
Integration with asp.net core SSO with Single Tenant SPN #9

Closed
2 of 9 tasks
ellio246t opened this issue Sep 6, 2023 · 10 comments

Comments

@ellio246t

Sample

https://github.com/pnp/mgt-samples/tree/main/samples/app/msal2provider-asp-net-core-sso

Author(s)

@sebastienlevert

What happened?

I have followed the instructions in the sample with two deviations:

  1. My SPN is a single tenant SPN
  2. The client secret is not in app.config

The sdk controls never manage to display data from AAD and appear as empty or with a message no data found.
How can I get this to work with a single tenant SPN

App Registration

Here are the app permissions:
image

Client Secret

This is supplied in Program.cs after retrieving from Key Vault. SSO is working fine:

```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;

// The client secret is read from Key Vault at startup with the app's identity
// (DefaultAzureCredential) instead of being stored in configuration.
var secretClient = new SecretClient(
    new Uri(builder.Configuration.GetValue<string>("KeyVault:VaultUri")),
    new DefaultAzureCredential());
var clientSecret = secretClient.GetSecret(
    builder.Configuration.GetSection("AzureAD").GetValue<string>("ApplicationName"));
var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ')
    ?? builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(microsoftIdentityOptions =>
    {
        var azureAd = builder.Configuration.GetSection("AzureAd");
        microsoftIdentityOptions.ClientId = azureAd.GetValue<string>("ClientId");
        microsoftIdentityOptions.Domain = azureAd.GetValue<string>("Domain");
        microsoftIdentityOptions.TenantId = azureAd.GetValue<string>("TenantId");
        microsoftIdentityOptions.Instance = azureAd.GetValue<string>("Instance");
        microsoftIdentityOptions.CallbackPath = azureAd.GetValue<string>("CallbackPath");
        // Response<KeyVaultSecret>.Value is the secret object; KeyVaultSecret.Value is the string
        microsoftIdentityOptions.ClientSecret = clientSecret.Value.Value;
        microsoftIdentityOptions.GetClaimsFromUserInfoEndpoint = true;
    })
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();
```

MSAL2 Provider Initialization

This is happening in _Layout.cshtml:

```cshtml
@* Requires "@inject IConfiguration Configuration" at the top of _Layout.cshtml *@
@if (User.Identity.IsAuthenticated)
{
    <script src="https://unpkg.com/@@microsoft/mgt@3/dist/bundle/mgt-loader.js"></script>
    <script>
        mgt.Providers.globalProvider = new mgt.Msal2Provider({
            clientId: "@Configuration["AzureAd:ClientId"]",
            loginHint: "@User.Claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value",
            redirectUri: "/sso.html",
            authority: "https://login.microsoftonline.com/@Configuration["AzureAd:TenantId"]"
            loginType: mgt.LoginType.Popup
        });
    </script>
}
```
If I inspect the HTML I see this in the header:

```html
<script src="https://unpkg.com/@microsoft/mgt@3/dist/bundle/mgt-loader.js"></script>
<script>
    mgt.Providers.globalProvider = new mgt.Msal2Provider({
        clientId: "aa1c150d-0ab5-44ee-b1b3-48150574f0d1",
        loginHint: "Philip.Elliott@**********.com",
        redirectUri: "/sso.html",
        authority: "https://login.microsoftonline.com/********-My-TenantId"
        loginType: mgt.LoginType.Popup
    });
</script>
```

sso.html

This is added to wwwroot.

Steps to reproduce

  1. Follow the tutorial as per above.
  2. Add this to the home page:

```cshtml
@if (User.Identity.IsAuthenticated)
{
    Signed in User:
    <mgt-people-picker></mgt-people-picker>
}
```

  3. Observe that no data from AAD is displayed.

Expected behavior

I expect to see the logged on user details and be able to search and pick users from AAD.
This is what I see:
image

Developer environment

None

Browsers

  • Internet Explorer
  • Microsoft Edge
  • Google Chrome
  • FireFox
  • Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

asp.net core MVC web application hosted in Azure PaaS web app. Here's the project definition (csproj; element names were lost in extraction, only the values remain):

netcoreapp6.0 enable enable
@sebastienlevert (Collaborator)

Can you provide a small repro that we could test it out? That would help us identify the right issues. Thanks! Also adding @gavinbarron as he's been the one fiddling around with this sample!

@github-project-automation github-project-automation bot moved this to Needs Triage 🔍 in Graph Toolkit Sep 7, 2023
@gavinbarron (Collaborator)

Oh wow, you were so close to having this working @ellio246t

You're missing a comma at the end of the authority line where you set up the provider in the _Layout.cshtml and that's breaking your SSO flow.

When looking at the network requests in the browser you should see a chain of requests out to the login.microsoft.com site and redirecting back to the sso page if you have a valid config for your provider.

Additionally you should see any errors in the query string for the request to the sso page.
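The network-trace diagnosis described above, as an added example that is not part of this issue, the pnp/mgt-samples project or MGT itself. Entra ID reports failures in two places: authorization-endpoint errors come back on the redirect URI (query string or fragment), while token-endpoint errors (the AADSTS9002326 case ellio246t posts further down) come back as the JSON body of the HTTP 400 from /oauth2/v2.0/token and are only visible in the network tab. The helper below normalises both into one record with the AADSTS code pulled out. The AADSTS hint table is our own summary (an assumption, not from the page), and both sample inputs are constructed; the token error body reuses the error text and IDs quoted later in the thread.

```javascript
// Added example (not code from this issue, the pnp/mgt-samples repo or MGT).
// Entra ID reports sign-in failures in two places: authorization-endpoint
// errors come back on the redirect URI (query string or fragment depending on
// response_mode); token-endpoint errors come back as the JSON body of the
// HTTP 400 from /oauth2/v2.0/token and are only visible in the network tab.
// Both carry "error" and an "error_description" that starts with an AADSTS code.

// Triage hints for codes that commonly surface with a mis-registered SPA.
// This mapping is our own summary (assumption), not taken from the page.
const AADSTS_HINTS = {
  AADSTS9002326: "redirect URI is registered on the Web platform; cross-origin token redemption needs it under Single-page application (SPA)",
  AADSTS50011: "redirect URI in the request matches no URI registered for the app",
  AADSTS700016: "client ID not found in the tenant named by the authority; check tenant ID vs. single-tenant registration",
  AADSTS65001: "user or admin has not consented to the requested scopes",
};

// Merge the query string and the fragment of a redirect URL into one parameter
// set; the query is read first and the fragment fills in anything missing.
function paramsFromRedirect(urlString) {
  const u = new URL(urlString);
  const merged = new URLSearchParams(u.search);
  for (const [k, v] of new URLSearchParams(u.hash.replace(/^#/, ""))) {
    if (!merged.has(k)) merged.append(k, v);
  }
  return merged;
}

// input: a redirect URL (string) or the parsed JSON error body from the token endpoint
function parseAadError(input) {
  let error = null, description = "", correlationId = null, state = null;
  if (typeof input === "string") {
    const p = paramsFromRedirect(input);
    error = p.get("error");
    description = p.get("error_description") || "";
    correlationId = p.get("correlation_id");
    state = p.get("state");
  } else {
    error = input.error || null;
    description = input.error_description || "";
    correlationId = input.correlation_id || null;
  }
  if (!error) return { ok: true, state };

  const codeMatch = /AADSTS\d+/.exec(description);
  const code = codeMatch ? codeMatch[0] : null;
  const originMatch = /Request origin: '([^']+)'/.exec(description);
  return {
    ok: false,
    error,
    code,
    // first line is the human-readable message; Trace ID / Correlation ID / Timestamp follow
    message: description.split(/\r?\n/)[0].trim(),
    requestOrigin: originMatch ? originMatch[1] : null,
    correlationId,
    state,
    hint: (code && AADSTS_HINTS[code]) || "look the code up at https://learn.microsoft.com/entra/identity-platform/reference-error-codes",
  };
}

// Constructed sample: the token-endpoint 400 body for the error seen in this thread.
const SAMPLE_TOKEN_ERROR = {
  error: "invalid_request",
  error_description:
    "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. " +
    "Request origin: 'https://localhost:7267'.\r\nTrace ID: 6c70a7b3-a32e-41bc-8ade-882a242a0f00\r\n" +
    "Correlation ID: 9a858aed-9c1f-4a85-9c34-84951069aabb\r\nTimestamp: 2023-09-13 07:40:57Z",
  error_codes: [9002326],
  correlation_id: "9a858aed-9c1f-4a85-9c34-84951069aabb",
};

// Constructed sample: a redirect back to sso.html after a failed authorize request,
// fragment-encoded as msal-browser requests by default (response_mode=fragment).
const SAMPLE_REDIRECT =
  "https://localhost:7267/sso.html#error=invalid_request" +
  "&error_description=AADSTS50011%3A+The+redirect+URI+%27https%3A%2F%2Flocalhost%3A7267%2Fsso.html%27" +
  "+specified+in+the+request+does+not+match+the+redirect+URIs+configured+for+the+application.&state=xyz";

console.log(parseAadError(SAMPLE_TOKEN_ERROR));
console.log(parseAadError(SAMPLE_REDIRECT));
```

Dropping `parseAadError(window.location.href)` into sso.html surfaces authorize-step failures without a debugger; for token-step failures, copy the 400 response body from the network tab and pass it as an object.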

@ellio246t (Author)

Thanks for your responses gentlemen. I fixed the missing comma but that must be issue 1 of N, the behaviour was unchanged. I've run a network trace and could see the chain of requests just as you described. sso.html is called but the token request has failed:
image

I've created a stripped down version of the app I can share. If you fill in the app.config file and sort the client secret in program.cs it should run.
Web.zip

@ellio246t (Author)

Hi,
I investigated the bad request error some more. The actual error is:

AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'https://localhost:7267'.
Trace ID: 6c70a7b3-a32e-41bc-8ade-882a242a0f00
Correlation ID: 9a858aed-9c1f-4a85-9c34-84951069aabb
Timestamp: 2023-09-13 07:40:57Z

So it seems the issue is to do with the application registration, but what specifically? I already mentioned that the app I'm using is configured as a single tenant app and that is the only thing (I know of) that deviates from the code sample instructions. Will the SDK work with a single tenant app registration and if so how do I configure it?

@gavinbarron (Collaborator) commented Sep 13, 2023 via email

@gavinbarron (Collaborator)

The authentication blade of the app registration should look like this:
Screenshot of the Authentication blade in AAD for an app registration

@ellio246t (Author)

I added a platform for SPA and now I can see the controls have started to work:
image

This is real progress. Thank you so much!

I still have one final question for you:
In the image I am being prompted to ask my AD admin to approve API permissions. Read Presence of All users isn't granted yet but view user basic profile is. What is going on here? Is this more missing app registration config? I don't want users of the web app to see such prompts, how do I fix it?

@sebastienlevert (Collaborator)

To avoid users seeing this prompt, you'll have to do a global admin consent like here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal. This will approve the set of permissions you need for all the users in your tenant.

@ellio246t (Author) commented Sep 15, 2023 via email

@gavinbarron (Collaborator)

The mechanics of app consent are not something we have control over. MGT is a user of the AAD/Entra services and we just have to live with their rules. I suspect what is happening here is that the admin is being asked to consent for all the requested scopes for the application, not just the additional one that requires admin approval.

As the integration between the sample and the single tenant application is now resolved I think we can close this issue. Please do re-open it, or raise a new issue, if there are additional issues you face.

@github-project-automation github-project-automation bot moved this from Needs Triage 🔍 to Done ✔️ in Graph Toolkit Sep 15, 2023