'Wanting to have seperate policies for SignIn and SignUp while using MSAL.net - both receiving webhook for AuthorizationCodeReceived

I have a .net mvc project based on b2c-webapi-dotnet ([https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi][1]) where I can register users or allow them to sign in via b2c (both operations having the same SignUpSignIn policy). This works as I expect.

I'm now trying to split this single policy into two, so having a SignUp policy and an additional SignIn policy

As part of this, both policies need to hit the AuthorizationCodeReceived hook so that I can pull out the b2c oid guid. This is used to find additional information on a user stored in a separate database.

What I am finding is that OnAuthorizationCodeReceived is only called when using one of my policies, its the default policy that I set into the MetadataAddress property when setting up the authorization.

In the code below, whichever policy I set for Settings.B2C_DefaultPolicyId (either SignIn or SignUp) is the one that has OnAuthorizationCodeReceived called.

Can anyone tell me if there is a way to have both policies be able to call OnAuthorizationCodeReceived ?

I appreciate any help you can give.

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        // ASP.NET web host compatible cookie manager
        CookieManager = new SystemWebChunkingCookieManager()
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information
            MetadataAddress = String.Format(WellKnownMetadata, Common.Settings.AppSettings.B2C_Tenant, Settings.B2C_DefaultPolicyId),

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = Settings.AppSettings.B2C_ClientID,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = PostLogoutRedirectUri,

            // Specify the callbacks for each type of notifications
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },

            // Specify the claim type that specifies the Name property.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                ValidateIssuer = false
            },

            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"openid profile offline_access {Settings.AppSettings.B2C_ReadTasksScope} {Settings.AppSettings.B2C_WriteTasksScope}",

            // ASP.NET web host compatible cookie manager
            CookieManager = new SystemWebCookieManager()
        }
    );
}
authorizationazure-ad-b2cazure-ad-b2c-custom-policy


Solution 1:[1]

I've figured it out with the help of a colleague

From the example code I had, one of the callbacks had some code that needed to be updated

private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    var policy = notification.OwinContext.Get<string>("Policy");

    if (!string.IsNullOrEmpty(policy) && !policy.Equals(Globals.DefaultPolicy))
    {
        notification.ProtocolMessage.Scope = OpenIdConnectScope.OpenId;
        notification.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;
        notification.ProtocolMessage.IssuerAddress = notification.ProtocolMessage.IssuerAddress.ToLower().Replace(Globals.DefaultPolicy.ToLower(), policy.ToLower());
    }

    return Task.FromResult(0);
}

The ResponseType needs to be changed from IdToken to CodeIdToken. Doing this means the non default Policy also hits the callback AuthorizationCodeReceived

One side affect of doing this is that after OnAuthorizationCodeReceived is hit, the callback for AuthenticationFailed is also hit.

To handle this, I've just put a conditional statement in the OnAuthenticationFailed method that returns to the root view (notification.Response.Redirect("/"))

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Steve B

Related Questions

enable Apache http Authorization header

Blazor @attribute [Authorize] tag is not working

Prevent database access outside the application

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Authorization in ASP.NET Core. Always 401 Unauthorized for [Authorize] attribute

Sonarqube authorization - how to authorize with sonar-maven-plugin when sonar.forceAuthentication is enabled

How to set token in authorization header in flutter Dio post request

Subscription-scope authorization for Azure Resource Manager API user

Does an OAuth Consumer validate a bearer token with the OAuth provider on each request

Https twice on my redirect_uri shopify when trying to authorize my application

Is there a way to Redirect in AuthorizationHandler in .Net 5?

Set default header for every fetch() request

ahrefs.com authorization using python requests

nestjs return undefined in Public Guards

ASP.NET 5 Authorize against two or more policies (OR-combined policy)