Web App Easy Auth with OIDC Provider: Difference between Windows and Linux

Question

Web App Easy Auth with OIDC Provider: Difference between Windows and Linux

Kentaro Inomata 31

I am configuring Easy Auth with OIDC Provider on Web App Linux, and on Web App Windows for comparison.

As far as I understand, there is no way to specify the scopes.

When Linux, it doesn't work well.
Specifically, When I access the linux web site, Easy Auth returns HTTP 302 as below.

HTTP/1.1 302 Found  
Location: https://kinomata1bc2.b2clogin.com/kinomata1bc2.onmicrosoft.com/b2c_1_singup_signin/oauth2/v2.0/authorize?response_type=code&client_id=83635a3e-ca10-4e24-95ba-05873ea8e327&redirect_uri=https%3A%2F%2Fmsdn-kinomata1-linux.azurewebsites.net%2F.auth%2Flogin%2Faadb2c%2Fcallback&nonce=d4d3551f04654fcfa62a5ee18686b1d8_20220214015424&state=%2F

Then an OIDC provider refuses the access for the lack of a scope parameter.

{"code":401,"message":"An error of type 'invalid_request' occurred during the login process: 'AADB2C90010: The request does not contain a scope parameter.\r\nCorrelation ID: 2833db73-795f-4447-b9a2-bdcff752df90\r\nTimestamp: 2022-02-14 01:49:26Z\r\n'"}

When Windows, it works as expected.

HTTP/1.1 302 Redirect  
Location: https://kinomata1bc2.b2clogin.com/kinomata1bc2.onmicrosoft.com/b2c_1_singup_signin/oauth2/v2.0/authorize?response_type=code&client_id=f182113d-65a6-431e-bda4-8c53136a59b8&redirect_uri=https%3A%2F%2Fmsdn-kinomata1-windows.azurewebsites.net%2F.auth%2Flogin%2Faadb2c%2Fcallback&nonce=c6de6dd3a0ed4a0eaf4d3c4f1b25417e_20220214015834&state=redir%3D%252F&scope=openid+profile+email

Kentaro Inomata 31 Reputation points

2022-02-14T06:43:54.07+00:00
I found a workaround to set the scope parameter.

Go to Resource Explorer and update /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Web/sites/xxx/config/authsettingsV2 as below.

{ "properties": { "identityProviders": { "customOpenIdConnectProviders": { "aadb2c": { "login": { "scopes": [ "openid", "offline_access", "email", "profile" ] } } } } } }

I never believe that it should be needed by default -- I expect it just like Web Apps Windows.
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-14T07:54:24.917+00:00

@Kentaro Inomata , Thanks for posting this great question and following-up to share your findings.

As mentioned in this doc - "For Linux apps, There's a temporary requirement to configure a versioning setting for the back-end app registration. In the Cloud Shell, configure it with the following commands. Be sure to replace <back-end-client-id> with your back end's client ID. "

I'll also relay your feedback to our product engineering team. Thanks for your feedback and patience. It's much appreciated.
Kentaro Inomata 31 Reputation points

2022-02-14T08:48:40.043+00:00

Hi @Anonymous ,

The doc says

openid, profile, and email are requested by App Service by default already.

But in my case, the scope parameter is not requested, as I posted first. I suspect that it is a regression.

Best,
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-14T17:32:53.063+00:00

KentaroInomata-4553, Thanks for the additional details. I'm checking on this internally and will get back to you shortly.
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-14T19:30:44.107+00:00

KentaroInomata-4553, Also, we noticed that this is an Azure AD B2C tenant. Rather than using OIDC, I would suggest you to try using the Microsoft identity provider, as described here. The Microsoft identity provider has special knowledge of B2C and would work better (as per your requirement).

Just as a side note, [above] I have shared a third party blog, just for your reference, please exercise caution when using 3rd party sites.
Kentaro Inomata 31 Reputation points

2022-02-14T22:42:19.333+00:00

Hi ajkuma,

Thank you for your suggestion, but I am going to save this as the last workaround: For some reasons, I am using Auth0 rather than ADB2C for now.

I would be glad if Microsoft advocates me following open standards.

Best,

Accepted answer

0 additional answers

Your answer

Kentaro Inomata 31 Reputation points

2022-02-14T06:43:54.07+00:00

I found a workaround to set the scope parameter.

Go to Resource Explorer and update /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Web/sites/xxx/config/authsettingsV2 as below.

{ "properties": { "identityProviders": { "customOpenIdConnectProviders": { "aadb2c": { "login": { "scopes": [ "openid", "offline_access", "email", "profile" ] } } } } } }

I never believe that it should be needed by default -- I expect it just like Web Apps Windows.
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-14T07:54:24.917+00:00

@Kentaro Inomata , Thanks for posting this great question and following-up to share your findings.

As mentioned in this doc - "For Linux apps, There's a temporary requirement to configure a versioning setting for the back-end app registration. In the Cloud Shell, configure it with the following commands. Be sure to replace <back-end-client-id> with your back end's client ID. "

I'll also relay your feedback to our product engineering team. Thanks for your feedback and patience. It's much appreciated.
Kentaro Inomata 31 Reputation points

2022-02-14T08:48:40.043+00:00

Hi @Anonymous ,

The doc says

openid, profile, and email are requested by App Service by default already.

But in my case, the scope parameter is not requested, as I posted first. I suspect that it is a regression.

Best,
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-14T17:32:53.063+00:00

KentaroInomata-4553, Thanks for the additional details. I'm checking on this internally and will get back to you shortly.
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-14T19:30:44.107+00:00

KentaroInomata-4553, Also, we noticed that this is an Azure AD B2C tenant. Rather than using OIDC, I would suggest you to try using the Microsoft identity provider, as described here. The Microsoft identity provider has special knowledge of B2C and would work better (as per your requirement).

Just as a side note, [above] I have shared a third party blog, just for your reference, please exercise caution when using 3rd party sites.
Kentaro Inomata 31 Reputation points

2022-02-14T22:42:19.333+00:00

Hi ajkuma,

Thank you for your suggestion, but I am going to save this as the last workaround: For some reasons, I am using Auth0 rather than ADB2C for now.

I would be glad if Microsoft advocates me following open standards.

Best,

Answer 1

ajkuma 28,036 Microsoft Employee Moderator

KentaroInomata-4553, Thanks for the follow-up and sharing additional info.

I had a discussion on this internally. This was due to a bug; the fix has been rolled out. The latest platform upgrade that should be completed in the coming weeks should bring the new version of EasyAuth middleware with the fix.

The fix adds the ‘openid,’ ‘profile,’ and ‘email’ scopes by default if none is provided in the application. The workaround (manually adding these scopes) is a suitable workaround (at this time).

I’d shared info about Microsoft Identity provider as it is an Azure AD B2C tenant, just as an alternate and additional option only. Sorry! for any confusion. Depending on your requirement, yes you can choose OIDC provider and characteristically works fine as documented here. || Microsoft loves open source.

Once again, apologies for the inconvenience with this issue. Thanks for your valuable feedback.

---------
To benefit the community find the right answers, please do mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.

Kentaro Inomata 31 Reputation points

2022-02-15T15:56:34.043+00:00

I am glad to hear that! I really appreciate it.

Would you mind converting your comment to an answer so that I could accept it?

Best regards,
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-02-15T18:08:16.27+00:00

@Kentaro Inomata , Glad to know the information was helpful. Thanks for your positive feedback. It's much appreciated.
I have converted my answer. Thank you!

Share via

Web App Easy Auth with OIDC Provider: Difference between Windows and Linux

0 additional answers

Your answer