Custom OpenIdConnectProviders is broken in 1.1.8 #844

SirMrDexter opened this issue May 31, 2024 · 5 comments · May be fixed by #895
Labels
command: start All issues related to the start command priority: medium (P1) Medium priority runtime: static Issues related a static app (not API) scope: auth Issues related to the authentication emulator type: bug Something isn't working version: ga Issues related to major/GA releases
Comments

@SirMrDexter

SirMrDexter commented May 31, 2024

Before filing this issue, please ensure you're using the latest CLI by running swa --version and comparing to the latest version on npm.

Are you accessing the CLI from the default port :4280 ?

  • No, I am using a different port number (--port) and accessing the CLI from that port
  • Yes, I am accessing the CLI from port :4280

Make sure you are accessing the URL printed in the console when running swa start!

ℹ️ NOTE: Make sure to enable debug logs when running any swa commands using --verbose=silly

Describe the bug
When using custom identity providers with OpenID Connect, we should be able to log in using the URL
/.auth/login/
Refer to docs: https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=openid-connect%2Cinvitations#configure-a-custom-identity-provider
But since 1.1.8, when you log in using that URL you get a 404 response.
Instead, when you change the login URL to /.auth/login/customOpenIdConnectProviders, then it works. This is contrary to how the URL works in the cloud.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new swa project from scratch
  2. Add staticwebapp.config.json file with below content in it.
{
  "auth": {
    "rolesSource": "/api/my/roles",
    "identityProviders": {
      "customOpenIdConnectProviders": {
        "aadb2c": {
          "registration": {
            "clientIdSettingName": "AADB2C_PROVIDER_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "AADB2C_PROVIDER_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://AADB2C_PROVIDER_ISSUER_URL/.well-known/openid-configuration"
            }
          },
          "login": {
            "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "scopes": [ "openid", "profile" ],
            "loginParameterNames": []
          }
        }
      }
    }
  }
}
  3. Start the app using swa start
  4. Go to http://localhost:4280/.auth/login/aadb2c

Expected behavior
Should get the emulator login screen with the provider name as aadb2c

Screenshots
(two screenshots attached to the original issue)

Desktop (please complete the following information):

  • OS: Windows
  • Version 10
  • Node Version 18
  • SWA Cli version: 1.1.8
@jag43

jag43 commented Jun 11, 2024

I'm also getting this with aadb2c auth. Downgrading to 1.1.7 fixes it.

  "auth": {
    "identityProviders": {
      "customOpenIdConnectProviders": {
        "aadb2c": {
          "registration": {
            "clientIdSettingName": "AZURE_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "AZURE_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1_sign_in/v2.0/.well-known/openid-configuration"
            }
          },
          "login": {
            "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "scopes": ["openid", "profile"],
            "loginParameterNames": []
          }
        }
      }
    }
  },

@adrianhall adrianhall added type: bug Something isn't working priority: medium (P1) Medium priority scope: auth Issues related to the authentication emulator runtime: static Issues related a static app (not API) version: ga Issues related to major/GA releases command: start All issues related to the start command labels Jun 28, 2024
@adrianhall adrianhall added this to the 1.1.12 milestone Jun 28, 2024
@aoscodes

aoscodes commented Jul 4, 2024

Edit to add:
A gotcha here is that you also need to change your registered callback URLs in your B2C configuration portal. If you change to aadbc like I did, then your new callback URI should reflect that, i.e. https://mycoolapp.microsoftwhatever.net/.auth/login/aadbc/callback

Another gotcha is that it can take an arbitrary amount of time for Azure to update their redirect caches. This may lead one to an hour of work trying to figure out what they did wrong because aadb2c will report redirect_uri_mismatch errors even after you update your redirect configurations in the portal.

If you use User Flows then for some reason running the "Test User Flow" clears up this issue and your new callbacks will work. /shrug


I actually just ran into this. This appears to be because of a difference in the expectations of the emulator's code and what the "documentation" suggests.

The issue is that these regexes only parse for [a-z] and your custom provider is named "aadb2c", which is what this documentation explicitly suggests.

If you change the name to something those regexes can parse, like "aadbc", it should work. You will need to change it everywhere in your staticwebapp.config.json.

i.e.:

{
  "auth": {
    "identityProviders": {
      "customOpenIdConnectProviders": {
        "aadbc": {
          "registration": {
            "clientIdSettingName": "AZURE_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "AZURE_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://xxx.b2clogin.com/xxx.onmicrosoft.com/B2C_1_xxx/v2.0/.well-known/openid-configuration"
            }
          },
          "login": {
            "nameClaimType": "emails",
            "scopes": ["openid", "profile", "offline_access"],
            "loginParameterNames": []
          }
        }
      }
    }
  },
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/public/*"]
  },
  "routes": [
    {
      "route": "/sign-in",
      "redirect": "/.auth/login/aadbc"
    },
    {
      "route": "/sign-up",
      "redirect": "/.auth/login/aadbc"
    },
    {
      "route": "/logout",
      "redirect": "/.auth/logout?post_login_redirect_uri=sign-in"
    }
  ...
  ],
  "responseOverrides": {
    "401": {
      "statusCode": 302,
      "redirect": "/.auth/login/aadbc?post_login_redirect_uri=.referrer"
    }
  }
}

@AverageCakeSlice

@aoscodes I can confirm this as well. After the 1.1.8 update, it seems that numerical characters are no longer valid and only [a-z] works. I was able to "fix" the issue by changing the provider key in my staticwebapp.config.json from auth0 to authzero and then navigating to /.auth/login/authzero instead.

Downgrading to 1.1.7 is the workaround for now I suppose. StaticWebApps still appears to work in production, just not the emulator.
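As an added illustration (not code from the swa-cli project), the following TypeScript shows how a login-route pattern that admits only [a-z] makes documented provider names such as aadb2c and auth0 unreachable, how widening it to [a-z0-9] fixes that while still anchoring the route to one path segment and checking the name against the configured providers, and a preflight check that lists which configured providers a given pattern cannot reach. The two regexes and the config are assumptions reconstructed from this thread, not the project's own.

```typescript
// Added example, not swa-cli source. The two patterns below are an assumed
// reconstruction of the behaviour described in this thread, not the
// project's actual regex.
type IdentityProviders = {
  customOpenIdConnectProviders?: Record<string, unknown>;
};

// Pattern that only admits lowercase letters: "aadb2c" and "auth0" never match.
const LOGIN_ROUTE_LETTERS_ONLY = /^\/\.auth\/login\/([a-z]+)$/;
// Widened pattern: digits are allowed, the route stays anchored to one segment.
const LOGIN_ROUTE_ALNUM = /^\/\.auth\/login\/([a-z0-9]+)$/;

// Constructed config with the provider keys from the thread; the registration
// details do not matter for route resolution and are left empty.
const CONFIG: IdentityProviders = {
  customOpenIdConnectProviders: { aadb2c: {}, auth0: {} },
};

type LoginResolution =
  | { status: 200; provider: string }
  | { status: 404; reason: string };

// Resolve a login path the way a local emulator would: drop the query string
// (e.g. post_login_redirect_uri), match the route, then require the extracted
// name to be a configured provider so a redirect can only go to a known issuer.
function resolveLogin(
  path: string,
  pattern: RegExp,
  providers: IdentityProviders,
): LoginResolution {
  const route = path.split("?")[0];
  const m = pattern.exec(route);
  if (!m) return { status: 404, reason: "path does not match the login route" };
  const name = m[1];
  const custom = providers.customOpenIdConnectProviders ?? {};
  if (!Object.prototype.hasOwnProperty.call(custom, name)) {
    return { status: 404, reason: `no custom provider named "${name}"` };
  }
  return { status: 200, provider: name };
}

// Preflight check: which configured providers can never be reached through a
// given route pattern? Run this against a config before debugging redirects.
function unreachableProviders(pattern: RegExp, providers: IdentityProviders): string[] {
  return Object.keys(providers.customOpenIdConnectProviders ?? {}).filter(
    (name) => !pattern.test(`/.auth/login/${name}`),
  );
}
```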

@jonnekleijer

@aoscodes for reference to others who use aadb2c as customOpenIdConnectProviders and see when developing locally after a redirect:

We couldn't find that page, please check the URL and try again.

I believe previously b2c was part of the docs with the naming of "b2c" as a proposed way to configure the authentication.
Example projects

@davormaricdev

davormaricdev commented Nov 5, 2024

Can confirm that this still happens with 2.0.1. Custom identity providers with numerical names are not supported. Affected by regex here. Solution was to rename the connector name from b2c to btoc 🙄

jonnekleijer added a commit to jonnekleijer/static-web-apps-cli that referenced this issue Nov 5, 2024
various documented providers currently do not work with the local authorization emulator (e.g. auth0, aadb2c), because numbers are not captured in the regex

Fixes Azure#844