Azure active directory and owin authentication

Question

Just faced an strange issue with azure ad applicationS and owin openid authentication. To reproduce the issue.

1.create a web app with azure ad authentication in vs 2015 choosing cloud app template .

2.let the standard code be as is.

3.let startup.auth as is.

4.Run the app on local it works fine.

5.now change code in startup àuth as follows

public partial class Startup
{
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    public static readonly string Authority = aadInstance + tenantId;

    // This is the resource ID of the AAD Graph API.  We'll need this to request a token to call the Graph API.
    string graphResourceId = "https://graph.windows.net";

    private static readonly log4net.ILog logger = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);

    public void ConfigureAuth(IAppBuilder app)
    {
        ApplicationDbContext db = new ApplicationDbContext();

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        logger.Debug("SetDefaultSignInAsAuthenticationType called");
        //app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseCookieAuthentication(
        new CookieAuthenticationOptions
        {
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = ctx =>
                {
                    //logger.Debug("OnResponseSignIn called");
                    ////ctx.Identity = TransformClaims(ctx.Identity);
                    //logger.Debug("TransformClaims called");
                }
            }
        });

app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = Authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                   AuthorizationCodeReceived = (context) =>
                   {
                       var code = context.Code;
                       ClientCredential credential = new ClientCredential(clientId, appKey);
                       string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                       logger.Debug("OnResponseSignIn called");
                       logger.Debug("signedInUserID =" + signedInUserID);
                       TransformClaims(context.AuthenticationTicket.Identity);
                       logger.Debug("TransformClaims called");
                       AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                       AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                       code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);



                       return Task.FromResult(0);
                   },



                    // we use this notification for injecting our custom logic
                    SecurityTokenValidated = (context) =>
                    {
                        logger.Debug("SecurityTokenReceived called");
                        //TransformClaims();  //pass the identity
                        return Task.FromResult(0);
                    },


                }
            });
    }


    private static void TransformClaims(System.Security.Claims.ClaimsIdentity identity)
    {
        if (identity != null && identity.IsAuthenticated == true)
        {
            var usserobjectid = identity.FindFirst(ConfigHelpers.Azure_ObjectIdClaimType).Value;
                ((System.Security.Claims.ClaimsIdentity)identity).AddClaim(new System.Security.Claims.Claim("DBID", "999"));
                ((System.Security.Claims.ClaimsIdentity)identity).AddClaim(new System.Security.Claims.Claim("Super","True"));
        }

        // return identity;
    }

}

6.Run the app on local it will work perfect.

7.Deploy the app on azure websites and the startup àuth owin notification methods will never be called.however app works but identity transformation not

Can somebody help out what's wrong with this is azure ad apps doesn't support cookies or notification not firing or anything wrong with code.

Just to re-assert else than startup.àuth no standard code is changed.

Answer 1

I know this is a bit old, but I had exactly the same issue recently and spent hours trying to understand why it wouldn't work in Azure but it worked absolutely fine in my localhost.

This is basically a configuration issue: in portal.azure.com select your app and then go to settings > authentication / authorisation and make sure that app service authentication is OFF.

It turns out that this setting will take over your startup.auth settings.

I have to give full credit to Vittorio Bertocci as pointed that out to me.