ADB2C SSO giving ASPNETCORE ENV error when trying to sign in. [Bug]

[KurtDebzz]

Which version of Microsoft Identity Web are you using?

Microsoft Identity Web 1.1.0

Where is the issue?

• Web app
  • Sign-in users
  • Sign-in users and call web APIs
• Web API
  • Protected web APIs (validating tokens)
  • Protected web APIs (validating scopes)
  • Protected web APIs call downstream web APIs
• Token cache serialization
  • In-memory caches
  • Session caches
  • Distributed caches
• Other (please describe)

Is this a new or an existing app?

This is a new app or an experiment.

I have been experimenting with ADB2C using .NET Core, in order to implement it in our company's future products, however, I came across this issue. I mistakenly misconfigured my app so that it uses Auth Code Flow without ticking the ID Token / Access Token from the portal, and obviously, it didn't work. What is confusing about this is that I was getting redirecting by /signin-oidc endpoint to an error page which is managed by Microsoft Identity Web - */MicrosoftIdentity/Account/Error. The error that was displayed by this error page is completely misleading and I spent hours debugging both my application and Azure's configuration before I eventually found out what the problem is.

The error that was being displayed is:

When I checked the launchsettings.json, everything was set-up correctly, as it can be seen below:

{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:21020",
      "sslPort": 44330
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development",
        "ASPNETCORE_HOSTINGSTARTUPASSEMBLIES": "Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation"
      }
    },
    "WebApplication3": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Production",
        "ASPNETCORE_HOSTINGSTARTUPASSEMBLIES": "Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation"
      },
      "dotnetRunMessages": "true",
      "applicationUrl": "https://localhost:5001;http://localhost:5000"
    }
  }
}

I was able to view the actual issue by going to my Network and in the form data being passed by the signin-oidc endpoint, there was an exception that was being thrown by ADB2C itself.

Expected behavior
I expected that the error message would be clearly explained by ADB2C instead of it being hidden the way it is currently. I understand that this might be a security concern, however, the error message does not help in identifying what the issue is. So something along the lines of "An ADB2C configuration exception has occurred" would have been a great help here.

Actual behavior
An incorrect error is being displayed instead.

Error:
An error occurred while processing your request.
Development Mode
Swapping to Development environment will display more detailed information about the error that occurred.
Development environment should not be enabled in deployed applications, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the ASPNETCORE_ENVIRONMENT environment variable to Development, and restarting the application.

Is there something that could have been done from my end or is this simply an issue, and if so are there any plans on this being fixed at any point?

[jennyf19]

@Tratcher suggestions on how we can improve this? If in development mode, the error message is clear, and the page can be overridden, but for a default, out-of-the-box, prod message, is there something better we can do?

[Tratcher]

The production error page intentionally does not discuss implementation details like this for the reasons it says above. The error would have still been reported in the server logs though. The error page should mention checking the server logs before it recommends enabling development mode. I'll file an issue for that. (dotnet/aspnetcore#33055)

[KurtDebzz]

So if this happens again in the future, the error message should indicate that there was an issue from ADB2C or otherwise? And in what version should I expect this to work, please?

[jmprieur]

@Kuhnsta : in 1.12.0 (see Milestone)

[danielwgrech]

I think the actual problem here is that the page reported by @KurtDebzz is displayed even when the environment is "Development". It's like the same message is always displayed, regardless whether the environment is Development or Production. It does not seem to be reading the ASPNETCORE_ENVIRONMENT value correctly.

[jennyf19]

@danielwgrech I don't see it when in Development, only when in Production. Both web app and web API need to be in Development in the launch settings. Can you share yours where you are able to repro this? Regardless we'll still update the error message. thx.

[danielwgrech]

@jennyf19 can you please share a screenshot of what you see instead of that page when you have a Development environment? Also, any easy hint on how to screw up our ADB2C integration on purpose to generate the issue? @KurtDebzz will be sharing the sample project once he manages to regenerate the issue. Thanks!

