Azure Active Directory always redirects to '~/.auth/login/done' when deployed to Azure despite working on localhost

Question

So I'm developing an ASP.NET Core app (.NET Core 2.0), hosted as App Service on Azure. I want to implement authentication with Azure AD, using a single tenant (so only account from our company). I actually added all necessary code, registered the app and configured everything in App Service (at least I think so) and it even works without any problems when I run it locally. The problem occur when I publish the app to Azure and try to log in there. Instead of being redirected to the view of my choice, I am being redirected to '~/.auth/login/done' and I see this: https://i.sstatic.net/gU3Vf.jpg

So as I said, I registered the app and added app url and reply urls, they look like this:

• [app_name].azurewebsites.net/.auth/login/aad/callback
• https://localhost:44359/.auth/login/aad/callback

I configured the app service itself in Authentication/Authorization section, with advanced settings. Currently the fields Client Secret and Allowed token audiences are empty. I don't want user to be authenticated right after he enters the website, but when he clicks a certain button, so I set "Allow anonymous requests(no action)". I added necessary code for it to work:

AccountController:

    [Authorize]
    [Route("[controller]/[action]")]
    public class AccountController : Controller
    {
        private readonly OmsIntegrationContext _context;
        private readonly IUserService _userService;

        public AccountController(OmsIntegrationContext context, IUserService userservice)
        {
            _context = context;
            _userService = userservice;
        }

        [HttpGet]
        [AllowAnonymous]
        public IActionResult LoginAzureAd(string returnUrl)
        {
            var redirectUrl = Url.Action(nameof(ChangeRequestController.Index), "ChangeRequest");

            return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl },
                OpenIdConnectDefaults.AuthenticationScheme);
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task LogoutAzureAd()
        {
            if (User.Identity.IsAuthenticated)
            {
                await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
            }
        }

Startup.cs:

            services.AddAuthentication(x =>
                {
                    x.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    x.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    x.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    x.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                })
                .AddOpenIdConnect(options =>
                {
                    var azureAdConfig = Configuration.GetSection("AzureAd");

                    options.Authority = azureAdConfig.GetValue<string>("Instance") +
                                            azureAdConfig.GetValue<string>("Domain");
                    options.ClientId = azureAdConfig.GetValue<string>("ClientId");
                    options.ResponseType = OpenIdConnectResponseType.IdToken;
                    options.CallbackPath = azureAdConfig.GetValue<string>("Callback");
                    options.SignedOutRedirectUri = "https://appname.azurewebsites.net/";
                    options.TokenValidationParameters.NameClaimType = "name";
                    options.UseTokenLifetime = true;
                })
                .AddCookie()
                .AddSalesforceAuthentications(AuthConfigs);

            services.ConfigureApplicationCookie(x =>
            {
                x.Cookie.Name = ".SalesForce.Cookie"; //This isn't my code. Could this cause problems?
            });

Note: Generally salesforce auth is used in this project, Azure AD is supposed to function only for a certain module, for users who don't have SF account. It's not my idea, but I have to do that this way

appsettings.json:

  "AzureAd": {
    "ClientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "TenantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "XXXXX.onmicrosoft.com",
    "Callback": "/.auth/login/aad/callback"
  }

What I want to achieve and what I have achieved when running on localhost is that when user enters the web app, he clicks a button, is authenticated with Azure AD using company account and the redirected to ~/ChangeRequest/Index. But I cannot make it work after deploy. I found similar issue here:

https://forums.asp.net/t/2155544.aspx?AAD+REPLY+URL+issue+signin+oidc+vs+auth+login+aad+callback+Azure+Government+

but the way this guy solved it is not an option for me. Any ideas?

Answer 1

I managed to fix the issue. Apparently one cannot configure this auth in App Service and in one's code at the same time. All I had to do was to turn off authentication on Azure Portal, in the Authentication/Authorization section of App Service. It's my first question on stackoverflow and I don't really know if should delete this question. If so, then please tell me.