
Unauthorized error when following "Desktop app calls Web API" instructions #187

Open
dpaulino opened this issue Feb 28, 2021 · 7 comments
Labels
bug Something isn't working

Comments

@dpaulino

Please provide us with the following information:


This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Follow the instructions completely. Then change the tenant to common in both App.config and appsettings.json. Then, sign in with a personal Microsoft account.


Any log messages given by the failure

"An error occurred while getting /api/todolist > Unauthorized"

Expected/desired behavior

No errors.

OS and Version?

Windows 10 19042

Versions

Mention any other details that might be useful

I understand that the instructions say "this sample does not work with personal microsoft accounts". What do I have to do in order to protect an API using personal Microsoft accounts? This sample is everything that I need, except that I just need to accept personal MSAs from users. Please help!


Thanks! We'll be in touch soon.

@jmprieur
Contributor

@dpaulino it will work provided you change the audience of your web API to be Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)

@dpaulino
Author

> @dpaulino it will work provided you change the audience of your web API to be Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)

I used chapter 1 instructions.

That's already the audience of the web API. In fact, the instruction already specifies that audience. But it doesn't work. I'm getting unauthorized error.

Is the issue related to my tenant? I'm using my default tenant. Should I create a new tenant?

And I haven't seen chapter 3 yet. I can try it.

@dpaulino
Author

dpaulino commented Mar 1, 2021

For clarity, here is where the instruction says what audience to use: https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API#register-the-service-app-todolistservice-active-directory-dotnet-native-aspnetcore-v2. So how come I'm getting an unauthorized error when I use my personal Microsoft account?


@jmprieur
Contributor

jmprieur commented Mar 1, 2021

@dpaulino
Could you please debug the web API by using the TodoListService launch profile (which is Kestrel, not IIS) and look at the logs that appear in the console?
You should be able to see an error, and we'd understand what happens.

I'm assuming that the token is not validated (and that you don't enter into the controller Get method).

You might also want to add PII logging, for instance in the constructor of Startup.cs, add:

```csharp
using Microsoft.IdentityModel.Logging;

// Include PII (claim values, token details) in IdentityModel exception messages
// so the console log says why validation failed.
IdentityModelEventSource.ShowPII = true;
```
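
Before the API's own log output is in hand, a first triage step for a 401 is to read the claims of the access token the desktop app actually sends and compare them with what the TodoListService expects (audience, issuer/tenant, lifetime). The Python script below is an added example, not code from this sample, from Microsoft.Identity.Web or from the thread's participants. The expected audience is a placeholder GUID you would replace with your own app registration's value, and the tokens it inspects are constructed inline and unsigned so the script runs offline. It deliberately skips signature verification because the point is reading claims during triage; the web API still performs full validation.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Audience the TodoListService expects. Placeholder GUID (assumption): substitute
# the client id / App ID URI from your own app registration.
EXPECTED_AUDIENCE = "api://00000000-0000-0000-0000-000000000000"
# Tenant id Azure AD uses when it issues tokens for personal Microsoft accounts (MSA).
# Seeing it in `tid` tells you the sign-in was an MSA sign-in, not an org account.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, payload) WITHOUT checking the signature.

    For reading claims during triage only; the web API must still validate
    signature, issuer, audience and lifetime itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def triage_token(token: str, expected_audience: str,
                 now: Optional[float] = None) -> List[str]:
    """Explain why a bearer token would fail the API's validation.

    Returns findings prefixed "error:" (would produce a 401) or "info:"."""
    now = time.time() if now is None else now
    findings: List[str] = []
    _, claims = decode_jwt_unverified(token)

    aud = claims.get("aud")
    if aud != expected_audience:
        findings.append(f"error: audience mismatch, token aud={aud!r} but the API "
                        f"expects {expected_audience!r} (token minted for another resource)")

    iss = claims.get("iss", "")
    tid = claims.get("tid")
    if tid is None:
        findings.append("error: no tid claim, token was not issued by Azure AD / MSA")
    elif tid not in iss:
        findings.append(f"error: issuer {iss!r} does not belong to tenant tid={tid!r}")
    elif tid == MSA_TENANT_ID:
        findings.append("info: issued for a personal Microsoft account, so the API's "
                        "registration audience must include personal Microsoft accounts")

    exp = claims.get("exp")
    if exp is None:
        findings.append("error: no exp claim")
    elif exp < now:
        findings.append(f"error: token expired {int(now - exp)} seconds ago")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        findings.append("error: token not yet valid (nbf is in the future)")

    return findings


def make_sample_token(claims: Dict) -> str:
    """Build a CONSTRUCTED, unsigned token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.not-a-real-signature"


NOW = 1614556800  # 2021-03-01T00:00:00Z, roughly the date of this thread

# Constructed: what a personal account would receive for the API via `common`.
GOOD_MSA_TOKEN = make_sample_token({
    "aud": EXPECTED_AUDIENCE,
    "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0",
    "tid": MSA_TENANT_ID,
    "exp": NOW + 3600, "nbf": NOW - 60,
})

# Constructed: a token minted for Microsoft Graph instead of the API; the API rejects it.
WRONG_AUDIENCE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0",
    "tid": MSA_TENANT_ID,
    "exp": NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_MSA_TOKEN), ("wrong-aud", WRONG_AUDIENCE_TOKEN)]:
        print(name)
        for finding in triage_token(tok, EXPECTED_AUDIENCE, now=NOW):
            print("  ", finding)
```

Paste the raw bearer token captured from the desktop app (for example from the Authorization header in a debugger) into `triage_token` with your real audience; an `error:` line points at the configuration to fix, while an empty error list means the claims look right and the cause lies elsewhere, as it did in this thread.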

@dpaulino
Author

dpaulino commented Mar 8, 2021

I figured out the issue. By sheer luck, I discovered that Azure AD's free-tier has a Single Sign-On limitation. You can only have 10 app registrations for SSO to work. I had 11. I reduced this down to 8, and then this sample code magically started working.

I'm extremely frustrated by this whole experience. The error messages I'm getting from Microsoft Identity made no mention of the SSO limitation. I'm just thankful that in my desperation, I was browsing through AAD's settings pages to see if I missed a setting somewhere.

Perhaps you may want to add a warning like this in your docs: "Be aware that Azure AD has a limit of 10 app registrations when it comes to SSO authentication. This sample code will ask you to create 2 new app registrations, so please make sure you are not over the 10-app limit after creating them." Or something like that.

So this issue is resolved, but I recommend adding the warning. Feel free to close this ticket as you see fit.

@jmprieur
Contributor

jmprieur commented Mar 8, 2021

Thanks for the update @dpaulino
I didn't know either. I wonder if this is recent.

@jennyf19 @henrik-me : let's try to improve the error message if we can at the level of Microsoft.Identity.Web (and possibly MSAL (@jennyf19 @henrik-me @bgavrilMS @trwalke @pmaytak)

cc: @lnalepa @SaeedAkhter-MSFT for the feedback ...

@bgavrilMS
Contributor

Not sure what fails here, but we need a bug in either MSAL or Id.Web to improve the experience.

@bgavrilMS bgavrilMS added the bug Something isn't working label Jan 16, 2024