Reputation: 2026
Why do my Admin controllers trigger OnRemoteFailure in ConfigureOpenIdConnectOptions when using custom authentication policies?
I am configuring authentication and authorization in an ASP.NET Core application using both OpenIdConnect and Microsoft Identity. The goal is to make the frontend controllers for my site use the OpenIdConnect (IdentityServer4) and the admin controllers use AzureAd. Here's a summary of my setup:
In Startup.cs, I have configured authentication and authorization as follows:
services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureOpenIdConnectOptions();
services.AddSingleton<IConfigureOptions<MicrosoftIdentityOptions>, ConfigureAzureAdConnectOptions>();
AuthenticationBuilder authBuilder = services.AddAuthentication(options =>
{
options.DefaultScheme = "IS4Cookies";
options.DefaultChallengeScheme = "SigmaSSO";
});
authBuilder.AddCookie("IS4Cookies"); // Add a cookie handler
authBuilder.AddOpenIdConnect("SigmaSSO", null);
authBuilder.AddMicrosoftIdentityWebApp(Configuration, "AzureAd", "EntraIdOIDC", "EntraId", true);
services.AddAuthorization(options =>
{
options.AddPolicy("AdminSection", policy =>
{
policy.AddAuthenticationSchemes("EntraIdOIDC");
policy.RequireAuthenticatedUser();
policy.RequireRole(new List<string>{"PlusAdminUser"});
});
options.AddPolicy("FrontEnd", policy =>
{
policy.AddAuthenticationSchemes("SigmaSSO");
policy.RequireAuthenticatedUser();
});
});
I also have this event configured in ConfigureOpenIdConnectOptions:
options.Events = new OpenIdConnectEvents()
{
OnRemoteFailure = ctx =>
{
ctx.HandleResponse();
ctx.Response.Redirect("/");
return Task.FromResult(0);
}
};
For my controllers, I have the following attributes:
Admin Controllers:
[Area("Admin")]
[Authorize(Policy = "AdminSection")]
Frontend Controllers:
[Area("Admin")]
[Authorize(Policy = "FrontEnd")]
ConfigureAzureAdConnectOptions only contains basic information as such:
options.Instance = "https://login.microsoftonline.com/";
options.Domain = "azure-domain-here";
options.TenantId = "someguid";
options.ClientId = "some-other-guid";
options.CallbackPath = "/signin-oidc";
options.SignInScheme = "AzureCookies";
options.Scope.Add("openid");
The problem I'm encountering is that when I access any of my Admin controllers, the OnRemoteFailure event is triggered from the ConfigureOpenIdConnectOptions class, which causes a redirect to the homepage.
I expect this event to trigger only on OpenID Connect-related failures, but it is happening consistently when accessing admin routes.
Why are my Admin controllers triggering the OnRemoteFailure event from ConfigureOpenIdConnectOptions? How can I prevent this behavior and ensure it only triggers on legitimate OpenID Connect failures?
Additional Information:
- I am using ASP.NET Core 8.0.
- The "AdminSection" policy is configured to use the EntraIdOIDC scheme, which I believe should map to Azure AD authentication.
- The "FrontEnd" policy uses the SigmaSSO OpenID Connect scheme.
Upvotes: 0
Views: 116
Answers (0)
Related Questions
- Why is it important to override GetHashCode when Equals method is overridden?
- .NET Core 3.1 custom ClaimsPrincipal not working correctly with AddAuthenticationSchemes policy
- Using multiple authentication providers in C# .net core
- How add two different tokens in ASP.NET Core Web API
- Policy based authentication with OKTA OpenIdConnect
- How to Validate OpenID Connect Access Token generated by Azure AD v2 in ASP.NET core WEB API?
- How to bypass AzureAD authentication using OpenID and Owin middleware for Web API 2 controller within ASP.NET MVC project
- Implemeting Authentication using OpenId Connect implementation for Azure AD?