microsoft-identity-web: [Bug] Signing in users breaks when using backchannel proxy

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. 0.3.1-preview

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?

a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro I have a public repro which is mainly a new project created with dotnet new mvc2 -singleauth template, then modified to handle Cloud Foundry variable parsing to obtain proxy information, and create the back channel proxy. Relevant code for Proxy is below. ā€“ repro here

I am not sure why, but simply changing back to .AddAzureAD, changing options to OpenIdConnectOptions, and no other changes, the back channel communication works properly.

        public void PostConfigure(string name, MicrosoftIdentityOptions options)
            Log.Debug("Starting PostConfigure");
            var proxyURI = VCAPHelper.GetSquidUri();
            Log.Debug("Setting Proxy URI to {Proxy}", proxyURI);

            if (!string.IsNullOrEmpty(proxyURI))
                var webProxy = new WebProxy()
                    Address = new Uri($"http://{VCAPHelper.GetSquidHost()}:{VCAPHelper.GetSquidPort()}"),
                    BypassProxyOnLocal = true,
                    UseDefaultCredentials = false,
                    Credentials = new NetworkCredential(VCAPHelper.GetSquidUsername(), VCAPHelper.GetSquidPassword())
                var httpClientHandler = new HttpClientHandler()
                    Proxy = webProxy,
                    UseDefaultCredentials = true,
                    UseProxy = true
                options.Backchannel = new HttpClient(httpClientHandler, true);

Expected behavior I would expect back channel behavior to work normally when access through a proxy is required to access metadata at

Actual behavior Receive an error below presumably due to some communication on the back channel not working through the proxy.

IOException: IDX20804: Unable to retrieve document from: ''.

Additional context / logs / screenshots There was an issue open under aspnetcore last year where I got the AzureAD piece working, that issue is, for reference.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 22 (1 by maintainers)

Most upvoted comments

Iā€™d suggest using the same pattern as AspNet, injecting IOptions<AadIssuerValidatorOptions> so the developer can do something like this in startup:

services.Configure<AadIssuerValidatorOptions>(options =>
  options.Backchallel = ...
  options.Configuration = ...

@jennyf19 : moving this to an enhancement as @Tratcher provided more context about what needs to be done. @Tratcher : would inject an IHttpClient be a god solution? It might be worth a quick sync to be sure we are not iterating towards the solution šŸ˜ƒ

The ConfigurationManager I linked to uses its own HttpClient instance with only the default proxy settings.

It needs to be replaced by one that allows you to pass in the HttpClient like this:

Until then the above workarounds that let you configure the default proxy for the whole application should work.