Azure
Custom OpenIdConnectProviders is broken in 1.1.8
Before filing this issue, please ensure you're using the latest CLI by running swa --version and comparing to the latest version on npm.
Are you accessing the CLI from the default port :4280 ?
- [ ] No, I am using a different port number (
--port) and accessing the CLI from that port - [x] Yes, I am accessing the CLI from port
:4280
Make sure you are accessing the URL printed in the console when running
swa start!
ℹ️ NOTE: Make sure to enable debug logs when running any swa commands using --verbose=silly
Describe the bug
When using custom identify providers with OpenID Connect, we should be able to login using the URL
/.auth/login/
To Reproduce Steps to reproduce the behavior:
- Create a new swa project from scratch
- Add
staticwebapp.config.jsonfile with below content in it.
{
"auth": {
"rolesSource": "/api/my/roles",
"identityProviders": {
"customOpenIdConnectProviders": {
"aadb2c": {
"registration": {
"clientIdSettingName": "AADB2C_PROVIDER_CLIENT_ID",
"clientCredential": {
"clientSecretSettingName": "AADB2C_PROVIDER_CLIENT_SECRET"
},
"openIdConnectConfiguration": {
"wellKnownOpenIdConfiguration": "https://AADB2C_PROVIDER_ISSUER_URL/.well-known/openid-configuration"
}
},
"login": {
"nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"scopes": [ "openid", "profile" ],
"loginParameterNames": []
}
}
}
}
}
}
- start the app using
swa start - Go to http://localhost:4280/.auth/login/aadb2c
Expected behavior
Should get the emulator login screen with the provider name as aadb2c
Screenshots
Desktop (please complete the following information):
- OS: Windows
- Version 10
- Node Version 18
- SWA Cli version: 1.1.8
I'm also getting this with aadb2c auth. Downgrading to 1.1.7 fixes it.
"auth": {
"identityProviders": {
"customOpenIdConnectProviders": {
"aadb2c": {
"registration": {
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientCredential": {
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
},
"openIdConnectConfiguration": {
"wellKnownOpenIdConfiguration": "https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1_sign_in/v2.0/.well-known/openid-configuration"
}
},
"login": {
"nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"scopes": ["openid", "profile"],
"loginParameterNames": []
}
}
}
}
},
Edit to add:
A gotcha here is that you also need to change your registered callback URLs in your b2c configuration portal. if you change to aadbc like i did then your new callback uri should reflect that ie. https://mycoolapp.microsoftwhatever.net/.auth/login/aadbc/callback
Another gotcha is that it can take an arbitrary amount of time for Azure to update their redirect caches. This may lead one to an hour of work trying to figure out what they did wrong because aadb2c will report redirect_uri_mismatch errors even after you update your redirect configurations in the portal.
If you use User Flows then for some reason running the "Test User Flow" clears up this issue and your new callbacks will work. /shrug
I actually just ran in to this. This appears to be because of a difference in the expectations of the emulator's code and what the "documentation" suggest.
This issue is that these regex only parse for [a-z] and your custom provider is named "aadb2c" Which is what this documentation explicitly suggests.
if you change the name to something those regex can parse like "aadbc" it should work. You will need to change it everywhere in your staticwebapp.config.json.
ie:
{
"auth": {
"identityProviders": {
"customOpenIdConnectProviders": {
"aadbc": {
"registration": {
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientCredential": {
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
},
"openIdConnectConfiguration": {
"wellKnownOpenIdConfiguration": "https://xxx.b2clogin.com/xxx.onmicrosoft.com/B2C_1_xxx/v2.0/.well-known/openid-configuration"
}
},
"login": {
"nameClaimType": "emails",
"scopes": ["openid", "profile", "offline_access"],
"loginParameterNames": []
}
}
}
}
},
"navigationFallback": {
"rewrite": "/index.html",
"exclude": ["/public/*"]
},
"routes": [
{
"route": "/sign-in",
"redirect": "/.auth/login/aadbc"
},
{
"route": "/sign-up",
"redirect": "/.auth/login/aadbc"
},
{
"route": "/logout",
"redirect": "/.auth/logout?post_login_redirect_uri=sign-in"
}
...
],
"responseOverrides": {
"401": {
"statusCode": 302,
"redirect": "/.auth/login/aadbc?post_login_redirect_uri=.referrer"
}
}
}
@aoscodes I can confirm this as well. After the 1.1.8 update, it seems that numerical characters are no longer valid and only [a-z] works. I was able to "fix" the issue by changing the provider key in my staticwebapp.config.json from auth0 to authzero and then navigating to /.auth/login/authzero instead.
Downgrading to 1.1.7 is the workaround for now I suppose. StaticWebApps still appears to work in production, just not the emulator.
@aoscodes for reference to others who use aadb2c as customOpenIdConnectProviders and see when developing locally after a redirect:
We couldn't find that page, please check the URL and try again.
I believe previously b2c was part of the docs with the naming of "b2c" as a proposed way to configure the authentication. Example projects
Can confirm that this still happens with 2.0.1. Custom identity providers with numerical names are not supported. Affected by regex here. Solution was to rename the connector name from b2c to btoc 🙄
Any updates on when this is going to be fixed? It seems the changes were reverted before and re-applied after 2.0.2: https://github.com/Azure/static-web-apps-cli/commit/ec3894989eec0b22dea3cfcfb6972efaf111ae3b
Hi @Skleni we are prepping for a new release soon. It was reverted for v2.0.2 release for a critical change due to a deprecation. Please stay tuned for v2.0.3 soon :)
Still not fixed as of 2.0.4 😕 This issue should probably be reopened
