IS4: Request not valid for the application's 'userAudience' configuration
I'm trying to use an external login provider in my IdentityServer4. I followed the quickstart, and everything was working fine; now I'm trying to add Microsoft login.

I added this code in IS4's Startup:

services.AddAuthentication()
        .AddMicrosoftAccount(o =>
        {
            o.SignInScheme = IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme;
            o.ClientId = "yadayada";
            o.ClientSecret = "yoyoyoyo";
        });

In the Azure Portal, I've defined the scope:

  • openid
  • profile

And I'm getting this error after entering my Microsoft username/password:

Exception: invalid_request;Description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()
IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

EDIT: This is a bug in Asp.NET Core. Tracked here: https://github.com/dotnet/AspNetCore.Docs/issues/19795

Infiltration answered 16/9, 2020 at 16:13

I was getting the same error. I was able to fix it by re-creating the app registration and picking the supported account type:

  • Accounts in any organizational directory and personal Microsoft accounts.
Actinomycete answered 18/6, 2022 at 17:54

You can simply go to the Azure portal, open the Manifest section, and change the signInAudience value from PersonalMicrosoftAccount to AzureADandPersonalMicrosoftAccount. If it doesn't exist, create both the key and the value.

Mythicize answered 18/6, 2023 at 15:59

Just change the default TokenEndpoint and AuthorizationEndpoint to the endpoints displayed in the Endpoints section of the App registrations top menu:

services.AddAuthentication().AddMicrosoftAccount(o =>
{
    o.ClientId = clientId;
    o.ClientSecret = clientSecret;
    // A PersonalMicrosoftAccount registration uses the /consumers/ endpoints, not /common/
    o.TokenEndpoint = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token";
    o.AuthorizationEndpoint = "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize";
});

because they are set to the default values if not configured:

public static class MicrosoftAccountDefaults
{
    public const string AuthenticationScheme = "Microsoft";

    public static readonly string DisplayName = "Microsoft";

    public static readonly string AuthorizationEndpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";

    public static readonly string TokenEndpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/token";

    public static readonly string UserInformationEndpoint = "https://graph.microsoft.com/v1.0/me";
}
Electrotechnics answered 19/8 at 7:5
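The two fixes above (matching the app registration's signInAudience, or overriding the handler's /common/ endpoints) can be tied together so the tenant segment is derived from the manifest value instead of hand-typed. This is an added example, not code from the question or any answer; the class and method names, and the signInAudience-to-segment mapping taken from the Microsoft identity platform documentation, are my own.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using IdentityServer4;

// Hypothetical helper: picks the login.microsoftonline.com tenant segment that
// matches the registration's signInAudience, so a 'Consumer' app never hits /common/.
public static class MicrosoftAccountAudienceExtensions
{
    private static readonly Dictionary<string, string> TenantSegmentByAudience =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["PersonalMicrosoftAccount"]           = "consumers",     // personal accounts only
            ["AzureADMultipleOrgs"]                = "organizations", // any work/school tenant
            ["AzureADandPersonalMicrosoftAccount"] = "common",        // 'All': the only audience valid for /common/
        };

    // Returns the path segment for the given manifest signInAudience value.
    // Single-tenant (AzureADMyOrg) registrations need their own tenant id.
    public static string TenantSegmentFor(string signInAudience, string tenantId = null)
    {
        if (string.Equals(signInAudience, "AzureADMyOrg", StringComparison.OrdinalIgnoreCase))
            return tenantId ?? throw new ArgumentNullException(nameof(tenantId),
                "a single-tenant registration must supply its tenant id");
        if (TenantSegmentByAudience.TryGetValue(signInAudience, out var segment))
            return segment;
        throw new ArgumentException($"Unknown signInAudience '{signInAudience}'", nameof(signInAudience));
    }

    // Registers the Microsoft account handler for IdentityServer4's external cookie scheme,
    // with both OAuth endpoints derived from the audience rather than the /common/ defaults.
    public static AuthenticationBuilder AddMicrosoftAccountForAudience(
        this AuthenticationBuilder builder, string signInAudience,
        string clientId, string clientSecret, string tenantId = null)
    {
        var segment = TenantSegmentFor(signInAudience, tenantId);
        return builder.AddMicrosoftAccount(o =>
        {
            o.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            o.ClientId = clientId;
            o.ClientSecret = clientSecret;
            o.AuthorizationEndpoint = $"https://login.microsoftonline.com/{segment}/oauth2/v2.0/authorize";
            o.TokenEndpoint = $"https://login.microsoftonline.com/{segment}/oauth2/v2.0/token";
        });
    }
}
```

In Startup this replaces the AddMicrosoftAccount call with, for example, `services.AddAuthentication().AddMicrosoftAccountForAudience("PersonalMicrosoftAccount", clientId, clientSecret);`, and the string is best read from configuration alongside the client secret rather than hard-coded.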
