Summary
The issue at hand involves an ASP.NET Core application using Microsoft Entra ID as an external login provider via OpenID Connect. After a successful authentication, the user is redirected to /signin-microsoft, but instead of completing the login process, the application displays a “resource not found” error. This problem seems to be tenant-specific and occurs despite the successful completion of the Entra ID authentication and the presence of the authorization code and state in the callback URL.
Root Cause
The root cause of this issue can be attributed to several factors, including:
- Incorrect redirect URI configuration: the redirect URI registered in Entra ID (here /signin-microsoft) does not match the callback path the OpenID Connect handler in the ASP.NET Core application listens on (the default is /signin-oidc), so the callback request is never intercepted by the handler and falls through to routing as an unknown resource
- Mismatched tenant IDs between the Entra ID configuration and the ASP.NET Core application
- Insufficient permissions or incorrect scopes configured for the Entra ID application
- Middleware configuration issues in the ASP.NET Core application, such as UseAuthentication being missing or placed after the endpoint middleware
Why This Happens in Real Systems
This issue can occur in real systems due to:
- Human error during the configuration of Entra ID or the ASP.NET Core application
- Lack of understanding of the OpenID Connect protocol and its requirements
- Inadequate testing of the external login flow, particularly in different tenant configurations
- Versioning issues with the ASP.NET Core framework or the Microsoft Entra ID library
Real-World Impact
The impact of this issue includes:
- Failed external login attempts, resulting in a poor user experience
- Increased support requests and debugging efforts
- Potential security exposure when the misconfiguration involves redirect URIs, permissions or scopes
- Delays in application deployment or updates due to unresolved authentication issues
Example or Code
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "OpenIDConnect";
})
.AddCookie("Cookies")
.AddOpenIdConnect("OpenIDConnect", options =>
{
    // Tenant-specific authority: {tenantId} must be the tenant that holds the app registration.
    options.Authority = "https://login.microsoftonline.com/{tenantId}";
    options.ClientId = "{clientId}";
    options.ClientSecret = "{clientSecret}"; // load from configuration or a secret store, not source
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.SaveTokens = true;
    // The handler only intercepts requests on CallbackPath (default /signin-oidc). It must equal the
    // redirect URI registered in Entra ID; otherwise /signin-microsoft falls through to routing and 404s.
    options.CallbackPath = "/signin-microsoft";
    options.Events = new OpenIdConnectEvents
    {
        OnAuthorizationCodeReceived = context =>
        {
            // Optional hook for custom token exchange / external login completion logic.
            // The handler redeems the code for tokens itself unless context.HandleCodeRedemption() is called.
            return Task.CompletedTask;
        }
    };
});
How Senior Engineers Fix It
Senior engineers can fix this issue by:
- Verifying the configuration of the Entra ID application and the ASP.NET Core application
- Checking the middleware order and ensuring that the authentication middleware is correctly configured
- Enabling detailed error messages and authentication logging (for example, handling the OpenID Connect handler's remote-failure event and raising its log level) to see the actual failure instead of a generic error page
- Testing the external login flow with different tenant configurations and users
- Consulting the documentation for ASP.NET Core Identity, Microsoft Entra ID, and OpenID Connect
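As an added example (not code from the original page), a minimal Program.cs that applies the checks above: the callback path is set to the /signin-microsoft redirect URI from the scenario, the authority is tenant-specific, remote failures are logged, and the middleware is ordered correctly. The "EntraId" configuration section and the .NET implicit usings are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Assumed "EntraId" section in appsettings/user secrets: TenantId, ClientId, ClientSecret.
var entra = builder.Configuration.GetSection("EntraId");
var tenantId = entra["TenantId"] ?? throw new InvalidOperationException("EntraId:TenantId is missing");

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Tenant-specific authority: the handler validates the token issuer against this tenant's
    // metadata, so tokens minted for another tenant are rejected (the tenant-ID mismatch case).
    options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
    options.ClientId = entra["ClientId"];
    options.ClientSecret = entra["ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.UsePkce = true;
    // Must equal the redirect URI registered on the app registration. The default is /signin-oidc;
    // with /signin-microsoft registered instead, the callback is never intercepted and ends in a 404.
    options.CallbackPath = "/signin-microsoft";
    options.Events = new OpenIdConnectEvents
    {
        // Log the real failure (state mismatch, AADSTS error) instead of showing a generic error page.
        OnRemoteFailure = ctx =>
        {
            ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>()
               .LogError(ctx.Failure, "OIDC callback failed on {Path}", ctx.Request.Path);
            return Task.CompletedTask;
        }
    };
});
builder.Services.AddAuthorization();
var app = builder.Build();

// Pipeline order matters: authentication must run before authorization and endpoint execution.
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}").RequireAuthorization();
app.Run();
```

Because OnRemoteFailure does not call HandleResponse(), the failure still surfaces as an exception after being logged, which is what you want while diagnosing.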
Why Juniors Miss It
Junior engineers may miss this issue due to:
- Lack of experience with ASP.NET Core Identity and OpenID Connect
- Insufficient understanding of the authentication flow and its components
- Inadequate testing and debugging skills
- Overlooking configuration details, such as the redirect URI or tenant ID
- Not consulting the documentation or seeking guidance from senior engineers