 projects: one created on net7.0 and the other on net8.0. The net7.0 project works fine. As for the net8.0 project, you can hook up your own AD B2C info in its appsettings.json and give it a try, which will fail with the error I've reported here.

Exceptions (if any)

fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX40001: Issuer: 'https://munsonpickles3.b2clogin.com/f6c04159-d728-43cd-8ae1-c1f3793844d5/v2.0/', does not match any of the valid issuers provided for this application. 
fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[17]
      Exception occurred while processing message.
      Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX40001: Issuer: 'https://munsonpickles3.b2clogin.com/f6c04159-d728-43cd-8ae1-c1f3793844d5/v2.0/', does not match any of the valid issuers provided for this application. 
         at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
         at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

.NET Version

8.0.100-preview.7.23376.3

PII Logs

info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10242: Security token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsiLCJ0eXAiOiJKV1QifQ.eyJ2ZXIiOiIxLjAiLCJpc3MiOiJodHRwczovL211bnNvbnBpY2ts12345mIyY2xvZ2luLmNvbS9mNmMwNDE1OS1kNzI4LTQzY2QtOGFlMS1jMWYzNzkzODQ0ZDUvdjIuMC8iLCJzdWIiOiJjMDg1NTY2My02NjBiLTQ0YTEtOTkwNC00MzM5ZjVlNWU5YTIiLCJhdWQiOiIxNzFiM2Q4Zi04ZmYxLTQ4YjctYTViZS0zMWIwNDEzOTU1ZWUiLCJleHAiOjE2OTYwMj12345sIm5vbmNlIjoiNjM4MzE2MTYxODUxNzIwNjIwLk9UUmtNR0V5WTJRdFlUazROQzAwTjJRMUxUZzVZalV0TnpobU5EZ3dZekZsTlRRM1pHRmpNbVkxT1RRdE9XWTJOaTAwTWpaaUxUaGxaREF0WVRnd1pUYzBNekk0TVdGbCIsImlhdCI6MTY5NjAxOTM4NSwiYXV0aF90aW1lIjoxNjk2MDE5Mzg1LCJjb3VudHJ5IjoiVW5pdGVkIFN0YXRlcyIsIm5hbWUiOiJBc2hpc2ggS2hhbmFsIiwidGZwIjoiQjJDXzFfU2lnblVwU2lnbkluIiwibmJmIjoxNjk2MDE5Mzg1fQ' has a valid signature.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: '12345d8f-8ff1-48b7-a5be-31b041312345'
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX40001: Issuer: 'https://munsonpickles3.b2clogin.com/f6c04159-d728-43cd-8ae1-c1f3793844d5/v2.0/', does not match any of the valid issuers provided for this application. 
fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[17]
      Exception occurred while processing message.
      Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX40001: Issuer: 'https://munsonpickles3.b2clogin.com/f6c04159-d728-43cd-8ae1-c1f3793844d5/v2.0/', does not match any of the valid issuers provided for this application. 
         at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
         at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

Anything else?

Also asked a Stack Overflow question about this.

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-blazor Includes: Blazor, Razor Components label Sep 29, 2023
@akhanalcs
Author

akhanalcs commented Sep 29, 2023

Hi @danroth27 ,
Could you please help with this issue?


Update 9/29/23:

Looks like the problem is with .NET 8 Blazor app.

I created a brand new Blazor Server project with this CLI command:
dotnet new blazorserver -au IndividualB2C -o blazor.server.net7 which created my project in net7.0. I then hooked up my B2C to it and it all worked fine ✨.

Full source code here:
https://github.com/affableashish/blazor-server-aadb2c/tree/main/blazor.server.net7

But when I changed it to .NET 8, I ran into this error:

I then wanted to create a new net8.0 project using a similar command to get the auth setup for me (-au IndividualB2C) but looks like it doesn't exist for .NET 8 yet:

Also Visual Studio Version 17.8.0 Preview 2.0 doesn't present any window to choose Authentication type.

So I created a new net8.0 project using Rider (I'm on a Mac).
I added the necessary nuget packages and copied Auth setup from the net7.0 project.
The issue persists.

Full source code here:
https://github.com/affableashish/blazor-server-aadb2c/tree/main/blazor.server.net8

@dieterdp

dieterdp commented Oct 1, 2023

Hello

I have the same problem, migrating a .NET 7 to .NET 8 RC, using Rider on Mac. Same problem when I use VSCode to start the application. After logging in I get the following message in my API project:

Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX40001: Issuer: 'https://....b2clogin.com/......./v2.0/', does not match any of the valid issuers provided for this application.

Dieter

@ashsubedi

@affableashish I'm also facing the same issue

@mkArtakMSFT mkArtakMSFT added area-identity Includes: Identity and providers bug This issue describes a behavior which is not expected - a bug. and removed area-blazor Includes: Blazor, Razor Components labels Oct 10, 2023
@mkArtakMSFT mkArtakMSFT added this to the 8.0.0 milestone Oct 10, 2023
@kijanawoodard

I believe this is a .net 8 specific issue, but I think I have a workaround.

Tl;dr - set the IssuerValidator

Insecure, but hopefully quite temporary implementation (accepts any issuer):

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.IssuerValidator =
        (string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) => issuer;
});

More robust version in the code linked below:

AzureAD/microsoft-identity-web#168 (comment)

led to

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-2-AnyOrg#how-to-restrict-users-from-specific-organizations-from-signing-in-your-web-app

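As an added illustration (not code from any commenter in this thread, nor from the linked samples), here is the same IssuerValidator hook pinned to the B2C tenant's issuer instead of accepting any issuer. `tenantName`, `tenantId` and the placeholder GUID are assumptions you replace with your own directory values, and the Configure call is assumed to run after `AddMicrosoftIdentityWebApp` so that it overrides the options that call sets up:

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed values: the b2clogin.com prefix of your tenant and its directory (tenant) ID.
const string tenantName = "contoso";                              // placeholder
const string tenantId   = "00000000-0000-0000-0000-000000000000"; // placeholder

// B2C tokens carry iss = https://{tenant}.b2clogin.com/{tenantId}/v2.0/, as the IDX40001 text shows.
var expectedIssuer = $"https://{tenantName}.b2clogin.com/{tenantId}/v2.0/";

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.ValidIssuer = expectedIssuer;

    options.TokenValidationParameters.IssuerValidator =
        (string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) =>
        {
            // Trailing-slash tolerance is a deliberate choice here; the comparison is otherwise
            // exact and case-sensitive so that only the configured issuer(s) are accepted.
            static string Normalise(string s) => s.TrimEnd('/');

            var accepted = new[] { validationParameters.ValidIssuer }
                .Concat(validationParameters.ValidIssuers ?? Enumerable.Empty<string>())
                .Where(i => !string.IsNullOrEmpty(i))
                .Select(Normalise);

            if (!string.IsNullOrEmpty(issuer) &&
                accepted.Any(i => string.Equals(i, Normalise(issuer), StringComparison.Ordinal)))
            {
                return issuer; // returning the issuer signals success to the token handler
            }

            // Same exception type the default validator throws, so the OIDC handler logs it the same way.
            throw new SecurityTokenInvalidIssuerException(
                $"IDX40001: Issuer '{issuer}' is not the configured Azure AD B2C issuer.");
        };
});

var app = builder.Build();
```

Tokens from any other tenant or policy endpoint are rejected with the same exception seen in the logs above, while the expected B2C issuer passes.
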
@halter73
Member

I submitted a PR to fix this at AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2361. In the meantime, another workaround is the following to go back to pre-.NET 8 behavior:

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.UseSecurityTokenValidator = true;
});

There's a breaking change announcement at aspnet/Announcements#508 that lists this as one of the workarounds, but this was not a scenario that should have broken.

@akhanalcs
Author

@halter73 Thank you!

mkArtakMSFT added a commit that referenced this issue Oct 18, 2023
…kages to the latest patch release (7.0.3 & 2.15.2) (#51430)

# Update the Microsoft.IdentityModel.* and Microsoft.Identity.Web.* packages to the latest patch release (7.0.3 & 2.15.2)

Update the reference to the Microsoft.IdentityModel.* and Microsoft.Identity.Web.* packages so that we don't regress AAD authentication scenarios for web apps.

## Description

We've hit an issue with AAD authentication in ASP.NET Core web apps, which was resulting in errors during login. This was due to an issue in the IdentityModel package, for which @halter73 has proposed a fix: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2361
The Identity team has approved the fix and has released a new package to NuGet so that we can update our dependency and **avoid the regression in 8.0**.

Please note that this change will have to include the source-build change as well: dotnet/source-build-externals#228

Fixes #51005

## Customer Impact

Customers who will try to use AAD authentication for their ASP.NET Core web applications in 8.0 will fail to login.

## Regression?

- [x] Yes
- [ ] No

This was technically an existing bug, which was already in the IdentityModel package; however, only after a recent change (#49542) has the issue surfaced, impacting 8.0 apps.
 
## Risk

- [ ] High
- [ ] Medium
- [x] Low

From our point of view this is a dependency update. And the dependency has taken only a targeted fix to avoid the bug, going through all the necessary validation on the AAD side.

## Verification

- [x] Manual (required)
- [ ] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
renovate bot added a commit to orso-co/Orso.Arpa.Api that referenced this issue Oct 20, 2023
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [System.IdentityModel.Tokens.Jwt](https://togithub.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) | `7.0.2` -> `7.0.3` | [![age](https://developer.mend.io/api/mc/badges/age/nuget/System.IdentityModel.Tokens.Jwt/7.0.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/nuget/System.IdentityModel.Tokens.Jwt/7.0.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/nuget/System.IdentityModel.Tokens.Jwt/7.0.2/7.0.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/nuget/System.IdentityModel.Tokens.Jwt/7.0.2/7.0.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>

<summary>AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)</summary>

### [`v7.0.3`](https://togithub.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/HEAD/CHANGELOG.md#703)

[Compare Source](https://togithub.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/7.0.2...7.0.3)

##### Bug Fixes:

- Fix errors like the following reported by multiple customers at
[dotnet/aspnetcore#51005](https://togithub.com/dotnet/aspnetcore/issues/51005)
when they tried to upgrade their app using `AddMicrosoftIdentityWebApp`
to .NET 8. See
[PR](https://togithub.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2361)
for details.
- Fix compatibility issue with 6x when claims are a bool. See issue
[#2354](https://togithub.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2354)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 10pm every weekday,every
weekend,before 5am every weekday" in timezone Europe/Berlin, Automerge -
At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/orso-co/Orso.Arpa.Api).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@ghost ghost locked as resolved and limited conversation to collaborators Nov 17, 2023