Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Alexander Wagner 34 posts 174 karma points
    Feb 06, 2024 @ 10:04
    Alexander Wagner
    0

    Umbraco.Cloud.Identity.Cms 13 doesn't seem to work with MemberAuthenticationBuilder.AddMicrosoftIdentityWebApp

    Hi

    I'm upgrading my clients site from 10 to 13 and they have a B2C login for their members (see code bellow).

    It seems that the version of Microsoft.Identity.Web (version 1.25.9) that Umbraco.Cloud.Identity.Cms is using doesn't work with MemberAuthenticationBuilder.AddMicrosoftIdentityWebApp. After I've logged in on the B2C-login page I get this error:

    IDX40001: Issuer 'https://[Instance]/[TenantId]/v2.0' does not match any of the valid issuers provided for this application.

    If I remove Umbraco.Cloud.Identity.Cms and only uses MicroSoft.Identity.Web 1.16.0 (that worked for Umbraco.Cloud.Identity.Cms 10) or 2.7.0 (latest stable) it works.

    I found this post about that error but upgrading MicroSoft.Identity.Web to a version higher than the one that Umbraco.Cloud.Identity.Cms uses only results in crashes when the site is starting up.

    Removing Umbraco.Cloud.Identity.Cms isn't really ideal either, as you can imagine.

    Do anyone have any recommendation on how to move forward?

    builder.AddMemberExternalLogins(logins =>{
    logins.AddMemberLogin(
        membersAuthenticationBuilder =>
        {
            membersAuthenticationBuilder.AddMicrosoftIdentityWebApp(
                options =>
                {
                    options.ResponseType = OpenIdConnectResponseType.Code;
                    options.Instance = aadInstance;
                    options.Domain = tenant;
                    options.ClientId = clientId;
                    options.ClientSecret = clientSecret;
                    options.SignUpSignInPolicyId = signInPolicyId;
                    options.CallbackPath = "/umbraco-b2c-members-signin";
                    options.Events.OnTokenValidated = context =>
                    {
                        var principal = context.Principal;
                        if (principal is null) throw new InvalidOperationException("No claims found.");
    
                        // check if email claim doesn't exist and if so, add it from upn claim type
                        if (!principal.HasClaim(x => x.Type == ClaimTypes.Email))
                        {
                            var loggedInEmail = principal.Claims.FirstOrDefault(c => c.Type.Equals("emails"))?.Value;
                            // append loggedInEmail value as a email claim to context principal
                            if (!string.IsNullOrEmpty(loggedInEmail))
                            {
                                var emailClaim = new Claim(ClaimTypes.Email, loggedInEmail);
                                var identity = (ClaimsIdentity)principal.Identity;
                                identity.AddClaim(emailClaim);
                            }
                        }
    
                        return Task.CompletedTask;
                    };
                    options.Events.OnRemoteFailure = async context =>
                    {
                        var errorMessage = GetErrorMessage(context.Failure);
                        if (errorMessage.Contains("AADB2C90091"))
                        {
                            // User cancels password change gives this message
                            // AADB2C90091: The user has cancelled entering self-asserted information.
                            // This is logged as an Error by the middleware.
                            context.Response.Redirect("/");
                        }
                        else
                        {
                            //logger.Warn(typeof(AadB2CComponent), errorMessage);
                            context.Response.Redirect(string.Format("{0}?error={1}", failedPage, errorMessage));
                        }
                    };
                    options.Scope.Add(options.ClientId);
                }, 
                openIdConnectScheme: membersAuthenticationBuilder.SchemeForMembers(AzureB2CMembersExternalLoginProviderOptions.SchemeName));
        }); });
    

    EDIT:

    Adding this snippet seems to solve the problem, but it's not really a good idea from a security perspective so I've also raised a ticket on https://github.com/umbraco/Umbraco.Cloud.Issues/issues/734

    options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false };

Please Sign in or register to post replies

Write your reply to:

Draft