In a previous blog post, I talked about how to use MSAL.Net client application to call an Azure Function App with Easy Auth enabled in a regular tenant. In this post, I’ll describe the process to use an MSAL.Net client application to call a Web API application with Easy Auth enabled in a B2C tenant. I assume you already have an API App created on Azure App Service. If you…
Receiving error AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
Problem: An application receives the following error when authenticating to Azure Active Directory: { "error": "invalid_client", "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z", "error_codes": [7000218], …} What does this error mean? The error means exactly what it says. When authenticating to Azure AD to get an access token, the client application is not providing…
AADSTS5011 Error on Kubernetes container app running .Net Core code with an Ingress Controller
I recently worked with a customer who was receiving an AADSTS5011: The reply url specified in the request does not match the reply urls configured for the application on his .Net Core Kubernetes container application with an Ingress Controller. When running from the Docker environment, there was no issue; however, the redirect URI was configured for http://localhost:someport. Once deployed, the redirect URI (as seen in the address bar…
Walkthrough: Using MSAL.Net to call an Azure Function App with Easy Auth enabled
In this post, I'll walk through the steps to create an application using the Microsoft Authentication Library for .Net (MSAL.Net) to call an Azure AD protected Azure Function App using Easy Auth (Azure App Service's Authentication and Authorization feature). 1. Create an Azure Function with Easy Auth enabled: Assuming you already have an Azure Function App created (refer to https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal if you don't know how to create one), go…
Infinite redirect between OpenID Connect Application and Azure AD
Recently I came across an interesting infinite redirection problem between an OpenID Connect (OIDC) Application and Azure AD, as demonstrated in the Fiddler screenshot below. After authentication to Azure AD, we are stuck in an infinite loop between the web site and Azure AD. Eventually the browser gives up and throws an error. This problem only occurs if I start browsing to the site by http protocol (frame 3).…
Retrieving user information from Azure AD's UserInfo Endpoints
In OpenID Connect (OIDC) we have the UserInfo endpoint, which is specific to the OIDC protocol and cannot be used with the plain OAuth2 protocol. To use this endpoint in Azure AD we need a token, obtained without specifying the "Resource" parameter. How to obtain a token (V1): For the sake of this example we'll use the auth code grant flow to request tokens, using the Microsoft Identity Platform V1 endpoint. In a browser…
Receiving error IDX21323 or DX10311 RequireNonce…
Depending on which version of OWIN is used, you may see the following error in an MVC application using the OpenID Connect middleware: IDX21323: RequireNonce is '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is…
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
Last Updated: August 23 2019. Let's get started… When you're developing or integrating an application with Azure AD, you might see an error similar to the following… AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'XXX'. This is because the redirect_uri (when using OpenID Connect) or AssertionConsumerServiceUrl (when using SAML2) being passed to Azure Active Directory for sign-in does not exist in…
Using "groups" claim in Azure Active Directory
Let's get started! To enable the return of groups in a claim, there are two ways… Use the application registration manifest by enabling the groupMembershipClaims property… https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest or, if it's a SAML application, you can enable it through the SSO configuration. The steps for enabling the groups claim are outlined in the following article… https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims Once enabled, groups will be returned in the "groups" claim within an access token or…
Troubleshooting network-related issues when using the ADAL authentication library
Problem: The problem described in this post is often seen in enterprise environments where the customer uses the ADAL.Net library to run code like the following from their corpnet machine to authenticate to Azure Active Directory with a federated account. The network topology in a corporate environment is often complex, with multiple security measures put in place (proxy, firewall, router, etc.) to protect the LAN environment from the internet. Unfortunately, these…