IdentityServer4 and Azure AD - Getting blank page 404 to login.live after entering credentials

Question

I am trying to setup Azure AD as an external provider for IdentityServer4 in a development environment. Google and Facebook providers already are hooked up successfully. I'm directed to the login page on login.microsoft.com where I enter my login id and select an MS account, it then directs me to login.live.com as a blank page (404) instead of redirecting back to my IdentityServer instance.

I've tried a bunch of things but have had no luck.

Do I need to enable Enterprise Applications in Azure?

Am I missing something?

IdentityServer URL: http://localhost:5000

IdentityServer URL: http://localhost:47740

...
app.UseOpenIdConnectAuthentication(CreateAzureAdOptions(clientId, tenantId));
...

 public static OpenIdConnectOptions CreateAzureAdOptions(string clientId, string tenentId)
    {
        return new OpenIdConnectOptions
        {
            DisplayName = "Azure Active Directory",
            AuthenticationScheme = "Azure",
            ClientId = clientId,
            Authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}", tenentId),
            ResponseType = "id_token",
            Scope = { "openid" },
            SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
            AutomaticChallenge = true,
            AutomaticAuthenticate = true,
            RequireHttpsMetadata = false,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false
            }
        };
    }

Answer 1

This probably is related to the size of the url when returning from AAD. This is actualy a 404.15 IIS specific status code. If you have a lot of claims returned from your External identity provider (ie a profile image base64) then you will always hit the cap in url length HTTP Error 404.15 - query url too long RSS.

IdenitityServer4 has a topic in the docs that addresses this issue by using the distributed cache underneath. It is located under Sign-in with External Identity Providers - State, URL length, and ISecureDataFormat

Abstract:

Fortunately, IdentityServer provides an implementation of this for you, backed by the IDistributedCache implementation registered in the DI container (e.g. the standard MemoryDistributedCache). To use the IdentityServer provided secure data format implementation, simply call the AddOidcStateDataFormatterCache extension method on the IServiceCollection when configuring DI. If no parameters are passed, then all OpenID Connect handlers configured will use the IdentityServer provided secure data format implementation.