[WinUI/UWP] Oidc Authentication wrapper problem with issuer/endpoints

[mezdelex]

Hi, as the title suggest, I'm having issues with the Oidc Authentication wrapper since the expected behavior of what it wraps is not as it should be, I guess.

For reference, I created a project with dotnet new unoapp -o Whatever -preset=recommended -platforms android ios --vscode.

I also followed this guide to add Oidc Authentication to the app: dotnet new unoapp

Then I have my appsettings.development.json like this:

{
  "AppConfig": {
    "Environment": "Development"
  },
  "Oidc": {
    "Authority": "https://login.microsoftonline.com/<tenantId>/v2.0",
    "ClientId": "<clientId>",
    "ClientSecret": "<clientSecret>",
    "RedirectUri": "msal<tenantId>://auth",
    "Scopes": [
      "user.read"
    ],
    "TenantId": "<tenantId>"
  }
}

With the necessary info filled.

And this is the LoginModel.cs:

using KatalystApp.Application.Shared;
using KatalystApp.Domain.Models;

namespace KatalystApp.Presentation.ViewModels;

public partial class LoginModel : BaseModel
{
    private readonly IAuthenticationService _authenticationService;
    public IAsyncRelayCommand Authenticate { get; }

    public LoginModel(
        IConfiguration configuration,
        IDispatcher dispatcher,
        INavigator navigator,
        IOptions<AppConfig> appInfo,
        IStringLocalizer localizer,
        Store store,
        IAuthenticationService authenticationService
    ) : base(configuration, dispatcher, navigator, appInfo, localizer, store)
    {
        IsLoading = true;

        _authenticationService = authenticationService;
        Authenticate = new AsyncRelayCommand(AuthenticateAsync);

        IsLoading = false;
    }

    private async Task AuthenticateAsync()
    {
        IsLoading = true;

        try
        {
            var isAuthenticated = await _authenticationService.LoginAsync(dispatcher: _dispatcher, credentials: new Dictionary<string, string>
            {
                { "Authority", _configuration["Oidc:Authority"]! },
                { "ClientId", _configuration["Oidc:ClientId"]! },
                { "ClientSecret", _configuration["Oidc:ClientSecret"]! },
                { "RedirectUri", _configuration["Oidc:RedirectUri"]! },
                { "Scopes", _configuration.GetSection("Oidc:Scopes")!.Get<string[]>()!.Aggregate("", (accumulator, next) => accumulator += $"{next};") },
                { "TenantId", _configuration["Oidc:TenantId"]! }
            }, cancellationToken: CancellationToken.None);

            if (isAuthenticated)
                // Msgraph?
                Store.UserName = "Obtener el nombre de MsGraph";
        }
        catch (Exception ex)
        {
            Store.UserName = ex.Message;
        }

        await GoToHome();

        IsLoading = false;
    }

    private async Task GoToHome() => await _navigator.NavigateViewModelAsync<HomeModel>(typeof(LoginModel));
}

And this is the code fragment that contains the login button at LoginPage.xaml:

<StackPanel Grid.Row="2" HorizontalAlignment="Center" VerticalAlignment="Top">
	<Button Content="Log In" AutomationProperties.AutomationId="LogInButton" Width="200" Command="{Binding Authenticate, Mode=OneTime}" Background="DarkMagenta" Foreground="White" />
</StackPanel>

Ok, the thing is that if I use a Oauth2 type of Authority /v2.0 in the appsettings, the login process returns:
"endpoint belongs to different authority" error
And if I use the Oauth type of Authority, the app registration at Azure by default, it returns the error:
"issuer name does not match authority"

In both cases, I cannot use the wrapper as it is since it needs to be added some workaround to bypass those problems.

My questions is, where and how should I handle this problem in a Uno Platform way?

I've seen workarounds like this from Stackoverflow:

var client = httpClientFactory.CreateClient();
       var disco = await client.GetDiscoveryDocumentAsync(
            new DiscoveryDocumentRequest
            {
                Address = "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/v2.0",
                Policy =
                {
                    ValidateIssuerName = true,
                    ValidateEndpoints = true,
                    AdditionalEndpointBaseAddresses = { "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/token",
                                                        "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/authorize",
                                                        "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/discovery/v2.0/keys",
                                                        "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/devicecode",
                                                        "https://graph.microsoft.com/oidc/userinfo",
                                                        "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/logout"
                                                      }
                },
            }
        );

Or setting "accessTokenAcceptedVersion": 2 in the app manifest, which I did, and in theory doing that together with Oauth2 type of Authority it should call the corresponding endpoints from https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration but I get the same endoints not belonging error.

Any suggestion will be appreciated.

Thanks in advance.

[nickrandolph]

Hi @mezdelex, before we try to dig into how to adjust the Uno wrapper for oidc, are you able to get any of the oidc samples or a basic non-uno based application to authenticate? If you are, we should be able to use that to work out what we need to modify within uno.
The support for oidc within Uno is a wrapper around https://www.nuget.org/packages/IdentityModel.OidcClient. So long as we can get the OidcClient to work, we should be able to adjust the configuration within Uno.

[mezdelex]

So I added IdentityModel.OidcClient NuGet to the project and after adding some changes to the Policy as shown in the code below, it's not giving me any issuer nor endpoints errors anymore.

    private async Task AuthenticateAsync()
    {
        IsLoading = true;

        try
        {
            var client = new OidcClient(new OidcClientOptions
            {
                Authority = _configuration["Oidc:Authority"],
                ClientId = _configuration["Oidc:ClientId"],
                ClientSecret = _configuration["Oidc:ClientSecret"],
                Policy = new Policy
                {
                    Discovery = new DiscoveryPolicy
                    {
                        ValidateEndpoints = true,
                        ValidateIssuerName = true,
                        AdditionalEndpointBaseAddresses = _configuration.GetSection("Oidc:AdditionalEndpointBaseAddresses").Get<string[]>()
                    }
                },
                RedirectUri = _configuration["Oidc:RedirectUri"],
                Scope = _configuration["Oidc:Scope"]
            });

            var result = await client.LoginAsync();

            if (!result.IsError)
                Store.UserName = result.AccessToken;
        }
        catch (Exception ex)
        {
            Store.UserName = ex.Message;
        }
    }

Considering the issue, it would be necessary to expose at least these properties in the wrapper. I can't login yet because it threw no browser configured error, but that's another issue. I will keep the post updated with the complete process the moment everything works fine.