
BUG - Blazor Server Side - Azure AD Auth -Works Locally but not in Azure... #1834

Open
Yashuaa opened this issue Aug 9, 2022 · 3 comments
Open
Labels
question Further information is requested

Comments

@Yashuaa

Yashuaa commented Aug 9, 2022

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

1.25.0

Web app

Sign-in users and call web APIs

Web API

Protected web APIs call downstream web APIs

Token cache serialization

In-memory caches

Description

App
Blazor Server Side

Framework
.NET 6

Issue
I have an Azure App Registration that logs users in and then makes a call to the Microsoft Graph API.. It works fine locally, but in Azure it will not work no matter what I do...

First off, here is the line of code I'm working with

services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(Constants.AzureAd))
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

Again, this works fine locally but will not work in Azure.. This is the message I get in Azure Log Streams

[Error] Microsoft.AspNetCore.Components.Server.Circuits.CircuitHost: Unhandled exception in circuit 'LMYZ-AWyuRkg-FuRx6EPC9D9daW7r64I6iP1NAfXkYw'.
System.AggregateException: One or more errors occurred. (IDW10503: Cannot determine the cloud Instance. The provided authentication scheme was ''. Microsoft.Identity.Web inferred 'AppServicesAuthentication' as the authentication scheme. Available authentication schemes are 'Cookies,AppServicesAuthentication'. See https://aka.ms/id-web/authSchemes. )
---> System.InvalidOperationException: IDW10503: Cannot determine the cloud Instance. The provided authentication scheme was ''. Microsoft.Identity.Web inferred 'AppServicesAuthentication' as the authentication scheme. Available authentication schemes are 'Cookies,AppServicesAuthentication'. See https://aka.ms/id-web/authSchemes.
   at Microsoft.Identity.Web.TokenAcquisition.GetOptions(String authenticationScheme, String& effectiveAuthenticationScheme)
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
   at Microsoft.Identity.Web.TokenAcquisition.GetAccessTokenForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
   at

The failure actually happens here when I try to get the access token for the user who signed in

var accessToken = await _tokenAcquisitionService.GetAccessTokenForUserAsync(AppConstants.MicrosoftGraphApiService.Permissions.ReadUserProfile);

Now, when I go to the link here that the exception suggests: https://aka.ms/id-web/authSchemes - I see nothing of use or relevant to Blazor Server Side app...

There is a suggestion that "Cookie schemes" is how to fix the issue I'm having.. but, that doesn't work either.. The link is here: https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes#cookie-schemes

If I try to add those lines of code, first off they don't work, get an exception that cookie scheme is already enabled, and second off, they don't include the DownstreamApi extension method and other stuff I need.

Going to mention @sven5 and @Contengo on this issue.. maybe they know more about this?

#549 (comment)

So what is the answer here?

Reproduction steps

  1. Create Blazor Server Side App (.NET 6)
  2. Copy the code I put above
  3. Deploy it to Azure

Error message

IDW10503: Cannot determine the cloud Instance. The provided authentication scheme was ''. Microsoft.Identity.Web inferred 'AppServicesAuthentication' as the authentication scheme. Available authentication schemes are 'Cookies,AppServicesAuthentication'. See https://aka.ms/id-web/authSchemes. )--->

Id Web logs

No response

Relevant code snippets

services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(Constants.AzureAd))
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

Regression

No response

Expected behavior

Um, I expect it to work in Azure like it works locally in

@Yashuaa Yashuaa added the question Further information is requested label Aug 9, 2022
@Yashuaa Yashuaa changed the title Blazor Server Side - Azure AD Auth -Works Locally but not in Azure... BUG - Blazor Server Side - Azure AD Auth -Works Locally but not in Azure... Aug 9, 2022
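The IDW10503 text in the issue body says the library inferred 'AppServicesAuthentication' and that only 'Cookies' and 'AppServicesAuthentication' were registered, so the OpenID Connect scheme that the posted code sets up locally was not present in the deployed app. The Program.cs below is an added example for a .NET 6 Blazor Server app; it is not the issue author's code and not code from the Microsoft.Identity.Web project. It names the OpenID Connect scheme explicitly at registration and again when calling GetAccessTokenForUserAsync (the explicit-scheme variation the wiki link in the later comment points to), and it adds a diagnostic endpoint that lists the schemes actually registered in the running process so the deployed slot can be checked against the local run. The "User.Read" scope (standing in for AppConstants.MicrosoftGraphApiService.Permissions.ReadUserProfile) and the two endpoint paths are assumptions.

```csharp
// Program.cs for a .NET 6 Blazor Server app. Added example, not the code from the
// issue above and not from the Microsoft.Identity.Web project. Assumptions: the
// "AzureAd" configuration section is populated, and "User.Read" stands in for the
// scope the post calls AppConstants.MicrosoftGraphApiService.Permissions.ReadUserProfile.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Scope requested from Microsoft Graph on behalf of the signed-in user (assumed value).
string[] graphScopes = { "https://graph.microsoft.com/User.Read" };

// Name the OpenID Connect scheme explicitly instead of relying on the parameter
// default, so the same name is used at registration and at token acquisition time.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(
        builder.Configuration.GetSection(Constants.AzureAd),
        openIdConnectScheme: OpenIdConnectDefaults.AuthenticationScheme)
    .EnableTokenAcquisitionToCallDownstreamApi(graphScopes)
    .AddInMemoryTokenCaches();

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();
builder.Services.AddServerSideBlazor();

var app = builder.Build();

app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint (assumed path): lists the authentication schemes registered in
// this process. Run against the App Service deployment, it shows whether
// 'OpenIdConnect' is present or whether 'AppServicesAuthentication' was registered
// in its place, which is the situation the IDW10503 message in the issue describes.
// Limited to signed-in users and intended to be removed once the deployment is verified.
app.MapGet("/diag/auth-schemes", async (IAuthenticationSchemeProvider schemes) =>
{
    var names = (await schemes.GetAllSchemesAsync()).Select(s => s.Name).ToArray();
    return Results.Ok(new { registeredSchemes = names });
}).RequireAuthorization();

// Token acquisition with the scheme passed explicitly, so Microsoft.Identity.Web does
// not have to infer one. If that scheme is missing in the deployed app, the IDW10503
// text then reports the scheme that was provided instead of an inferred one, which
// makes the mismatch between local and Azure registration visible in the log.
app.MapGet("/diag/graph-token-check", async (ITokenAcquisition tokenAcquisition) =>
{
    string token = await tokenAcquisition.GetAccessTokenForUserAsync(
        graphScopes,
        authenticationScheme: OpenIdConnectDefaults.AuthenticationScheme);
    // Never return the token itself; report only that one was obtained and its length.
    return Results.Ok(new { acquired = !string.IsNullOrEmpty(token), length = token.Length });
}).RequireAuthorization();

app.MapControllers();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();
```

Calling /diag/auth-schemes on the local run and on the Azure deployment, while signed in, gives the two scheme lists to compare; if the deployed list matches the error message (no 'OpenIdConnect'), the difference is in how the app is being registered in that environment rather than in the token-acquisition call. Both endpoints are diagnostic only: they expose nothing beyond scheme names and a token length, and they should not ship in the production build.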
@Yashuaa
Author

Yashuaa commented Aug 15, 2022

Just want to update yall - this is definitely a bug with Blazor and Azure App Service / Azure AD... We had to totally get rid of Microsoft Graph API to get this to work, it will not work with Graph API. We just get that obscure error every time.

Another thing - this code in general does not work.. The only way we could get it to work was by changing OpenId.Defaults to a hard-coded "openid2" which I found from a MSFT employees GH sample repository.. So that should probably be documented that "openid" does not work but for some strange reason "openid2" does...

Also notice here - https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes#cookie-schemes:~:text=Here%20is%20a%20variation%20of%20our%20test%20app%20above%2C%20where%20the%20authentication%20scheme%20is%20explicitly%20set%20for%20the%20AAD%20controller%20calling%20Microsoft%20Graph.

@Yashuaa
Author

Yashuaa commented Aug 27, 2024

Wow, not even a response on here in 2 years! Lol. & this bug is floating out there

@sven5

sven5 commented Aug 30, 2024

Sorry, I never dealt with downstream APIs.
