Application (client) id changed in the middle of an Entra hybrid flow

Ben Wilson 20 Reputation points
2024-07-11T13:25:21.9266667+00:00

My asp.net core web app uses Entra as its authentication provider. The grant flow type is a hybrid flow. The sign-in process returned an AADSTS50011 error, complaining that the redirect URI was not in the Enterprise App registration for this web app. However, the redirect URI in the message was wrong and contained an incorrect application (client) id. The web app has been working fine for months. There was no deployment or configuration change before this error.

I understand that the hybrid flow issues two requests to the authorize endpoint. Below is the info I collected using the Edge Developer tool. I only included the relevant query parameters in my examples below.

The first request is like

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=correct-app-registration-client-id
&response_type=code%20id_token
&redirect_uri=https%3A%2F%2Fwebapp1.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback

The developer tool shows that code and id_token are issued successfully and in the payload of the request https://webapp1.azurewebsites.net/.auth/login/aad/callback

Then, the second request to the authorize endpoint strangely has the incorrect client id.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=wrong-app-registration-client-id
&response_type=code
&redirect_uri=https%3A%2F%2Fwebapp1.azurewebsites.net%2Fsignin-oidc

I do own the app registration associated with the wrong client id. But on the Azure web app service page, there is only one place for me to specify the authentication/identity provider. Besides, my web app uses boilerplate code for authentication in program.cs and does not have any code interfering with the grant flow. Here is the relevant code I used for enabling authentication.

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ')
    ?? builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();

builder.Services.AddAuthorization(o =>
{
    o.AddPolicy("IsUser", o => o.RequireRole("Role.User"));
    o.AddPolicy("IsManager", o => o.RequireRole("Role.Manager"));
    o.DefaultPolicy = o.GetPolicy("IsUser")!;
    o.FallbackPolicy = o.DefaultPolicy;
});

I thought that the entire hybrid flow is controlled by the package and the Entra platform. I do not know any way the client id can be manipulated in the middle of the flow. I tested in Edge InPrivate but got the same result.

Thank you.

Best regards,
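As an added diagnostic that is not part of the question or the answer: a small Python script that parses the two captured authorize requests and reports which leg uses a client id or redirect URI that is not on the expected app registration. /.auth/login/aad/callback is the App Service authentication (Easy Auth) callback, while /signin-oidc is the default callback path of the ASP.NET Core OpenID Connect handler, so a client id mismatch on the /signin-oidc leg points at the in-app AzureAd configuration rather than at the App Service provider setting. The tenant, client ids and redirect URIs below are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the two authorize requests as seen in the browser tool,
# reduced to the parameters that matter (same shape as in the question).
CAPTURED_REQUESTS = [
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?"
    "client_id=11111111-aaaa-bbbb-cccc-222222222222"
    "&response_type=code%20id_token"
    "&redirect_uri=https%3A%2F%2Fwebapp1.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback",
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?"
    "client_id=33333333-dddd-eeee-ffff-444444444444"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fwebapp1.azurewebsites.net%2Fsignin-oidc",
]

# Placeholder: the registration App Service authentication is configured with,
# and the redirect URIs registered on it.
EXPECTED_CLIENT_ID = "11111111-aaaa-bbbb-cccc-222222222222"
REGISTERED_REDIRECT_URIS = {"https://webapp1.azurewebsites.net/.auth/login/aad/callback"}


def parse_authorize(url):
    """Return client_id, response_type and (decoded) redirect_uri of one authorize request."""
    q = parse_qs(urlparse(url).query)
    return {
        "client_id": q.get("client_id", [""])[0],
        "response_type": q.get("response_type", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
    }


def diagnose(urls, expected_client_id, registered_uris):
    """Flag each authorize leg whose client_id or redirect_uri does not match the
    expected registration. A /signin-oidc leg with a different client_id means a
    second, in-process OIDC handler is redirecting with its own AzureAd:ClientId."""
    findings = []
    for i, url in enumerate(urls, 1):
        p = parse_authorize(url)
        if p["client_id"] != expected_client_id:
            findings.append(f"leg {i}: client_id {p['client_id']} != expected {expected_client_id}")
        if p["redirect_uri"] not in registered_uris:
            findings.append(f"leg {i}: redirect_uri {p['redirect_uri']} not registered (AADSTS50011)")
        if p["redirect_uri"].endswith("/signin-oidc") and p["client_id"] != expected_client_id:
            findings.append(f"leg {i}: /signin-oidc is the in-app OIDC handler callback; check AzureAd:ClientId")
    return findings


if __name__ == "__main__":
    for line in diagnose(CAPTURED_REQUESTS, EXPECTED_CLIENT_ID, REGISTERED_REDIRECT_URIS):
        print(line)
```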


Accepted answer
  1. Akhilesh Vallamkonda 10,325 Reputation points Microsoft Vendor
    2024-07-12T13:51:21.7933333+00:00

    Hi @Ben Wilson

    Thank you for reaching us!
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    The main difference between Microsoft.AspNetCore.Authentication.OpenIdConnect and Easy Auth comes down to the level of control and customization they provide for authentication in your ASP.NET Core application.

    Microsoft.AspNetCore.Authentication.OpenIdConnect is a middleware component that gives you deep integration with the OpenID Connect authentication protocol. It provides more fine-grained control over the authentication process in your ASP.NET Core application. With OpenID Connect, you can customize the authentication flow, handle additional claims and tokens, and integrate with other OpenID Connect providers. It offers various customization options to fit different authentication scenarios.

    EasyAuth is an easy method of using one or more authentication providers with a Web App, Mobile App or API App in Azure App Service. It reduces the time and effort required to implement and maintain authentication in your app.

    Reference: https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.openidconnect?view=aspnetcore-8.0
    https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization?WT.mc_id=easyauth-github-marouill

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