[KurtDebzz]

@jennyf19 I have been able to generate this issue by inserting an incorrect ClientSecret value in my appsettings.json file. This had the same behavior as the one explained above with the sole difference that no error message was being sent in the form data of the /signin-oidc endpoint.

launchSettings.json

Error page - Url: localhost/MicrosoftIdentity/Account/Error

You can also view this project by going to https://github.com/KurtDebzz/ADB2CWebApp.

[jmprieur]

@jennyf19 I'll leave this one open for the moment.

[jmprieur]

@Tratcher : do you have any idea?

[Tratcher]

Are they hitting this code path?

microsoft-identity-web/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs

Line 95 in bba91c4

context.Response.Redirect($"{context.Request.PathBase}/MicrosoftIdentity/Account/Error");

[KurtDebzz]

Any updates on this, please?

[Ponant]

@Tratcher , yes

[Tratcher]

The ILoginErrorAccessor used to flow that message to the error page is somewhat complicated.

microsoft-identity-web/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs

Lines 93 to 95 in bba91c4

	_errorAccessor.SetMessage(context.HttpContext, message);
	context.Response.Redirect($"{context.Request.PathBase}/MicrosoftIdentity/Account/Error");

microsoft-identity-web/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Pages/Account/Error.cshtml

Lines 17 to 21 in 2729101

	@if (Model.Error.IsEnabled)
	{
	<h3>Details</h3>
	<p>@Model.Error.GetMessage(HttpContext)</p>
	}

microsoft-identity-web/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Pages/Account/Error.cshtml.cs

Line 43 in 2729101

public ILoginErrorAccessor Error { get; }

It also requires ITempDataDictionaryFactory

microsoft-identity-web/src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilderExtensions.cs

Lines 251 to 265 in 0e8a08d

	builder.Services.TryAddSingleton<ILoginErrorAccessor>(ctx =>
	{
	// ITempDataDictionaryFactory is not always available, so we don't require it
	var tempFactory = ctx.GetService<ITempDataDictionaryFactory>();
	var env = ctx.GetService<IHostEnvironment>(); // ex. Azure Functions will not have an env.
	if (env != null)
	{
	return TempDataLoginErrorAccessor.Create(tempFactory, env.IsDevelopment());
	}
	else
	{
	return TempDataLoginErrorAccessor.Create(tempFactory, false);
	}
	});

microsoft-identity-web/src/Microsoft.Identity.Web/TempDataLoginErrorAccessor.cs

Lines 24 to 31 in 0e8a08d

	if (!isDevelopment || factory is null)
	{
	return new EmptyLoginErrorAccessor();
	}
	else
	{
	return new TempDataLoginErrorAccessor(factory);
	}

ITempDataDictionaryFactory isn't registered unless you're using MVC
https://github.com/dotnet/aspnetcore/blob/b849efe77a282c4fd0baf460d68142d89a1b874d/src/Mvc/Mvc.ViewFeatures/src/DependencyInjection/MvcViewFeaturesMvcCoreBuilderExtensions.cs#L259
https://github.com/dotnet/aspnetcore/blob/b849efe77a282c4fd0baf460d68142d89a1b874d/src/Mvc/Mvc.ViewFeatures/src/DependencyInjection/MvcViewFeaturesMvcCoreBuilderExtensions.cs#L49

And the default implementation depends on cookies which can be temperamental in a sign-on flow due to issues like SameSite.
https://github.com/dotnet/aspnetcore/blob/b849efe77a282c4fd0baf460d68142d89a1b874d/src/Mvc/Mvc.ViewFeatures/src/DependencyInjection/MvcViewFeaturesMvcCoreBuilderExtensions.cs#L249
https://github.com/dotnet/aspnetcore/blob/b849efe77a282c4fd0baf460d68142d89a1b874d/src/Mvc/Mvc.ViewFeatures/src/CookieTempDataProviderOptions.cs#L21-L26

[Ponant]

The PR #1468 allows in version 1.18.0 to define an Microsoft.IdentityOptions.ErrorPath to override /MicrosoftIdentity/Account/Error. The same for an ResetPasswordPath.
It does not solve this issue completely , but it should help in decoupling the UI library from the Web one.

[jennyf19]

closing as mostly addressed by @Ponant in linked PR above.