C
C#2mo ago
Mitch

Why do my Admin controllers trigger OnRemoteFailure in ConfigureOpenIdConnectOptions when using cust

Why do my Admin controllers trigger OnRemoteFailure in ConfigureOpenIdConnectOptions when using custom authentication policies? I am configuring authentication and authorization in an ASP.NET Core application using both OpenIdConnect and Microsoft Identity. The goal is to make the frontend controllers for my site use the OpenIdConnect (IdentityServer4) and the admin controllers use AzureAd. Here's a summary of my setup: In Startup.cs, I have configured authentication and authorization as follows: 
services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureOpenIdConnectOptions(); 
services.AddSingleton<IConfigureOptions<MicrosoftIdentityOptions>, ConfigureAzureAdConnectOptions>();

AuthenticationBuilder authBuilder = services.AddAuthentication(options =>
{
    options.DefaultScheme = "IS4Cookies";
    options.DefaultChallengeScheme = "SigmaSSO";
});
authBuilder.AddCookie("IS4Cookies"); // Add a cookie handler
authBuilder.AddOpenIdConnect("SigmaSSO", null);
authBuilder.AddMicrosoftIdentityWebApp(Configuration, "AzureAd", "EntraIdOIDC", "EntraId", true);

services.AddAuthorization(options =>
{
    options.AddPolicy("AdminSection", policy =>
    {
        policy.AddAuthenticationSchemes("EntraIdOIDC");
        policy.RequireAuthenticatedUser();
        policy.RequireRole(new List<string>{"PlusAdminUser"});
    });
    options.AddPolicy("FrontEnd", policy =>
    {
        policy.AddAuthenticationSchemes("SigmaSSO");
        policy.RequireAuthenticatedUser();
    });
});
services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureOpenIdConnectOptions(); 
services.AddSingleton<IConfigureOptions<MicrosoftIdentityOptions>, ConfigureAzureAdConnectOptions>();

AuthenticationBuilder authBuilder = services.AddAuthentication(options =>
{
    options.DefaultScheme = "IS4Cookies";
    options.DefaultChallengeScheme = "SigmaSSO";
});
authBuilder.AddCookie("IS4Cookies"); // Add a cookie handler
authBuilder.AddOpenIdConnect("SigmaSSO", null);
authBuilder.AddMicrosoftIdentityWebApp(Configuration, "AzureAd", "EntraIdOIDC", "EntraId", true);

services.AddAuthorization(options =>
{
    options.AddPolicy("AdminSection", policy =>
    {
        policy.AddAuthenticationSchemes("EntraIdOIDC");
        policy.RequireAuthenticatedUser();
        policy.RequireRole(new List<string>{"PlusAdminUser"});
    });
    options.AddPolicy("FrontEnd", policy =>
    {
        policy.AddAuthenticationSchemes("SigmaSSO");
        policy.RequireAuthenticatedUser();
    });
});
(more in next post)
1 Reply
Mitch
Mitch2mo ago
I also have this event configured in ConfigureOpenIdConnectOptions: 
options.Events = new OpenIdConnectEvents()
{
    OnRemoteFailure = ctx =>
    {
        ctx.HandleResponse();
        ctx.Response.Redirect("/");
        return Task.FromResult(0);
    }
};
options.Events = new OpenIdConnectEvents()
{
    OnRemoteFailure = ctx =>
    {
        ctx.HandleResponse();
        ctx.Response.Redirect("/");
        return Task.FromResult(0);
    }
};
For my controllers, I have the following attributes: Admin Controllers: 
[Area("Admin")]
[Authorize(Policy = "AdminSection")]
[Area("Admin")]
[Authorize(Policy = "AdminSection")]
Frontend Controllers: 
 [Area("Admin")]
 [Authorize(Policy = "FrontEnd")]
 [Area("Admin")]
 [Authorize(Policy = "FrontEnd")]
ConfigureAzureAdConnectOptions only contains basic information as such: 
    options.Instance = "https://login.microsoftonline.com/";
    options.Domain = "azure-domain-here";
    options.TenantId = "someguid";
    options.ClientId = "some-other-guid";
    options.CallbackPath = "/signin-oidc";
    options.SignInScheme = "AzureCookies";
    options.Scope.Add("openid");
    options.Instance = "https://login.microsoftonline.com/";
    options.Domain = "azure-domain-here";
    options.TenantId = "someguid";
    options.ClientId = "some-other-guid";
    options.CallbackPath = "/signin-oidc";
    options.SignInScheme = "AzureCookies";
    options.Scope.Add("openid");
The problem I'm encountering is that when I access any of my Admin controllers, the OnRemoteFailure event is triggered from the ConfigureOpenIdConnectOptions class, which causes a redirect to the homepage. I expect this event to trigger only on OpenID Connect-related failures, but it is happening consistently when accessing admin routes. Why are my Admin controllers triggering the OnRemoteFailure event from ConfigureOpenIdConnectOptions? How can I prevent this behavior and ensure it only triggers on legitimate OpenID Connect failures? Additional Information: * I am using ASP.NET Core 8.0. * The "AdminSection" policy is configured to use the EntraIdOIDC scheme, which I believe should map to Azure AD authentication. * The "FrontEnd" policy uses the SigmaSSO OpenID Connect scheme. Additionally, based on whether I choose to add the SigmaSSO to the authbuilder first or the EntraIdOIDC to the authbuilder first, I always get an error 
An error was encountered while handling the remote login.
Stack Trace:
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync() at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
An error was encountered while handling the remote login.
Stack Trace:
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync() at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
it either throws for one or the other in my app
Want results from more Discord servers?
Add your server