I have migrated an existing website to authenticate with Azure AD B2C Sign-in Service. It works perfectly in the local machine (IIS). But when I deployed in one of the Development Server, it gets into infinite loop between the app and B2C post successful sign-in (ID Token Generated). Below is the configured OpenID Connect options
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
CookieName = "<cookie name>"
}
);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(aadInstance, Tenant, DefaultPolicy),
ClientId = ClientId,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = PostLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
//
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
//
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
RedirectToIdentityProvider = OnRedirectToIdentityProvider
},
// Specify the claims to validate
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid {ReadTasksScope}"
}
);
Infinite loop happens as the sequence mentioned
- B2C - SelfAsserted? (Post submit on Logon page)
- B2C - Confirmed?
- WebForms App - Redirect to App URL -> https://localhost:44371
- Authorize?
During Step 3, an app cookie should have been generated, but it didn't. Hence infinite loop happens between Step 3 & 4
OpenIdConnect.nonce.XbB4GN2ZUT%2BT%2F68ac5W7J4VdbdOn%2FHq6yFiDSrBIdjk%3D=R2RQbVA3b0hhaUh2Y1JMc212aGlnRWwtd3kzdW1vNklGMGw2eDV1dnlKbVNCQTNkUHNVczVPajdyaDhiaHNFMG9lWlItSGQtcVZpanBOQTd0azVBaHNPTDNEYjdUY3lBUE5ocUR3VDJEZVNPZXo4d0pTSVk0c0prWUEzZE90M2poSlczODVYX0NibE05LXNnc2tNem05eTl4R1lhNTBFV2hVYjJ6LVUwMjhNLWk3ZTBMOGhjbHN1ckh1cVBKamh4eVRLMUVHb2JnbGlzZjRMUm5zY3VvUkNDdExXaEFjWjFnTVVralYwWEIxaw%3D%3D; path=/; expires=Wed, 31-Jan-2018 12:35:46 GMT; secure; HttpOnly
Where as, in the local machine, the application cookie (with custom name) gets generated during the step 3.
OpenIdConnect.nonce.LWWLkUxp3jcWGk%2BpYClSUqjCShbiZeKXNPv%2FYWgFS20%3D=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT<app_cookie_name>=-Q6cr6axj6kqZ6UklGCuSwqVswxcbH2-LehbrNpAHQ0gP9wvonjl95fHPO0oGRh252UiTX9MhOLl6pG82ES04TRoxCWTo3Gn2dLf-8L0eSZkr01q7QuQEP8NNckhaduiC54l1biHvLan561N6aAz8vzWNu54ceKghDbMBrx1MsbHVGnkfPonU3a8lK6p0tc3Q8_He0vx8ipM0rg2V5gegWGLfmp035bXUwqGWghdlE8tzIkUqBafOrcWR_tcXe342Ujd1MJfX5tokLSA-ZC88b1T-xxhp153sZqZFHPH8AdaA6aLcuGBdhwdmi4vQZSOKAIWoWRpWORHAMR5Pg3FVlDLXG95ro036z3IHFzt2wkt9lw3ubDZQnLt9cm8NT6bwobkXmVaLoE1qEFujfDesA5b-6_WgmqrOEPCDm5PfJ69_qz3_x7Cv-i5dIkeFauT7guBeZim2KA3HllkWmhS2jlSZvzXDSVe5QDyYgdjAIvjLDEnyxe_Xj6OtITjBnnI2Q10HQM6ja3OuHfbtG2fwqSyiPQNRS4uS-l0qtQUC7RrbQL2ix-N5gpNzYtqk98SjwFe99y-FAgUk9EXE7YOG6200ECiA0uYeNSt63sXglhrTr0y3a_F2lCgt8e2uczGsdVwA8MQyC7qkRtpuizwxjRNAMa8lS4vkwFWOFgVVlS18xN19bg-ZKp91R4dDISRuyO6JwYVq3fuVbacs_RFuBRALsg8Nph20Y5gFzdYK_CU-k5JLQd-OwyoB7qdbHMnqvXVvnEZ4uyORGWrZ3zKFSlDLeOwIfb6gblLh7HNioN0wvG7oBAofMAJvKMaLTL6xzbTOlnF90WlBuMLjXYY-WrsLyHMopK93Uqy8SCmfGIHIbBM0v6kvo3MjKCG7yBUsZUYXKadn3VwQqC9TfJuQJEiMyMBxgZf_whscA-gvabVnJwEexZIKKUkVpsrmoUyuoTuWSRUvz3YMjGHohg3Jw; path=/; secure; HttpOnly
Got stuck with this without any clue. But I am going to try with customizing the cookie manager of CookieAuthentication Options as mentioned in this stackoverflow question
But I am not confident since it works on local machine, why not in the server. Please help me to get out of this problem.
