
Login/Out problem with Entra External ID (example BlazorWebAppEntra-.net9). Login successful, logout with problem #60941


Closed
1 task done
nefen opened this issue Mar 15, 2025 · 7 comments
Labels
area-security External This is an issue in a component not contained in this repository. It is open for tracking purposes.

Comments

@nefen

nefen commented Mar 15, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I tried to follow this document:
Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID
and test this example:
9.0/BlazorWebAppEntra

I can login without problem, but logout throws an exception.

I actually made no change to the sample code, just added Azure AD data in appsettings.json.
Even this was not an easy task. In the sample, the requested info inside appsettings.json is:

"AzureAd": {
    "CallbackPath": "/signin-oidc",
    "ClientId": "11111111-1111-1111-111111111111",
    "Domain": "qualified.domain.name",
    "Instance": "https://login.microsoftonline.com/",
    "ResponseType": "code",
    "TenantId": "22222222-2222-2222-222222222222"
  },

With this set of data, I couldn't log in to Entra External ID. Finally, I found a very interesting article:
ASP.NET Core authentication using Microsoft Entra External ID for customers (CIAM)
by damienbod, who stated the following appsettings.json data:

// -- using ciamlogin.com --
"EntraExternalID": {
    "Authority": "https://damienbodciam.ciamlogin.com/",
    "ClientId": "0990af2f-c338-484d-b23d-dfef6c65f522",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
    // "ClientSecret": "--in-user-secrets--"
},

By following this pattern, I registered an app by using the following:

  "AzureAd": {
    "ClientId": "09e03b7f-7c63-4e7f-96bc-4787861dab20",
    "CallbackPath": "/signin-oidc",
    "Authority": "https://bustrack20241114tn.ciamlogin.com/",
    "SignedOutCallbackPath": "/signout-callback-oidc",
    //"PostLogoutRedirectUri": "https://localhost/",
    "ClientCredentials": [
      {
        "SourceType": "ClientSecret",
        "ClientSecret": "8Gt8Q~uVC_Kr19SQ0U5x3yJ54OZ3p4iJcBXPDb_u"
      }
    ]
  },

These are real data from my registered app to assist anyone who wishes to try! This is a testing app and I will keep it (with the secrets) live for the next 15 days.

Expected Behavior

To login and logout without this problem:

Image
parameter a = '{"error":"Internal Error: ServerData.urlRU was not specified.","userList":[],"postLogoutRedirectUriValid":false}'

when I press continue, then the following appear in the output window:

Uncaught TypeError TypeError: Failed to execute 'postMessage' on 'Window': The provided value cannot be converted to a sequence.
at _oX (logincdn.msftauth.net/16.000/content/js/MeControl_cysVI1AUwAea_LJc1LVFSA2.js:1:15546)
at (logincdn.msftauth.net/16.000/content/js/MeControl_cysVI1AUwAea_LJc1LVFSA2.js:1:15195)
--- setTimeout ---
at evt_MeControl_onload (logincdn.msftauth.net/16.000/content/js/MeControl_cysVI1AUwAea_LJc1LVFSA2.js:1:15141)
at (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:12198:11:12231)
at a (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:7668:11:8252)
at t (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:7668:11:8391)
at i (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:7668:11:8589)
at e (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:7668:11:8047)
at r (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:7668:11:8067)
at n.when (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:7668:11:8752)
at e.WhenLoaded (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:9430:11:10291)
at window.WhenAllLoaded (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:11984:11:12047)
at onload (login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct&wreply=https%3A%2F%2Fbustrack20241114tn.ciamlogin.com&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7062%2Fsignout-callback-oidc꞉11:12198:11:12205)

Steps To Reproduce

  1. I cloned the sample
  2. I set up the app registration in my Entra (it is already done)
  3. I updated appsettings.json
  4. I ran and proceeded to login with the following credentials (these also will be valid for the next 15 days):
    [email protected] hw3Gc590_
  5. I selected logout

The app registration is:

Image

Exceptions (if any)

Uncaught TypeError TypeError: Failed to execute 'postMessage' on 'Window': The provided value cannot be converted to a sequence.

.NET Version

9.0.3

Anything else?

cc: @guardrex dotnet/blazor-samples#489
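A small check for the two appsettings shapes contrasted above (the sample's Instance/TenantId form and the Authority-based form for External ID) that also flags a client secret left in the file. This is an added example, not code from the issue or the samples repo; the two configurations inside it are constructed copies with dummy GUIDs and a placeholder secret.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample, not from the issue: the shape shipped with the Blazor sample, dummy GUIDs.
WORKFORCE_CFG = """{ "AzureAd": {
    "CallbackPath": "/signin-oidc",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "Domain": "qualified.domain.name",
    "Instance": "https://login.microsoftonline.com/",
    "ResponseType": "code",
    "TenantId": "22222222-2222-2222-222222222222" } }"""

# Constructed sample: the Authority-based shape used for External ID, with a
# commented-out line (appsettings allows // comments) and a placeholder secret.
CIAM_CFG = """{ "AzureAd": {
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "CallbackPath": "/signin-oidc",
    "Authority": "https://contoso.ciamlogin.com/",
    "SignedOutCallbackPath": "/signout-callback-oidc",
    //"PostLogoutRedirectUri": "https://localhost/",
    "ClientCredentials": [ { "SourceType": "ClientSecret",
                             "ClientSecret": "PLACEHOLDER-NOT-A-REAL-SECRET" } ] } }"""


def load_appsettings(text):
    """Parse appsettings.json, dropping whole-line // comments that json.loads rejects."""
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))


def lint_azuread(text):
    ad = load_appsettings(text).get("AzureAd", {})
    findings = []
    if "Authority" in ad:
        authority = ad["Authority"]
        host = urlparse(authority).hostname or ""
        if host.endswith(".ciamlogin.com"):
            kind = "external-id"
        else:
            kind = "workforce" if host.endswith("login.microsoftonline.com") else "other"
        if "Instance" in ad or "TenantId" in ad:
            findings.append("Authority set together with Instance/TenantId; use one form only")
    elif "Instance" in ad and "TenantId" in ad:
        # Workforce authority is Instance followed by TenantId.
        authority = ad["Instance"].rstrip("/") + "/" + ad["TenantId"] + "/"
        kind = "workforce"
    else:
        authority, kind = None, "unknown"
        findings.append("no Authority and no Instance+TenantId pair")
    # A secret in appsettings.json ends up in source control; keep it in user secrets or Key Vault.
    creds = ad.get("ClientCredentials", [])
    if ad.get("ClientSecret") or any(c.get("ClientSecret") for c in creds):
        findings.append("client secret stored in appsettings.json; move it to user secrets or Key Vault")
    return {"kind": kind, "authority": authority, "findings": findings}
```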

@ghost ghost added the area-blazor Includes: Blazor, Razor Components label Mar 15, 2025
@nefen
Author

nefen commented Mar 16, 2025

Dear @guardrex,

I really do not understand your reply:

  1. You said you didn't test @damienbod's config. What does it mean? That I had to use the appsettings format as defined in the sample? I did it again (just to be sure) and I get the following error:

     OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS500208: The domain is not a valid login domain for the account type.

     I am trying to connect to **Entra External ID, not Entra ID**.
  2. I do not understand your comment regarding the secret. What is stated in the article is to improve security. For a repro situation it is not important for me. Is it? Anyway, for completeness, I removed the secret from the app registration and tested again with the exact appsettings.json as stated in the blazor-samples:
     - I get the login screen
     - I get the same error.
     - So, I assume again that I can work with Entra External ID only with @damienbod's config.
  3. What do you mean by "set a front-channel logout URL"?
  4. The problem is not the logout URL stated in the app registration (which actually redirects to the home page for an app restart). Actually, logout has not been completed at the time the error is thrown. If I break execution at the moment the error appears, the user is not logged out. In the next program execution I have an automatic login. So, this is an error that happens locally, not because something is sent back from the app login process.

In addition, if I press "continue" when the exception is thrown, app execution continues "normally" (as much as I can figure out). The user is logged out and the app is restarted (as expected from the returnUrl supplied from authentication/logout).

With this set of data, I couldn't log in to Entra External ID.

Assuming the client secret is applied per the article's guidance, the app runs normally here. Sign in works, and the app's sign-out behavior is simply to return the user to whatever app URL they were on via the returnUrl passed to authentication/logout.

I didn't test @damienbod's config, nor does the article prompt users to set a front-channel logout URL or use ID tokens.

@nefen nefen closed this as completed Mar 16, 2025
@nefen nefen reopened this Mar 16, 2025
@nefen
Author

nefen commented Mar 16, 2025

Dear @guardrex,

I just noticed that you actually couldn't log in to Entra External ID. Strange. I just paste again the appsettings from my working solution (the secret is deleted):

  "AzureAd": {
    "ClientId": "09e03b7f-7c63-4e7f-96bc-4787861dab20",
    "CallbackPath": "/signin-oidc",
    "Authority": "https://bustrack20241114tn.ciamlogin.com/",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },

The underscore is part of the password ("[email protected]" "hw3Gc590_").

@guardrex
Contributor

That's a new Microsoft service/tenant that I'm not familiar with yet. The product unit should be able to help. Stand by here until they come on and advise further. We'll devise new documentation coverage to support ME-EID as soon as we can.

@javiercn javiercn added area-security and removed area-blazor Includes: Blazor, Razor Components labels Mar 17, 2025
@MackinnonBuck
Member

Thanks for reaching out. Just to clarify, @nefen, app functionality continues working normally when continuing after the exception causes the debugger to break?

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Mar 19, 2025
@nefen
Author

nefen commented Mar 20, 2025

Thanks for reaching out. Just to clarify, @nefen, app functionality continues working normally when continuing after the exception causes the debugger to break?

My app continues without a problem (I haven't identified anything yet).

The exception is thrown during redirection to the screen where the user selects (verifies is maybe more accurate) the account he wishes to log out. After pressing continue, the account to be logged out can be selected. After the selection, the procedure continues and the user is logged out.

After logout, my app automatically redirects to the login screen. If a new user logs in (or even the same), the app restarts without any identifiable problem.

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Mar 20, 2025
@MackinnonBuck
Member

Thanks for reaching out. The exception is getting thrown from JavaScript in the Entra portal, so this isn't a problem with ASP.NET Core. The exception also doesn't impact app functionality (even though it causes the debugger to pause), so it can be ignored.

@MackinnonBuck MackinnonBuck closed this as not planned Won't fix, can't repro, duplicate, stale Mar 24, 2025
@MackinnonBuck MackinnonBuck added External This is an issue in a component not contained in this repository. It is open for tracking purposes. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Mar 24, 2025
@dan-tatsenko

Hi @MackinnonBuck
I have the same issue, and users have a bad user experience:

I use MS Entra External ID as a CIAM for my web app (.NET Core). When the user clicks on the Logout link (<a asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut" asp-route-returnUrl="/">Logout</a>), Entra redirects to the built-in page where the user is asked from what account they want to log out. Even if the user selects an account, Entra redirects to the same question with no option to select, and there is no way to get to the root of the app.

I would appreciate any help
Dan
