Exception handler causes a 404

[tango-charly]

Describe the bug

I deployed a website on Azure Webapp with Azure AD, i created the webapp with the command:
dotnet -o webapp -au SingleOrg -clientId [...]

So i got a sample web app with AzureAD Authentication Azure AD Ui in Nuget dependance to handle the user AD Authentication.

In local it works pretty well (y)

But when i deployed with azure devops in Azure Web App, i received a 404 not found for:
/AzureAD/Home/SignIn
Areas:AzureAD Controller:Account Action:SignIn

I have no idea why, i didn't find issues wich solve this problem.

To Reproduce

Create a sample web app and deploy on basic azure Web App (with azure cli)

Appsettings :

{
  "AzureAd": {
    "Instance": "my_instance_url",
    "Domain": "my_domain_url",
    "TenantId": "dummydummy",
    "ClientId": "dummydummy",
    "CallbackPath": "/signin-oidc"
}

Startup.cs > ConfigureServices

        public void ConfigureServices(IServiceCollection services)
        {
// ...
            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

            services.AddControllersWithViews(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            });
// ...
}

Startup.cs > Configure

  public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
// ...
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "areas",
                    pattern: "{area:exists}/{controller=Home}/{action=Index}/{id?}");
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "Home/{controller=Home}/{action=Index}/{id?}");
                endpoints.MapRazorPages();
            });
// ...
     }

Get 404 response, the Area Azure AD is not found.

Kudu confirm Azure Ad UI Dlls are here :

• Microsoft.AspNetCore.Authentication.AzureAD.UI.dll - 34kb
• Microsoft.AspNetCore.Authentication.AzureAD.UI.Views.dll -26kb

Did i miss something or there is an issue about import of area in external package ?

Further technical details

• ASP.NET Core 3.1
• Azure Web App (no Authentication configured)

[Tratcher]

What do the server logs report?
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-3.1#configuration

I've seen this happen if there was an exception and then it couldn't find the error page.

[tango-charly]

👍 That's it
But the Error page seems to be found.
Found in event logs :

<EventData>
<Data>
Category: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware EventId: 1 RequestId: 80003f7f-0000-ec00-b63f-84710c7967bb RequestPath: /AzureAD/Account/SignIn SpanId: |b86f0bbd-42a4ac07d31725bc. TraceId: b86f0bbd-42a4ac07d31725bc ParentId: An unhandled exception has occurred while executing the request. Exception: System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel) at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties) at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties) at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties) at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties) at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties) at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties) at Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResultFilterAsync>g__Awaited|29_0[TFilter,TFilterAsync](ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResultExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.ResultNext[TFilter,TFilterAsync](State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeResultFilters() --- End of stack trace from previous location where exception was thrown --- at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync() --- End of stack trace from previous location where exception was thrown --- at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope) at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
</Data>
</EventData>
</Event>```

Misconfiguration with my Azure AD, maybe the permission with the URL website.

[Tratcher]

Great. As for the 404, was your sample created from one of the templates or from scratch? There should be an error page / controller action there.

[Tratcher]

This keeps happening with the exception handler middleware. Something is misconfigured or missing so you end up with a misleading result (404) rather than a report that you app experienced an exception.

Proposal: if an exception occurred, the middleware re-executes to handle it, and the result is a 404 (or any other 4xx?) without a body, then provide a default 500 error and a message that an exception occurred and the exception handler was unable to handle it, please check the application logs.

[tango-charly]

I created from scracth but i moved my Home controller and views in a folder. This is not so sample after all. I changed the basic configuration and path for razor engine template.

-Areas/
-Home/
--Controllers
--Models
--Views
----Shared

This morning i created a true sample app, my configuration is working.
I will handle 4xx to see the problem, it could help someone else.
But, for the moment, I still don't understand why there is no problem in local

[tango-charly]

Ok ! There is no error in log because there is no error in app !
It works !
But my Azure AD configuration was well configured and it threw an exception even if it didn't use the custom error page.
Is it the desired behavior ?

Startup.cs
app.UseExceptionHandler("/error");
Controller
I forgot the attribute
[Route("error")]

[tango-charly]

Repo

Redirection does not include the domain. It results by
subdomain/AzureAD/Account/SignIn
It should be
subdomain.domain/AzureAD/Account/SignIn
(Subdomain = app service resource name)

[Tratcher]

The exception you shared was:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync

A) Follow the instructions at https://aka.ms/IdentityModel/PII to get the full value. (We've filed a but about removing that requirement for this specific exception.)
B) This error is related to both the runtime environment and the app configuration. It's using fields you specified in config to request validation keys from an external resource. Your app config could be wrong in the published environment, or it could be unable to contact the external resource. (I'd have expected an inner exception to give more details...).