Leniel Maccaferri

Reputation: 102398

app.UseWindowsAzureActiveDirectoryBearerAuthentication stopped working after upgrade from ADAL to MSAL

I'm running some tests with MSAL but unfortunately it's not working as expected.

I had all configured for an ASP.NET MVC (.net 4.6) + Angular 1.6 SPA application with ADAL and ADAL Angular. All worked just fine but then I decided to try MSAL.

My configured provider's OnValidateIdentity handler in Startup.Auth.cs was being hit correctly with ADAL and I could add additional claims:

Provider = new OAuthBearerAuthenticationProvider
{
    OnValidateIdentity = async context =>
    {
        // ... additional claims were added to context.Ticket.Identity here ...
    }
}

Now that I changed to MSAL for Angular JS, I'm getting the ID Token and the Access Token but my OnValidateIdentity handler is not being hit anymore.

Is using app.UseWindowsAzureActiveDirectoryBearerAuthentication still valid when using MSAL?

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        // ...
    });

Upvotes: 3

Views: 2431

Answers (1)

Frank H

Reputation: 871

MSAL is meant to be used with converged/v2.0 application registrations, while ADAL is usually meant to be used with v1.0 app registrations.

You should create a new application using the new portal in portal.azure.com if you're trying to migrate to the v2 endpoint. In addition to that, these docs go over creating a v2.0 App Registration: https://learn.microsoft.com/en-us/graph/auth-register-app-v2

Please refer to this resource for more information on migrating from v1 to the v2 endpoint: https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-v1-to-v2/

In regard to the specifics of using app.UseWindowsAzureActiveDirectoryBearerAuthentication:

// tvps: the TokenValidationParameters instance (ValidAudience = the app's client ID)
// declared earlier in the sample's Startup.Auth.cs.

// NOTE: The usual WindowsAzureActiveDirectoryBearerAuthenticationMiddleware uses a
// metadata endpoint which is not supported by the v2.0 endpoint. Instead, this
// OpenIdConnectCachingSecurityTokenProvider can be used to fetch & use the OpenIdConnect
// metadata document.

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")),
});

This is referenced from the sample's Startup.Auth.cs: https://github.com/AzureADQuickStarts/AppModelv2-NativeClient-DotNet/blob/a69a4cb41e821f0ea8dddc937ea401a03e2f49fe/TodoListService/App_Start/Startup.Auth.cs

Some more good reading that does a bit of a comparison between the v1/v2 sample apps can be found here: https://simonlamb.codes/2017/02/27/net332-introduction-to-authentication-on-azure-active-directory/

Upvotes: 3
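The answer shows the middleware swap but not how the asker's OnValidateIdentity hook carries over to it, nor what the TokenValidationParameters should pin. The following is an added example, not code from the asker, the answer, or the AppModelv2 quickstart: a complete OWIN ConfigureAuth that validates v2.0 access tokens with the OAuth bearer middleware and keeps the claim-adding handler. It assumes the OpenIdConnectCachingSecurityTokenProvider class is copied from the linked sample, that ClientId and TenantId are placeholders for the v2.0 app registration's values, and that the TokenValidationParameters namespace matches the installed package version (Microsoft.IdentityModel.Tokens for current packages, System.IdentityModel.Tokens for older ones). One point the sample's /common metadata does not cover: the metadata document from /common does not pin the issuer to a tenant, so the example sets ValidIssuer explicitly, which rejects otherwise well-signed tokens minted for other tenants.

```csharp
// Added example (not the asker's, the answer's, or the quickstart's code).
// Assumes OpenIdConnectCachingSecurityTokenProvider is copied from the linked sample
// and that the placeholder constants below are replaced with real registration values.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;   // System.IdentityModel.Tokens on older package versions
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Placeholders: values come from the v2.0 app registration in the Azure portal.
    private const string ClientId = "<application-client-id>";
    private const string TenantId = "<directory-tenant-id>";

    public void ConfigureAuth(IAppBuilder app)
    {
        var tvps = new TokenValidationParameters
        {
            // v2.0 access tokens carry either the client ID or the api://<client-id>
            // Application ID URI as audience, depending on the registration's settings.
            ValidAudiences = new[] { ClientId, "api://" + ClientId },
            // Pin the issuer to this tenant; /common metadata alone does not do that.
            ValidIssuer = "https://login.microsoftonline.com/" + TenantId + "/v2.0",
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
        };

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            // Signing keys are fetched from the v2.0 OpenID Connect metadata document.
            AccessTokenFormat = new JwtFormat(tvps,
                new OpenIdConnectCachingSecurityTokenProvider(
                    "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")),

            // Same hook the question used with ADAL, attached to the bearer middleware
            // that now actually validates the token.
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = context =>
                {
                    ClaimsIdentity identity = context.Ticket.Identity;

                    // Runs only for tokens that passed signature, issuer, audience and
                    // lifetime checks above; add application-specific claims here.
                    identity.AddClaim(new Claim("app_role", "todo-user"));

                    context.Validated(identity);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The handler runs after JwtFormat has unprotected the token, so it only sees identities that already passed validation; anything added here should be derived from the validated claims or from application data, never from unverified request input.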
