
Unable to use multiple OpenId authentication options using AddMicrosoftIdentityWebApp #30472

Closed
wmmihaa opened this issue Feb 25, 2021 · 5 comments
Labels
  • area-auth: Includes: Authn, Authz, OAuth, OIDC, Bearer
  • External: This is an issue in a component not contained in this repository. It is open for tracking purposes.

Comments

@wmmihaa

wmmihaa commented Feb 25, 2021

I have a web app which needs to support authentication using multiple AADs, but if I add more than one, every challenge gets routed to the same login provider (the last one added in ConfigureServices).

appsettings.json:

{
  "azuread1": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "azuread1.onmicrosoft.com",
    "TenantId": "xxxxx",
    "ClientId": "xxxxxx",
    "ClientSecret": "xxxxx",
    "CallbackPath": "/signin-oidc/azuread1",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "azuread2": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "azuread2.onmicrosoft.com",
    "TenantId": "yyyyy",
    "ClientId": "yyyyy",
    "ClientSecret": "yyyyy",
    "CallbackPath": "/signin-oidc/azuread2",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  }
}

Startup.cs:

using Microsoft.AspNetCore.Authentication;
using Microsoft.Identity.Web;

// One AuthenticationBuilder, two named OpenID Connect schemes bound from the sections above.
// cookieScheme is null so Microsoft.Identity.Web adds no cookie handler of its own;
// sign-in goes through ASP.NET Core Identity's external cookie instead.
var authBuilder = services.AddAuthentication();
authBuilder.AddMicrosoftIdentityWebApp(Configuration.GetSection("azuread1"), "azuread1", null);
authBuilder.AddMicrosoftIdentityWebApp(Configuration.GetSection("azuread2"), "azuread2", null);

ExternalLogin.cshtml.cs (from scaffolding)

// Razor Page handler from the Identity scaffolding: 'provider' is the
// authentication scheme name ("azuread1" or "azuread2") the user clicked.
public IActionResult OnPost(string provider, string returnUrl = null)
{
    var redirectUrl = Url.Page("./ExternalLogin", pageHandler: "Callback", values: new { returnUrl });
    var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    return new ChallengeResult(provider, properties);
}

Scenarios (To Reproduce)

When running the application and logging in, I get to select from two OpenIdConnect buttons (it is sad that I can't set the display name, but that is another story).

  • Logging in using the azuread1 provider with an azuread1 account - FAILS, as the account is not available in the azuread1 AAD (I will always get routed to azuread2).
  • Logging in using the azuread2 provider with an azuread1 account - FAILS, as the account is not available in the azuread1 AAD.
  • Logging in using the azuread1 provider with an azuread2 account - WORKS, which is kinda weird.
  • Logging in using the azuread1 provider with an azuread2 account - FAILS.

I've made a short video to better explain the scenario and issue.
https://youtu.be/SSuciNOnt-0

Further technical details

  • ASP.NET Core version: 5.0 & 3.1
  • Include the output of dotnet --info
❯ dotnet --info
.NET SDK (reflecting any global.json):
 Version:   5.0.103
 Commit:    72dec52dbd

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19041
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\5.0.103\

Host (useful for support):
  Version: 5.0.3
  Commit:  c636bbdc8a

.NET SDKs installed:
  2.1.202 [C:\Program Files\dotnet\sdk]
  2.1.509 [C:\Program Files\dotnet\sdk]
  2.1.513 [C:\Program Files\dotnet\sdk]
  2.1.805 [C:\Program Files\dotnet\sdk]
  2.2.109 [C:\Program Files\dotnet\sdk]
  3.1.100 [C:\Program Files\dotnet\sdk]
  5.0.102 [C:\Program Files\dotnet\sdk]
  5.0.103 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.25 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.25 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.25 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.12 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  • The IDE: VS 2019 (16.8.6)
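Added example, not code from this issue or from Microsoft.Identity.Web: the same two-tenant setup expressed with the built-in ASP.NET Core OpenID Connect handler (Microsoft.AspNetCore.Authentication.OpenIdConnect), which keeps a separate named OpenIdConnectOptions per scheme, plus a check that resolves each scheme's named options so you can see whether the registrations really are distinct. The AddTenantScheme helper, the DescribeSchemes diagnostic, the v2.0 authority and issuer format, the display names and the per-scheme sign-out path are assumptions; the configuration keys are the ones from the appsettings.json above. If DescribeSchemes reports the same Authority and ClientId for both schemes, the two registrations have collapsed into one, which would produce the reported symptom of every challenge landing on the last tenant registered.

```csharp
// Added example (not from the issue): two OpenID Connect schemes, one per AAD tenant,
// registered with the built-in ASP.NET Core handler, and a diagnostic that reads the
// named options back out of DI. Helper names and URL formats are assumptions.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public static class MultiTenantOidc
{
    // One scheme per tenant. CallbackPath and SignedOutCallbackPath must be unique per
    // scheme: the authentication middleware asks each remote handler in registration
    // order whether the request is its callback, and the first match wins. Sharing
    // "/signout-callback-oidc" between both tenants (as in the posted appsettings.json)
    // means the first registered scheme services sign-out callbacks for both.
    public static AuthenticationBuilder AddTenantScheme(
        this AuthenticationBuilder builder, IConfigurationSection section, string scheme, string displayName)
    {
        var tenantId = section["TenantId"];
        return builder.AddOpenIdConnect(scheme, displayName, options =>
        {
            // Assumed v2.0 authority: https://login.microsoftonline.com/{tenant}/v2.0
            options.Authority = section["Instance"].TrimEnd('/') + "/" + tenantId + "/v2.0";
            options.ClientId = section["ClientId"];
            options.ClientSecret = section["ClientSecret"];
            options.CallbackPath = section["CallbackPath"];                       // unique per scheme
            options.SignedOutCallbackPath = "/signout-callback-oidc/" + scheme;     // assumed: unique per scheme
            options.ResponseType = "code";

            // Hand the identity to ASP.NET Core Identity's external cookie so the scaffolded
            // ExternalLogin page (SignInManager.GetExternalLoginInfoAsync) can complete sign-in.
            options.SignInScheme = IdentityConstants.ExternalScheme;

            // Pin the issuer to this tenant. Without this, a token minted by the other tenant
            // would still validate if it reached this scheme's callback.
            options.TokenValidationParameters.ValidIssuer =
                "https://login.microsoftonline.com/" + tenantId + "/v2.0";
        });
    }

    // Wire both tenants onto the same AuthenticationBuilder.
    public static void ConfigureServices(IServiceCollection services, IConfiguration configuration)
    {
        var auth = services.AddAuthentication();
        auth.AddTenantScheme(configuration.GetSection("azuread1"), "azuread1", "Tenant 1 (azuread1)");
        auth.AddTenantScheme(configuration.GetSection("azuread2"), "azuread2", "Tenant 2 (azuread2)");
    }

    // Diagnostic (assumed helper): resolve the *named* options for each scheme and report
    // what a challenge to that scheme would actually use. Distinct Authority and ClientId
    // values per scheme are what you expect; identical values mean the registrations
    // overwrote each other and every challenge will go to the same tenant.
    public static string[] DescribeSchemes(IServiceProvider services, params string[] schemes)
    {
        var monitor = services.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>();
        return schemes
            .Select(s =>
            {
                var o = monitor.Get(s);
                return $"{s}: authority={o.Authority} clientId={o.ClientId} callback={o.CallbackPath}";
            })
            .ToArray();
    }

    // True when every scheme resolved to its own authority; false when they collapsed.
    public static bool SchemesAreDistinct(IServiceProvider services, params string[] schemes)
    {
        var monitor = services.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>();
        var authorities = schemes.Select(s => monitor.Get(s).Authority).ToArray();
        return authorities.Distinct(StringComparer.OrdinalIgnoreCase).Count() == schemes.Length;
    }
}
```

Call DescribeSchemes or SchemesAreDistinct from a development-only endpoint or a startup check after the host is built; resolving the named options triggers the handler's post-configuration, so it needs the full service provider, not just the service collection. The displayName argument is what the scaffolded ExternalLogin page renders on each button, which is the built-in handler's answer to the display-name complaint in the post.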
@Tratcher
Member

Tratcher commented Feb 25, 2021

@jmprieur? From the outside this setup looks fine.

@wmmihaa
Author

wmmihaa commented Feb 28, 2021

looks fine.

??

@blowdart
Contributor

blowdart commented Mar 1, 2021

You've already raised this in the right place in the identity-web repo.

@blowdart blowdart added the External This is an issue in a component not contained in this repository. It is open for tracking purposes. label Mar 1, 2021
@jmprieur
Contributor

jmprieur commented Mar 2, 2021

Thanks @Tratcher @blowdart
@wmmihaa this will be covered by https://github.com/AzureAD/microsoft-identity-web/issues

@blowdart
Contributor

blowdart commented Mar 2, 2021

Closing as external

@blowdart blowdart closed this as completed Mar 2, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Apr 1, 2021