2

I'm trying to use OAuth to facilitate integration between an ASP.NET Core app and filing bugs in Azure DevOps. I followed the guide: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops using the ASP.NET Core 3.0 middleware to configure OAuth.

When I hit a page that's been marked with [Authorize], it properly redirects me to the devops auth page with the scopes I've requested, but when I authorize, it redirects me back to my server but has the error:

{"Error":"invalid_client","ErrorDescription":"Invalid client auth token."}

I've confirmed I'm using the right endpoints and the right client secret in my config.

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "ado";
    })
    .AddCookie()
    .AddOAuth("ado", options =>
    {
        options.ClientId = "[AppId from devops]";
        options.ClientSecret = "[Client Secret from devops]";
        options.CallbackPath = new PathString("/signin-ado");

        options.AuthorizationEndpoint = "https://app.vssps.visualstudio.com/oauth2/authorize";
        options.TokenEndpoint = "https://app.vssps.visualstudio.com/oauth2/token";

        options.Scope.Add("vso.identity");
        options.Scope.Add("vso.work_full");

        options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "UserId");
        options.ClaimActions.MapJsonKey(ClaimTypes.Email, "EmailAddress", ClaimValueTypes.Email);
        options.ClaimActions.MapJsonKey(ClaimTypes.Name, "Name");
    });

    services.AddControllersWithViews();

Configure:

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });

The examples I found using OAuth with DevOps are from ASP.NET Web Forms; are there any for ASP.NET Core?

(This is the full error)

An unhandled exception occurred while processing the request.
Exception: OAuth token endpoint failure: Status: BadRequest;Headers: Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Set-Cookie: VstsSession=%7B%22PersistentSessionId%22%3A%22f8e30b87-a6eb-470d-9ea2-ddf7b1f0dd84%22%2C%22PendingAuthenticationSessionId%22%3A%2200000000-0000-0000-0000-000000000000%22%2C%22CurrentAuthenticationSessionId%22%3A%2200000000-0000-0000-0000-000000000000%22%7D; domain=.visualstudio.com; expires=Mon, 16-Sep-2024 22:38:25 GMT; path=/; secure; HttpOnly
X-TFS-ProcessId: 98486e68-ccc8-4bc2-9907-f44cec26922a
Strict-Transport-Security: max-age=31536000; includeSubDomains
ActivityId: b0088e1b-d2d0-4788-8328-d97aeeecb447
X-TFS-Session: b0088e1b-d2d0-4788-8328-d97aeeecb447
X-VSS-E2EID: b0088e1b-d2d0-4788-8328-d97aeeecb447
Request-Context: appId=cid-v1:20b3930f-73dc-453a-b660-e3891d782eef
Access-Control-Expose-Headers: Request-Context
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: 9DC5A709B96D4D838858E4FC56797DE4 Ref B: WSTEDGE1017 Ref C: 2019-09-18T22:38:25Z
Date: Wed, 18 Sep 2019 22:38:24 GMT
;Body: {"Error":"invalid_client","ErrorDescription":"Invalid client auth token."};
Unknown location

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
4
  • Have you added app.UseAuthentication(); in the Configure function? Commented Sep 19, 2019 at 9:00
  • Thanks, I added the configure section Commented Sep 19, 2019 at 15:43
  • @ScottFoster1000 was the issue fixed after adding Configure? You can post this solution and mark it as the answer for those who may encounter this problem too. Commented Sep 20, 2019 at 6:47
  • No, unfortunately that was just the configure section I already had. Commented Sep 20, 2019 at 16:15

2 Answers

0

If your POST for the authorization code was done via a URL-encoded query string, you can try doing it via the request body instead. You can refer to a sample here.

0

The issue is that the parameters used in the OAuthHandler to exchange the authorization code for a token are different than those used in the Azure devops auth sample.

https://github.com/aspnet/AspNetCore/blob/master/src/Security/Authentication/OAuth/src/OAuthHandler.cs, line 179

https://github.com/microsoft/azure-devops-auth-samples/blob/master/OAuthWebSample/OAuthWebSample/Controllers/OAuthController.cs, line 74

You can work around this by creating your own handler that inherits from OAuthHandler and overrides the ExchangeCodeAsync method to use the parameters from the sample.
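
A sketch of the workaround described in this answer, added here as an example (it is not code from the answer or from either linked repository). The class name `AdoOAuthHandler` is an assumption; the form fields follow the token request format in the Azure DevOps OAuth guide linked in the question, and the signatures are those of the ASP.NET Core 3.0 `OAuthHandler`.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical handler (the name is an assumption). Register it with:
//   .AddOAuth<OAuthOptions, AdoOAuthHandler>("ado", options => { ... })
public class AdoOAuthHandler : OAuthHandler<OAuthOptions>
{
    public AdoOAuthHandler(IOptionsMonitor<OAuthOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }

    protected override async Task<OAuthTokenResponse> ExchangeCodeAsync(OAuthCodeExchangeContext context)
    {
        // Azure DevOps expects the client secret and the code as JWT-bearer assertions in the POST body.
        var form = new Dictionary<string, string>
        {
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = Options.ClientSecret,
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = context.Code,
            ["redirect_uri"] = context.RedirectUri,
        };

        using var request = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint)
        {
            Content = new FormUrlEncodedContent(form)
        };
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        using var response = await Backchannel.SendAsync(request, Context.RequestAborted);
        if (!response.IsSuccessStatusCode)
        {
            // Surface only the status code, so response headers and session cookies stay out of error pages and logs.
            return OAuthTokenResponse.Failed(new HttpRequestException(
                $"Token endpoint returned HTTP {(int)response.StatusCode}."));
        }

        return OAuthTokenResponse.Success(
            JsonDocument.Parse(await response.Content.ReadAsStringAsync()));
    }
}
```

Load `ClientSecret` from configuration or a secret store rather than a literal in `Startup`, since this handler sends it as the `client_assertion` value on every code exchange.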
