I'm trying to connect to an Azure AD server with an Umbraco website. To start off, I have no knowledge of Azure. There is a third party who administers the Azure part.

We use OWIN to connect to Azure via OpenID. OnStartup:

using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // ClientId, Authority and RedirectUri are read from web.config
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Issuer validation is switched off, so the id_token "iss" claim is not checked
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed
            }
        });
}

The SignIn function in the SurfaceController:

public void SignIn(string ReturnUrl = "/")
{
    // Not signed in yet: challenge the OpenID Connect middleware, which redirects the
    // browser to Azure AD and later returns it to the configured RedirectUri
    if (!Request.IsAuthenticated)
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = ReturnUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}

Here comes the non-working part. If I test this site at a local domain (only available from within our office), it works. If I test this site on a publicly-available staging domain, it works. If I test this site on a live domain, it works.

But as soon as I change a sub-domain, I get sent to the working domain with a "RequireNonce" error. So for example: https://customer.localdomain.com -> login -> I return logged in at https://customer.localdomain.com. https://test.localdomain.com -> login -> I return to https://customer.localdomain.com (notice the domain), with a "Nonce-error".

https://customer.stagingdomain.com -> login -> I return logged in at https://customer.stagingdomain.com. https://test.stagingdomain.com -> login -> I return to https://customer.stagingdomain.com (notice the domain), with a "Nonce-error".

https://www.livedomain.com -> login -> I return logged in at https://www.livedomain.com. https://test.livedomain.com -> login -> I return to https://www.livedomain.com (notice the domain), with a "Nonce-error".

The complete error is:

IDX21323: 
RequireNonce is '[PII is hidden]'. 
OpenIdConnectProtocolValidationContext.Nonce was null, 
OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. 
The nonce cannot be validated. 
If you don't need to check the nonce, set OpenIdConnectProtocolValidator.
RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

What can we do to resolve this problem? Our customer has a couple of subdomains (separate sites) that all need this login functionality. We've tried adding subdomains to a reply-list in Azure (well, the third party added them for us), but that didn't solve the problem.

Is it possible to just turn RequireNonce off somewhere?

Cryothic
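The flow behind the IDX21323 message, modelled in Python as an added example (not code from the question and not the OWIN middleware itself): the relying party stores the nonce in a cookie scoped to the host that started the login, the identity provider echoes the nonce into the id_token and returns the browser to the registered redirect URI, and on the callback the cookie nonce must match the token nonce. When the callback lands on a different host the cookie is absent, so the context nonce is null while the id_token nonce is present. The cookie-name pattern, host names and return strings are constructed for the example; setting require_nonce=False shows what turning RequireNonce off gives up.

```python
import base64
import hashlib
import hmac
import os


class NonceValidationError(Exception):
    pass


def start_login(browser_cookies, request_host, redirect_uri):
    # RP: mint a nonce, store it in a cookie scoped to the host that began the login,
    # and send it in the authorize request. Cookie name approximates OWIN's
    # "OpenIdConnect.nonce.<hash>" convention (constructed for this example).
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    cookie_name = "OpenIdConnect.nonce." + hashlib.sha256(nonce.encode()).hexdigest()[:16]
    browser_cookies.setdefault(request_host, {})[cookie_name] = nonce
    return {"redirect_uri": redirect_uri, "nonce": nonce}


def idp_issue_id_token(authorize_request):
    # IdP: echo the nonce into the id_token and return the browser to the registered
    # redirect_uri, whatever host the login started on.
    return {"redirect_uri": authorize_request["redirect_uri"],
            "id_token": {"sub": "constructed-user", "nonce": authorize_request["nonce"]}}


def handle_callback(browser_cookies, callback_host, id_token, require_nonce=True):
    # RP: the browser only presents cookies for callback_host, so the nonce cookie
    # must exist there and match the id_token nonce. This is the IDX21323 condition.
    cookies = browser_cookies.get(callback_host, {})
    cookie_nonce = next((v for k, v in cookies.items()
                         if k.startswith("OpenIdConnect.nonce.")), None)
    token_nonce = id_token.get("nonce")
    if cookie_nonce is None:
        if require_nonce:
            raise NonceValidationError("IDX21323: context nonce null, id_token nonce present")
        # RequireNonce=false accepts a token with no proof it answers THIS login attempt
        return "signed in, nonce unchecked"
    if not hmac.compare_digest(cookie_nonce, token_nonce or ""):
        raise NonceValidationError("nonce mismatch")
    return "signed in"


def run_flow(request_host, redirect_uri, require_nonce=True):
    # One login: browser starts on request_host, IdP sends it back to the redirect_uri host.
    browser_cookies = {}  # per-host cookie jar, {host: {cookie_name: value}}
    response = idp_issue_id_token(start_login(browser_cookies, request_host, redirect_uri))
    callback_host = response["redirect_uri"].split("/")[2]
    return handle_callback(browser_cookies, callback_host, response["id_token"], require_nonce)
```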

1 Answer

Thank you JamesHamil-MSFT. Posting your suggestion as an answer to help other community members.

"The problem was that the time or automatic reference program service binding a custom domain name. After the application network management is configured. The Host IP that modifies the custom domain name points to a public IP that is gateway." Please try checking that your domain is configured correctly and points to the correct gateway.

Please refer to the links below for further information:

  • Configure App Service with Application Gateway using PowerShell | MS DOC
  • SO THREAD for a similar issue.

AjayKumarGhose