Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0

[luronumen]

I have updated the following Nuget packages from v3.0.1 to v3.1.0:

• Microsoft.Owin
• Microsoft.Owin.Host.SystemWeb
• Microsoft.Owin.Security
• Microsoft.Owin.Security.Cookies
• Microsoft.Owin.Security.Google
• Microsoft.Owin.Security.MicrosoftAccount

And after these updates the following issue is displayed when I try to authenticate using a Microsoft Account:

Correlation ID: 1a411cc0-446c-42bb-8659-cdd7dd9e6199
AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope wl.emails is not valid.

Important notes:

• This issue is only happening when I try to use a Microsoft Account for authenticating and there is no issue when I use a Google or Facebook account for authenticating it
• When I do the downgrade for the v3.0.1 the Microsoft Account authentication back to work again
• This issue is still reproducible on v4.0.0-alpha1 and the issues #48 and #89 did not fixed it

I have attached the Startup.Auth.cs class from the System for your better debuging.

For more details you can also check the ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0

[Tratcher]

In the 3.1 release all of the security packages were updated to use the latest APIs available from their respective providers. In this instance the MicrosoftAccount 3.0.1 package was using an obsolete API to authenticate users and was moved to a new API. The new API uses different values for Scope (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes). However, you don't need to specify any scopes to get the e-mail, you can remove that parameter.

There have been no changes to this behavior for 4.0.0. #48 was a separate issue.

[luronumen]

Hi @Tratcher

Thank you very much for your prompt reply!
Based on it I could identify where is the issue:

================================

Scenario 1 (v3.1.0 + Scope = { "wl.emails" })
Fail - AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope wl.emails is not valid.

================================

Scenario 2 (v3.1.0 + without Scope)
Fail - System.NullReferenceException on System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.Security.Claims.ClaimTypes.Email).Value

================================

Scenario 3 (4.0.0-alpha1 + without Scope)
Pass!

================================

I other words, I have to use the 4.0.0-alpha1 without any Scope for continue able to read email info from the Microsoft Account.

Is there any plan for release the final 4.0.0 version soon?

Feel free for close this issue as dup of #89

[Tratcher]

Yes 4.0.0 will be out soon, we're just waiting for feedback.

[luronumen]

Thanks @Tratcher

In other words, from now on, GoogleOAuth2AuthenticationOptions and MicrosoftAccountAuthenticationOptions do not need nothing more than ClientId and ClientSecret to the System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.Security.Claims.ClaimTypes.Email).Value has the user email account info.

Is there any possibility of FacebookAuthenticationOptions having similar behavior? Currently the Fields = { "email" }, Scope = { "email" } are required to the System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.Security.Claims.ClaimTypes.Email).Value
is not empty

,

[Tratcher]

@luronumen That's a good idea. Can you open a new bug so we don't loose track of it?

[luronumen]

Sure @Tratcher!

I just open the issue #113 for traking it.

Besides Facebook do you think it would be possible to do something similar for Twitter as well?

• app.UseTwitterAuthentication(new TwitterAuthenticationOptions { ConsumerKey = "MyConsumerKey", ConsumerSecret = "MyConsumerSecret" });

I noticed you have work to simplify Twitter email account here: #765

[Tratcher]

Twitter does not have it enabled by default because it has significant pre-reqs on their end. You have to contact support to enable it.

[luronumen]

I see. But I have set in my Twitter Apps the Access level to Read-only and Can request a user's email address option as well.

Is there something more that I have to do to have the user email associated with the Twitter account through the System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.Security.Claims.ClaimTypes.Email).Value?

Using app.UseTwitterAuthentication(new TwitterAuthenticationOptions { ConsumerKey = "MyConsumerKey", ConsumerSecret = "MyConsumerSecret" }); is returning System.NullReferenceException when I try to read the user email info through System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.Security.Claims.ClaimTypes.Email).Value

[Tratcher]

You also need RetrieveUserDetails = true

[luronumen]

it does not working.
app.UseTwitterAuthentication(new TwitterAuthenticationOptions { ConsumerKey = "MyConsumerKey", ConsumerSecret = "MyConsumerSecret", RetrieveUserDetails = true }); is returning the following compilation issue:

Error CS0117 'TwitterAuthenticationOptions' does not contain a definition for 'RetrieveUserDetails'

[Tratcher]

Sorry, I forgot which repo I was in. E-mail support was only added to ASP.NET Core. The hideous event code workaround should be similar for Katana. aspnet/Security#765 (comment)

[luronumen]

Thanks for the clarification @Tratcher

Is there any possibility to design something similar for the ASP.NET Framework by adding the RetrieveUserDetails property on TwitterAuthenticationOptions class as well?

Do you think it would be good we opened an issue for tracking it?

[Tratcher]

We're not planning significant feature work like this for Katana. Our current focus is bug fixes and keeping it up to date with external providers, dependencies, etc..

[luronumen]

I see. Okay then @Tratcher!

[yeimylorena]

4.0.0-Microsoft Account is compatible with Net framework 4.5.2?