
Microsoft account with MicrosoftAccountAuthenticationOptions does not seem to work #48

Closed
YovavGad opened this issue Apr 8, 2017 · 30 comments

YovavGad commented Apr 8, 2017

I understand Microsoft updated their APIs recently. I created a new app at https://apps.dev.microsoft.com

Application Id: 388e0946-5fa0-4143-8e7a-97141200f6a6
Password: obu****************************

Platforms: Web
Allow Implicit Flow: YES
Redirect URIs:
https://localhost:44300/signin-microsoft
https://ufotoday.com/signin-microsoft

Microsoft Graph Permissions: User.Read
Application Permissions: Profile

I did not use "generate new key pair" (not sure what it is for).

I know that before it was not possible to test on localhost; this is tested live on UFOToday.com, but I keep getting "access denied".

response_type=code seems suspicious; I would think code may be replaced with something else (not sure), see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-permissions

I noticed that the names of the scopes changed from wl.emails, wl.birthday, so I'm just trying with what I saw in the example code, "openid email profile" (otherwise it's breaking).

My code:

```csharp
// https://account.live.com/developers/applications
// https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins

using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.MicrosoftAccount;
using Owin;

// Inside Startup.Configure(IAppBuilder app); currentPortalProviders holds the stored app credentials.
var microsoftAuthOptions = new MicrosoftAccountAuthenticationOptions();
microsoftAuthOptions.ClientId = currentPortalProviders.MicrosoftLiveClientId;
microsoftAuthOptions.ClientSecret = currentPortalProviders.MicrosoftLiveClientSecret;
microsoftAuthOptions.CallbackPath = new PathString("/signin-microsoft");

// See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
microsoftAuthOptions.Scope.Add("openid");
microsoftAuthOptions.Scope.Add("email");
microsoftAuthOptions.Scope.Add("profile");

microsoftAuthOptions.Provider = new MicrosoftAccountAuthenticationProvider()
{
    OnAuthenticated = (context) =>
    {
        // The raw access token is stored as a claim on the external identity (it ends up in the external cookie).
        context.Identity.AddClaim(new Claim("urn:microsoft:access_token", context.AccessToken));

        var expiryDuration = context.ExpiresIn ?? new TimeSpan();
        context.Identity.AddClaim(new Claim("urn:microsoft:expires_in", DateTime.UtcNow.Add(expiryDuration).ToString(CultureInfo.InvariantCulture)));

        if (context.Email != null) context.Identity.AddClaim(new Claim("urn:microsoft:email", context.Email));
        if (context.Id != null) context.Identity.AddClaim(new Claim("urn:microsoft:id", context.Id));
        if (context.Name != null) context.Identity.AddClaim(new Claim("urn:microsoft:name", context.Name));
        if (context.FirstName != null) context.Identity.AddClaim(new Claim("urn:microsoft:first_name", context.FirstName));
        if (context.LastName != null) context.Identity.AddClaim(new Claim("urn:microsoft:last_name", context.LastName));

        // Add all other available claims. context.User is the Graph user JObject, so each
        // claim.Value is a JToken; a JSON null token turns into an empty string here.
        foreach (var claim in context.User)
        {
            var claimType = string.Format("urn:microsoft:{0}", claim.Key);
            var claimValue = claim.Value.ToString();
            if (!context.Identity.HasClaim(claimType, claimValue))
                context.Identity.AddClaim(new Claim(claimType, claimValue, "XmlSchemaString", "Microsoft"));
        }

        return Task.FromResult(0);
    }
};
app.UseMicrosoftAccountAuthentication(microsoftAuthOptions);
```

This is what I'm getting:

Request URL:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fufotoday.com%2Fsignin-microsoft&state=-LhKxD2fwHXxpUcr5oJWrQdXxe-mOJoKhW0U4UJZE6C7y8ALp5XHyz5OgDp8EDeIoVg4jLis-bayiQ-kU0GctuaGMT3ltbNPI7oRFdB_KhExHeLsy3a3WSLOUIOKDmq8exIxuc5nzgOCyHuLxoMvdZVk7DpsQ7Pc2BGiJKJ_GpBMXtlALCtsn7BHfVrT9IjlBLe0I0z66XS_XUub4W4OYA
Request Method:GET
Status Code:200 OK
Remote Address:23.100.32.136:443
Referrer Policy:no-referrer-when-downgrade

Request URL:https://login.live.com/oauth20_authorize.srf?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fufotoday.com%2Fsignin-microsoft&state=-LhKxD2fwHXxpUcr5oJWrQdXxe-mOJoKhW0U4UJZE6C7y8ALp5XHyz5OgDp8EDeIoVg4jLis-bayiQ-kU0GctuaGMT3ltbNPI7oRFdB_KhExHeLsy3a3WSLOUIOKDmq8exIxuc5nzgOCyHuLxoMvdZVk7DpsQ7Pc2BGiJKJ_GpBMXtlALCtsn7BHfVrT9IjlBLe0I0z66XS_XUub4W4OYA&login_hint=yovavgad%40gmail.com&ui_locales=en-US&display=page&uaid=aedea0ead6e94294a42ad04754ced973&issuer=mso&tenant=common&msproxy=1
Request Method:GET
Status Code:302 Found
Remote Address:131.253.61.96:443
Referrer Policy:no-referrer-when-downgrade

Request URL:https://ufotoday.com/signin-microsoft?code=Mde1a1f82-19ea-afb6-faed-6492578ef127&state=-LhKxD2fwHXxpUcr5oJWrQdXxe-mOJoKhW0U4UJZE6C7y8ALp5XHyz5OgDp8EDeIoVg4jLis-bayiQ-kU0GctuaGMT3ltbNPI7oRFdB_KhExHeLsy3a3WSLOUIOKDmq8exIxuc5nzgOCyHuLxoMvdZVk7DpsQ7Pc2BGiJKJ_GpBMXtlALCtsn7BHfVrT9IjlBLe0I0z66XS_XUub4W4OYA
Request Method:GET
Status Code:302
Remote Address:52.183.33.89:443
Referrer Policy:no-referrer-when-downgrade

Request URL:https://ufotoday.com/signup-connect?error=access_denied
Request Method:GET
Status Code:302
Remote Address:52.183.33.89:443
Referrer Policy:no-referrer-when-downgrade

Does it work for anyone else?

Tratcher (Member) commented Apr 8, 2017

@kichalla does this look like what you just tested?

Have you enabled logging to see what the error was? I'd be curious to see what the cookie headers looked like for the ufotoday.com requests and responses.

YovavGad (Author) commented Apr 8, 2017

Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:58:25.5599057Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:58:58.2207908Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T05:59:32.3959578Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:05:24.8723277Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:05:53.8060717Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:27:53.2208334Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:28:13.0852896Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:28:17.6501093Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:29:27.0164844Z
Microsoft.Owin.Security.Twitter.TwitterAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:29:27.7532943Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainRequestToken
ProcessId=6156
DateTime=2017-04-08T06:29:48.4572860Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainAccessToken
ProcessId=6156
DateTime=2017-04-08T06:30:14.4257449Z
Owin.Security.Providers.Yahoo.YahooAuthenticationMiddleware Verbose: 0 : ObtainUserProfile
ProcessId=6156
DateTime=2017-04-08T06:30:14.5240712Z
Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at Newtonsoft.Json.Linq.Extensions.Value[T,U](IEnumerable`1 value)
   at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.<AuthenticateCoreAsync>d__4.MoveNext()
ProcessId=6156
DateTime=2017-04-08T06:31:03.3935372Z

kichalla (Member) commented

> @kichalla does this look like what you just tested?

I verified it again now and it works for me. However, I verified it with the OOB MVC template and haven't done any customization.

YovavGad (Author) commented Apr 10, 2017

@kichalla are you using a recent Microsoft account?
I wasn't able to find my old apps and had to create a new one with the details above.
Can you tell me if you're using the same settings?

Platforms: Web
Allow Implicit Flow: YES
Redirect URIs:
https://localhost:44300/signin-microsoft
https://ufotoday.com/signin-microsoft

Microsoft Graph Permissions: User.Read
Application Permissions: Profile

Tratcher (Member) commented Apr 10, 2017

As a baseline, the MSA provider works if I only specify the ClientId and ClientSecret, no scopes required. My app does not have any Permissions specified either.

I see one small bug here with the e-mail:

```csharp
Email = PropertyValueIfExists("mail", userAsDictionary);
if (Email == null)
{
    Email = PropertyValueIfExists("userPrincipalName", userAsDictionary);
}
```

It first checks for the "mail" entry, which is present but null, so it returns string.Empty. Then it checks if that value was null, which does not match string.Empty, so it does not proceed to get the real e-mail value from "userPrincipalName". This should be easy to work around by directly extracting "userPrincipalName" from the JObject User on the context.

```csharp
var email = context.User["userPrincipalName"];
if (email != null) context.Identity.AddClaim(new Claim("urn:microsoft:email", email.ToString()));
```

Adding Microsoft Graph Permissions: User.Read doesn't seem to change anything. Profile does not appear to be an available Application Permission, Profile is the heading of the next config section.

Requesting scope "openid" breaks it because it does not get back an access_token, only an id_token. If you want to use this flow you'll need to use OpenIdConnect instead.

If I just specify the email or profile scopes then the login portal rejects them as invalid.

Summary: You don't need scopes, and there's a small bug we need to address with reading the e-mail.
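As an added illustration of the null-versus-empty mix-up Tratcher describes (this is not code from the Katana repository or from anyone in this thread): the program below parses a constructed document in the shape of the Graph `/v1.0/me` response, with `mail` present but null and `userPrincipalName` set, shows how a lookup that turns a JSON null into `string.Empty` defeats the `== null` fallback, and puts a replacement next to it that treats missing, null and blank values alike before falling through. `PropertyValueIfExists` here is a reimplementation written from the behaviour described above, not the library's own method, and the sample JSON is made up; it needs only the Newtonsoft.Json package.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json.Linq;

static class EmailFallbackDemo
{
    // Constructed sample in the shape of the Graph /v1.0/me response discussed in
    // this thread: "mail" is present but null, "userPrincipalName" carries the address.
    const string SampleUser = @"{
        ""@odata.context"": ""https://graph.microsoft.com/v1.0/$metadata#users/$entity"",
        ""id"": ""c8XXXXXXXXXXXX"",
        ""displayName"": ""Example User"",
        ""givenName"": ""Example"",
        ""surname"": ""User"",
        ""mail"": null,
        ""userPrincipalName"": ""example@example.com""
    }";

    // Assumed reimplementation of the lookup described above: the key exists, so the
    // lookup succeeds, and JValue.ToString() renders a JSON null as string.Empty.
    static string PropertyValueIfExists(string property, IDictionary<string, JToken> dictionary)
    {
        return dictionary.ContainsKey(property) ? dictionary[property].ToString() : null;
    }

    // The pattern quoted from the handler: string.Empty is not null, so the
    // fallback to userPrincipalName never runs and the e-mail comes out empty.
    static string BuggyEmail(JObject user)
    {
        var email = PropertyValueIfExists("mail", user);
        if (email == null)
        {
            email = PropertyValueIfExists("userPrincipalName", user);
        }
        return email;
    }

    // Corrected lookup: a missing key, a JSON null and a blank string all count as
    // "no value", so the first candidate that actually carries text wins.
    static string FixedEmail(JObject user)
    {
        foreach (var key in new[] { "mail", "userPrincipalName" })
        {
            var token = user[key];
            if (token == null || token.Type == JTokenType.Null) continue;
            var value = token.ToString().Trim();
            if (value.Length > 0) return value;
        }
        return null;
    }

    static void Main()
    {
        var user = JObject.Parse(SampleUser);
        Console.WriteLine("buggy lookup: '{0}'", BuggyEmail(user));
        Console.WriteLine("fixed lookup: '{0}'", FixedEmail(user));
    }
}
```

The same distinction matters for any claim you copy out of `context.User` in `OnAuthenticated`: a property that Graph returns as `null` is not absent from the JObject, so check `JTokenType.Null` (or the trimmed string) rather than only the key.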

@Tratcher Tratcher added the bug label Apr 10, 2017
@Tratcher Tratcher self-assigned this Apr 10, 2017
@muratg muratg added this to the 4.0.0-alpha1 milestone Apr 11, 2017
YovavGad (Author) commented

Thanks @Tratcher, it works like you said, when not specifying scopes, but without the email.

Is it scheduled to be fixed on v4 only or before that?

These are my requests, just in case it can help to resolve the bug:

Request URL:https://login.live.com/oauth20_authorize.srf?client_id=388e0946-5fa0-4143-8e7a-97141200f6a6&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A44300%2Fsignin-microsoft&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ&login_hint=yovavgad%40gmail.com&ui_locales=en-US&display=page&uaid=67551f66c693422ebdb158c961e9264f&issuer=mso&tenant=common&msproxy=1
Request Method:GET
Status Code:302 Found
Remote Address:131.253.61.96:443
Referrer Policy:no-referrer-when-downgrade

Response:
Cache-Control:no-cache
Connection:close
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Thu, 13 Apr 2017 11:01:59 GMT
Expires:Thu, 13 Apr 2017 11:01:00 GMT
Location:https://localhost:44300/signin-microsoft?code=M3bd1b08f-2247-87e2-a77d-21ae9524fa50&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ
P3P:CP="DSP CUR OTPi IND OTRi ONL FIN"
Pragma:no-cache
Server:Microsoft-IIS/8.5
Set-Cookie:uaid=67551f66c693422ebdb158c961e9264f; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:MSPShared= ; HTTPOnly= ; domain=login.live.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT
Set-Cookie:MSPCID=8c97e218c7fbd7f6; HTTPOnly= ; domain=login.live.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT;secure=
Set-Cookie:WLOpt=credtype=1&act=[1];domain=login.live.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT;secure=
Set-Cookie:SDIDC=CV5yF6wWxfqzfEa02F0JghrZfWIv24oyZDtBsxw3VJQw0sfI6M0q0GiQ7VaaLa!vgNCGdUXcwb61pdkU5kdAx83G9AocbFa9n1hYpMr2yCFV5RaQUAs01pPQCfNCUPHjNP5YU!bcspAmk!C0YMws$; expires=Wed, 30-Dec-2037 16:00:00 GMT;domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:PPAuth=CQEtjacVlSWzhNSwkLg97D3RvMSEAqAET0dUMwaMunpGQJZg5jz0xeXOjDAOw7Us9HfvhXte1RpOORlq5M74GloFBdM2k1NYwfLueF3JXkXteL5MJlvz9wK0U9sdfXS9mcvrfaD4Gj2BdyNGaj2iN0H!3EupIZnEfdOkpsUorKnruANhbexaxygaQfEdvwBFaBbgB4suejqcf9Ol8Pn1FexICcBaynNcX7fVvkH5xlMZL26Yg3ug4KAbyZ9VVCt0PuEE6N2pxOKq2DS2AXj4vEFoKGljtO!Ilrk!d2dPHanWBlD2C7UmgLuu!cMNQ$$; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie:MSPRequ=lt=1492081320&co=2&id=N; secure= ;path=/;HTTPOnly=;version=1
Set-Cookie:PPLState=1; domain=.live.com;path=/;version=1
Strict-Transport-Security:max-age=31536000
X-Content-Type-Options:nosniff
X-XSS-Protection:1; mode=block

Request URL:https://localhost:44300/signin-microsoft?code=M3bd1b08f-2247-87e2-a77d-21ae9524fa50&state=SDB5L_bidD9rUProhRLoDh7i34qovQF3v8xTUIbLL_dI3DfR9ncufoHhv-Fu3D8OTobsoSag5viiN_g_FFp8w4l3VXkUgdpxadRamxh0XLrm7aVa1gfwOaDGhwDwA-FVG4wH3ZU1UAF5ritIL619IMWp1-sSaLCgBC4uo4xkaHX26MuuTNYa5nFi3UmbI0hEPqTK1dWKJcrPEaEbBNZrlQ
Request Method:GET
Status Code:302
Remote Address:[::1]:44300
Referrer Policy:no-referrer-when-downgrade

Response:
cache-control:no-cache
content-length:0
date:Thu, 13 Apr 2017 11:01:59 GMT
expires:-1
location:/signup-connect
pragma:no-cache
server:Microsoft-IIS/10.0
set-cookie:.AspNet.Correlation.Microsoft=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
set-cookie:.AspNet.ExternalCookie=XJl6jmIuW1xUhg8bcCpWohAv_BuCuPf4yXSvyo0YrXINkHXGB2Tf654etijqcyj5VtGnnC9b530ePZ3n4YU0jwSy3FCCGAaM-oy5Fwctw1djurbSNFY7w-I062fQRsw0Mm-8UeHWQiUznw5eMVhr-zzmtlP4EG-flxSzaJUVgDOE1iOCPWjQEPCOQoARUIVD4ND3DciJvKWys2rd5k8h-kgNV41HOHTEvoKXllvYyhCH0lyLKlmJ5yYHHepOmaywbq9ZxTMQDPVVnlustwvP7ryOrR0LgwI17sWq_-Bhq8eh18mRd7pGGfEV43dQPkSyOEp9TVdwOMmFlNilwXvRcc0dTQnbeb6OeDsgoB_Gl13IhuaJlw0Yu36am962wOuISH2WnwrO6NPbcusdHSQ59GyNruNBHqgnRZnZvOlsLnhp7S4xwtX3mYvDjeIbO2yrM8ZKWw90UvtFAv_wDyiBJdzKYj9bOjn4k7uEvo4k4M7n6OptwloOXHKIhSz4y63qNpgUGTsMou0piI1x7Q-BLHHU22ULNB-VjogjVii1B6Tov1ONnXQBt2NSJzshilOYfK-T-Jw8l4lq2C6Ngil3CAobqa0MhdOHx89oJl9qlld0rn3vAX2Yk3EOYNmcvtM1Cvp8xDvo2tTbj0C2--yplFR_6qWm9npQkQFy7dsvk-Jm-waOsl3lt7tAuTrURegvYS9zCUZBueLIGQRCyXSjsrw46U-fInu9wp0J62PDDdyccwJm9j2jui92vrs0g_qoQNuYm-cVjjnsxbfN5wpQ6l-YXBe0maWBeOXICIsFep51J2_g0yP9Vh9mIEojIZWBU6oNIR-2X19md0QJ6jnzc997rZnHRNVmiavwq-IQTSjLA8KEqpK1sdKpiz4sSzceSPaFgLqoNvi7vAQNKVJM4f_DpOMUOp7y2iACnW5mpOyI0SPR_bkh-jE2bSqg9WDRwwgfIsumC95rhh2U6Lw5f_vAQRP7XRtAmptloT9pQtp9yTwhNnfAtvH07SkRcPmIIVREMcOkkwwiFUgxqjAugbUXy1gySyg5WPQeWUQiA5okmCl-oOBa9Dt7u7wP_6NEA5Nx_-rmKOxkvRsC2njMvUIk4wgvtoHGJrQK_ikYU-urnlMWfCurp36GjL-aR8RgT-I_I-HY_nHSuEROIZCn8Oex7TQaYO017XlWnGLlZ6Uzxl1kVNrbWesQXY8o5sOp7F5XZ9OIB-PxrrJLeMtOP6bq4ewVPbU3tLBARiQt2awM-IZgd05BxKCuoO2azW2RhAfthmcTUEYMTI4nzSRZp2fX6DbjXjiXGeDr-fj_61JEfcXUa9eiHLZmpFJAXd5RGJ0jWCgwiYJ1hm9ef8A_s2I5e0---bWgTtgZVPExiO4IN6X91g_H1M8bF9pQYt-XoIMDF7hteVOyuyekO0r0xvs76knZaIPMJSuzCi90KhDuRfLcehWGXzpSBm7m145zeL-ZjxbUK2gV8yGfWnf5wEd9IGUdfusBeu7NPTX9vOzLwVCshARgzUJR-TlSKlK0zRVi7PJNG6iukozW6sVTV8PrknKXfdk1c7EWBP0SXvrza1UXmXR2jEzPSZYj1lECtefAldmqoGMtbgySvFFiIcDtEa0sieV7HDSotLtgSkAjcXFb4I_54Bhb8gNV70fO7xVaVlg0qbCGbZPKXLcPBoafBEf_wmBERAAnnMuNxLGzp5qXUI243Hq0JCm_NDnKPLyMvV1fumEKbWQc3puACWy6ErgP203mW15o3PGxOipkG4nlgfEWLe6HwPcaxfCevcM9U_x5bhU4BYzCU5ANLUgzyN9KfmsmxSey75-DBYiqf2hDAWzvtpMBlMFSSA9OWDfFt-8jdlLNUZKfU1w-fkFRDFxRs9M_K9eoStUjUq1PmPCJCw99KxdWqkxDF2ajciEc0HJTVu6Ai2gvmfFqbw; path=/; secure; HttpOnly
status:302
x-powered-by:ASP.NET
x-sourcefiles:=?UTF-8?B?ZDpcUHJvamVjdHNcUG9ydGFsRW5naW5lXFNvdXJjZVxQb3J0YWxFbmdpbmUuV2ViXHNpZ25pbi1taWNyb3NvZnQ=?=

Tratcher (Member) commented

The next planned release is a 4.0 preview, I'll get this fixed by then.

defr0zen commented

Do you think it will be possible to ship this fix as an update for v3.1?

Tratcher (Member) commented

There is no update currently scheduled for v3.1 to include this in.

solankisamir commented

We recently upgraded the MSA NuGet to v3.1. For a few of the older apps the sign-in flow is broken. New apps created using apps.dev.microsoft.com are working. Here are the request and response logs from the broken app.

curl "https://login.live.com/oauth20_authorize.srf?client_id=000000004811CB5F^&scope=https^%^3A^%^2F^%^2Fgraph.microsoft.com^%^2Fuser.read^&response_type=code^&redirect_uri=https^%^3A^%^2F^%^2Fapiphany.portal.azure-api.net^%^2Fsignin-microsoft^&state=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAWUHzHpTu5Ua4y7D5gayjWAAAAAACAAAAAAAQZgAAAAEAACAAAAAOhrolpl_Sqc5hfQmRn9-spbMbwsvPNvSwXSquyH31hwAAAAAOgAAAAAIAACAAAAApn5s6NRsO5BXtDGDq7djzrzv7ot0C4eVVoRVpMUg0TZAAAAC2YNfrlOGNX0e5QZJ50H6vTq6UJAyyNiUiNg0iSZakLMUTeKYCV0JMT4oEnLGOaTqiwCjmXiZKZdYDuFoSOLl2biNJnoELFqXyggWiZwTGZUHDhNm2npPqLHc4iAM49UkpftIBWxJSOMH_4yyO56HKUsI3n4hDsS0KlsHrjqjWvS79G0qvIAE2btj-4t0aAy5AAAAA42QIm735czdc0fk7I7mY7yUwlKcmInEDvWjYW1nv67TWaAvcdy9NTltn_uhewZmwCXXwNAJgMUgnvj1Qbi4APQ^&login_hint=samirsolanki^%^40outlook.com^&ui_locales=en-US^&display=touch^&uaid=d3a4a0de99d744339898b660532a5508^&issuer=mso^&tenant=common^&msproxy=1" -H "Accept-Encoding: gzip, deflate, sdch, br" -H "Accept-Language: en-US,en;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Referer: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=000000004811CB5F^&scope=https^%^3A^%^2F^%^2Fgraph.microsoft.com^%^2Fuser.read^&response_type=code^&redirect_uri=https^%^3A^%^2F^%^2Fapiphany.portal.azure-api.net^%^2Fsignin-microsoft^&state=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAWUHzHpTu5Ua4y7D5gayjWAAAAAACAAAAAAAQZgAAAAEAACAAAAAOhrolpl_Sqc5hfQmRn9-spbMbwsvPNvSwXSquyH31hwAAAAAOgAAAAAIAACAAAAApn5s6NRsO5BXtDGDq7djzrzv7ot0C4eVVoRVpMUg0TZAAAAC2YNfrlOGNX0e5QZJ50H6vTq6UJAyyNiUiNg0iSZakLMUTeKYCV0JMT4oEnLGOaTqiwCjmXiZKZdYDuFoSOLl2biNJnoELFqXyggWiZwTGZUHDhNm2npPqLHc4iAM49UkpftIBWxJSOMH_4yyO56HKUsI3n4hDsS0KlsHrjqjWvS79G0qvIAE2btj-4t0aAy5AAAAA42QIm735czdc0fk7I7mY7yUwlKcmInEDvWjYW1nv67TWaAvcdy9NTltn_uhewZmwCXXwNAJgMUgnvj1Qbi4APQ" -H "Cookie: CkTst=G1493470936131; wlidperf=FR=L^&ST=1493470940958; MSPAuth=3rcTqA3RTEXtqfBqjPM8lsSkPuz9tZs1HAHUTqZYBh5uKl7PjdvpvgmckfUgkDgZfBpxYtxnt9iPPZn4ylST271**t7tSow5Wzlg2I804HqjX2MNCWvKcfCfcRuKDeJfpTrG7yf^!I477uPzvUZ63paw^$^$; MSPProf=3WWv^!ZPV9HHtU5OesKp9ZidFWfB35ng5QCBj3XypRgqlAKCP7vU8WLFmRhIiYD8nefO1QBBq^!6Wwh8tTd0js0bpo9pxFrlWHLi8EWz0YCz^!9hgEBojpwpiedcdyt^!AhyH^!VzflWXlt7wcJF4euKjSQY9i9Gq1GRI84dmogEEtKWxlNaxZhPIdCvPLAxrhUsg67BdEEUUjJrUEpAOedjuVYHkOZWdEJ1; MH=MSFT; NAP=V=1.9^&E=135d^&C=rBC8b6WAw4Ya8XSL46FWW5pmXq8BBsLfjpH81TAeHxXJX1RBMTcb7w^&W=1; ANON=A=48F68EFA3850702622159956FFFFFFFF^&E=13b7^&W=1; LOpt=0; WLSSC=…; MSPPre=samirsolanki^@outlook.com^|086cf943736d55ab^|^|; PPAuth=CVbpD4nZQuKFWFc31ShtBDZNu122KOHs6UOKaLO^!X^!IEXfBI7aGprHX1nXktlNxDcAID1KAmIoZrE88QS45xauIFNiLWrbMkpaIo2FAvTrN3J9oz5gBE8NwdKHo1mFmSfYFsH2JgjFQPiaEtUkOKWYk5SxZmX9s4MQbkKP6l^!sulwTI0xbI*^!^!rbI**eAYIwbVkt4Se^!8vowGR1iNiwBTgAzMApmPY8B7KlIomOfp9Nxq^!YfwG01weZjkJAE1tv7dcAQofGvYE^!RmGcSd9p96^!CONC5T2PGB^!T78vN5nHqHWhMhq7meJg8Xbdhew^$^$; PPLState=1; MSPCID=086cf943736d55ab; WLOpt=credtype=1^&act=^[1^]; SDIDC=CdKgcbj0NG2ElT56GMk7F8MxaHZfFpXzQPZGSB8NA8yzeC2ROI6rDP^!oq0NuaFA4JyOu4Q2I6mrrk9YAOEbE0pQXB3DkygNK1dLM9IJO5w7DCf7Tz3CW10kRwQj0iukOEOEUrqlLupY2ovpmUHX9Y^$; uaid=d1db34990f3c4d28aade292265368ce1; MSPRequ=lt=1493472485^&id=N^&co=1" -H "Connection: keep-alive" --compressed &

curl "https://apiphany.portal.azure-api.net/signin-microsoft?code=M4037627b-2950-3ddb-cb56-e7966534bb6e^&state=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAWUHzHpTu5Ua4y7D5gayjWAAAAAACAAAAAAAQZgAAAAEAACAAAAAOhrolpl_Sqc5hfQmRn9-spbMbwsvPNvSwXSquyH31hwAAAAAOgAAAAAIAACAAAAApn5s6NRsO5BXtDGDq7djzrzv7ot0C4eVVoRVpMUg0TZAAAAC2YNfrlOGNX0e5QZJ50H6vTq6UJAyyNiUiNg0iSZakLMUTeKYCV0JMT4oEnLGOaTqiwCjmXiZKZdYDuFoSOLl2biNJnoELFqXyggWiZwTGZUHDhNm2npPqLHc4iAM49UkpftIBWxJSOMH_4yyO56HKUsI3n4hDsS0KlsHrjqjWvS79G0qvIAE2btj-4t0aAy5AAAAA42QIm735czdc0fk7I7mY7yUwlKcmInEDvWjYW1nv67TWaAvcdy9NTltn_uhewZmwCXXwNAJgMUgnvj1Qbi4APQ" -H "Accept-Encoding: gzip, deflate, sdch, br" -H "Accept-Language: en-US,en;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Referer: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=000000004811CB5F^&scope=https^%^3A^%^2F^%^2Fgraph.microsoft.com^%^2Fuser.read^&response_type=code^&redirect_uri=https^%^3A^%^2F^%^2Fapiphany.portal.azure-api.net^%^2Fsignin-microsoft^&state=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAWUHzHpTu5Ua4y7D5gayjWAAAAAACAAAAAAAQZgAAAAEAACAAAAAOhrolpl_Sqc5hfQmRn9-spbMbwsvPNvSwXSquyH31hwAAAAAOgAAAAAIAACAAAAApn5s6NRsO5BXtDGDq7djzrzv7ot0C4eVVoRVpMUg0TZAAAAC2YNfrlOGNX0e5QZJ50H6vTq6UJAyyNiUiNg0iSZakLMUTeKYCV0JMT4oEnLGOaTqiwCjmXiZKZdYDuFoSOLl2biNJnoELFqXyggWiZwTGZUHDhNm2npPqLHc4iAM49UkpftIBWxJSOMH_4yyO56HKUsI3n4hDsS0KlsHrjqjWvS79G0qvIAE2btj-4t0aAy5AAAAA42QIm735czdc0fk7I7mY7yUwlKcmInEDvWjYW1nv67TWaAvcdy9NTltn_uhewZmwCXXwNAJgMUgnvj1Qbi4APQ" -H "Cookie: __RequestVerificationToken=ofhDFf6csJ-rZbIZD1Ppzhlee-Mwap-VWvidSSA994B0-h_ox9beypDzOGkK0E5jrO_VbGP2sIU4Bere9b-DAWrR64mz6AmOy-zDHLFyU1gc_XONySPrfE098IMV14t1XiUAmvFPrVsihKzrKCj0Dg2; .AspNet.Correlation.Microsoft=1i0UzWxMpFlfIadNdf-SnXsnJdqwFsg1AK2sWxsoyCI" -H "Connection: keep-alive" --compressed &

curl "https://apiphany.portal.azure-api.net/signin-callback?provider=Microsoft^&error=access_denied" -H "Accept-Encoding: gzip, deflate, sdch, br" -H "Accept-Language: en-US,en;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Referer: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=000000004811CB5F^&scope=https^%^3A^%^2F^%^2Fgraph.microsoft.com^%^2Fuser.read^&response_type=code^&redirect_uri=https^%^3A^%^2F^%^2Fapiphany.portal.azure-api.net^%^2Fsignin-microsoft^&state=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAWUHzHpTu5Ua4y7D5gayjWAAAAAACAAAAAAAQZgAAAAEAACAAAAAOhrolpl_Sqc5hfQmRn9-spbMbwsvPNvSwXSquyH31hwAAAAAOgAAAAAIAACAAAAApn5s6NRsO5BXtDGDq7djzrzv7ot0C4eVVoRVpMUg0TZAAAAC2YNfrlOGNX0e5QZJ50H6vTq6UJAyyNiUiNg0iSZakLMUTeKYCV0JMT4oEnLGOaTqiwCjmXiZKZdYDuFoSOLl2biNJnoELFqXyggWiZwTGZUHDhNm2npPqLHc4iAM49UkpftIBWxJSOMH_4yyO56HKUsI3n4hDsS0KlsHrjqjWvS79G0qvIAE2btj-4t0aAy5AAAAA42QIm735czdc0fk7I7mY7yUwlKcmInEDvWjYW1nv67TWaAvcdy9NTltn_uhewZmwCXXwNAJgMUgnvj1Qbi4APQ" -H "Cookie: __RequestVerificationToken=ofhDFf6csJ-rZbIZD1Ppzhlee-Mwap-VWvidSSA994B0-h_ox9beypDzOGkK0E5jrO_VbGP2sIU4Bere9b-DAWrR64mz6AmOy-zDHLFyU1gc_XONySPrfE098IMV14t1XiUAmvFPrVsihKzrKCj0Dg2" -H "Connection: keep-alive" --compressed &

luronumen commented

I am facing the same issue in my ASP.NET MVC projects after updating the Microsoft.Owin.x NuGet packages from v3.0.1 to v3.1.0.

I have opened this question on the ASP.NET forum, but there is no fix or solution so far:
ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0

psillar commented Jun 16, 2017

I am also facing this issue. I can't get the MS account auth to work even with no scopes. Whenever the client returns to the /signin-microsoft endpoint it redirects and returns the access_denied error. I've taken a look at the Katana.trace.log and see the following:

Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed
System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationHandler.d__4.MoveNext()
ProcessId=13864
DateTime=2017-06-16T06:00:23.0808494Z

That doesn't make sense - I cannot see any 400 errors (looking at fiddler all I see is 200s then 302s - in fact I can even see a 302 with /signin-microsoft?code=blah-blah so it looks like it should work!) until it redirects back to my GetExternalLogin page - then it's just the unhelpful access_denied error.

Is there any way I can see more of what's happening under the hood to find out the actual error? Or does anyone have any suggestions as to how to make this work? Thanks!

Tratcher (Member) commented

The 400 is happening on the backchannel. The server/middleware sends requests to microsoft to exchange the code and to get user information. To capture that traffic you can use a network level tracer like Message Analyzer https://www.microsoft.com/en-us/download/details.aspx?id=44226.
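An added example (not code from this thread or from the Katana project) of one way to see what the backchannel exchange returned without a network tracer: Katana's `MicrosoftAccountAuthenticationOptions` exposes a `BackchannelHttpHandler`, and a `DelegatingHandler` plugged in there sees the POST to the token endpoint and the Graph user lookup, including the body of the 400 that `EnsureSuccessStatusCode` turns into the bare "Response status code does not indicate success" above. The handler redacts the `client_secret` and `code` values before writing the request, omits response bodies on success (they carry the access token) and writes through `System.Diagnostics.Trace`, so route it to whatever listener you already use. The field list, the `Configure` helper and the placeholder credentials are my own assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Owin.Security.MicrosoftAccount;
using Owin;

// Logs each backchannel request the MicrosoftAccount middleware makes (the
// code-for-token exchange and the user lookup) together with the response
// status, and the response body only when the call failed.
public sealed class BackchannelLoggingHandler : DelegatingHandler
{
    // Assumed list of form fields whose values must never reach a log.
    static readonly string[] SecretFields = { "client_secret", "code", "refresh_token" };

    public BackchannelLoggingHandler() : base(new HttpClientHandler()) { }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var requestBody = request.Content == null
            ? string.Empty
            : Redact(await request.Content.ReadAsStringAsync());
        Trace.TraceInformation("Backchannel {0} {1} body={2}",
            request.Method, request.RequestUri, requestBody);

        var response = await base.SendAsync(request, cancellationToken);

        // ReadAsStringAsync buffers the content, so the middleware can still read it afterwards.
        var responseBody = response.Content == null
            ? string.Empty
            : await response.Content.ReadAsStringAsync();
        Trace.TraceInformation("Backchannel {0} ({1}) from {2}: {3}",
            (int)response.StatusCode, response.ReasonPhrase, request.RequestUri.Host,
            response.IsSuccessStatusCode ? "(body omitted)" : responseBody);
        return response;
    }

    // Replaces the value of each secret field in an application/x-www-form-urlencoded body.
    public static string Redact(string formBody)
    {
        return string.Join("&", formBody.Split('&').Select(pair =>
        {
            var eq = pair.IndexOf('=');
            var key = eq < 0 ? pair : pair.Substring(0, eq);
            return SecretFields.Contains(key, StringComparer.OrdinalIgnoreCase)
                ? key + "=[redacted]"
                : pair;
        }));
    }
}

public static class MicrosoftAccountDiagnostics
{
    // Wires the handler into the same options used in this thread. clientId and
    // clientSecret are placeholders; take the handler out again once the 400 is understood.
    public static void Configure(IAppBuilder app, string clientId, string clientSecret)
    {
        app.UseMicrosoftAccountAuthentication(new MicrosoftAccountAuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            BackchannelHttpHandler = new BackchannelLoggingHandler()
        });
    }
}
```

With the handler in place, a failing token exchange shows up as a single trace line carrying the endpoint's own JSON error (the `error` and `error_description` fields), which is usually enough to tell an invalid client secret, a redirect URI mismatch and a v1-versus-v2 app registration apart.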

ElisaDuma commented

Hello

I have the same issue described in this topic. I used the workaround for the email retrieval using "userPrincipalName" and it works. Still, I encounter another problem when having a Gmail account which is linked to the Microsoft account (first the Gmail account is created). In the previous version (3.0.1) the provider was Google and now the provider is Microsoft (claims.Current.OriginalIssuer). The username (urn:microsoftaccount:name) in this case is not filled, though the first name and last name are set in the Microsoft account:

2017-06-20T06:37:53 PID[9784] Information http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier c8XXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
2017-06-20T06:37:53 PID[9784] Information urn:microsoftaccount:id c8XXXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information urn:microsoftaccount:name
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:@odata.context https://graph.microsoft.com/v1.0/$metadata#users/$entity
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:givenName
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:surname
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:id c8XXXXXXXXXXXXXX
2017-06-20T06:37:53 PID[9784] Information urn:microsoft:userPrincipalName [email protected]

Is there

psillar commented Jun 22, 2017

> This should be easy to work around by directly extracting "userPrincipalName" from the JObject User on the context.

Could someone please clarify where I should be extracting the userPrincipalName? I'm currently doing it in the overridden Authenticated method of the custom Provider in my MicrosoftAccountAuthenticationOptions but that code doesn't get hit before I get an error...

ShenglinGuo commented Jun 22, 2017

I do not know if the following is the correct way of doing it, but it works for us. We just wanted the email address.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.MicrosoftAccount;
using Owin;

// MSID / MSSecrete hold the app's client id and secret; signInAsType is the
// external cookie authentication type the rest of the pipeline signs in as.
var ms = new MicrosoftAccountAuthenticationOptions
{
    AuthenticationType = "Microsoft",
    SignInAsAuthenticationType = signInAsType,
    ClientId = MSID,
    ClientSecret = MSSecrete,
    Provider = new MicrosoftAccountAuthenticationProvider
    {
        OnAuthenticated = (context) =>
        {
            // #48: context.Email is empty because "mail" is null in the Graph response,
            // so read userPrincipalName straight from the user JObject instead.
            var email = context.User["userPrincipalName"];
            if (email != null)
            {
                context.Identity.AddClaim(new Claim("email", email.ToString()));
            }
            return Task.FromResult(0);
        }
    }
};
app.UseMicrosoftAccountAuthentication(ms);
```

psillar commented Jun 22, 2017

Thanks @ShenglinGuo
I've just attempted to do it that way but, unfortunately, the OnAuthenticated code is never hit :(
I'll have to see if I can see any errors in the backchannel using Message Analyzer - that thing is confusing!

AjmalVh commented Jul 7, 2017

Facing same issue here 😞

psillar commented Jul 7, 2017

Turns out I had missed that the API has been updated (and v3.1 must use that updated version). Once I signed up for a new app account (https://apps.dev.microsoft.com) then it worked for me, with the workaround (haven't tried without).
It would be nice if it gave a more helpful error message. I spent days troubleshooting it and trying different approaches. It seems odd that it all works right up until the last step (i.e. you can get to the MS page and login without any kind of indication that you're using a v1 app on the v2 connection) - I think that was why it took me so long to realise. It really should produce an error earlier. Also would be nice if there was more documentation or some kind of notice letting users know that v3.1 uses the new API.

YovavGad (Author) commented Jul 7, 2017

@psillar it may work for you if you're not trying to extract email information, that part doesn't work.

psillar commented Jul 8, 2017

Oh, with the workaround it works for me - I get the email information that way or am I missing something?

YovavGad (Author) commented Jul 8, 2017

Hi @psillar, I just tried it but it's not working for me, just to be sure, can you go to your bin folder and locate Microsoft.Owin.dll then right click it --> properties --> details --> file version - do you have 3.1.60405.82 ?

psillar commented Jul 10, 2017

Hi @YovavGad, yes that's the version I'm using. I do the email capture a bit differently, however:

```csharp
using System.Security.Claims;

// Same lookup as above, but stored under the standard ClaimTypes.Email type.
var email = context.User["userPrincipalName"];
if (email != null)
    context.Identity.AddClaim(new Claim(ClaimTypes.Email, email.ToString()));
```

YovavGad (Author) commented

This is what I was trying but my email comes out empty...

psillar commented Jul 10, 2017

Ok, when I created the app credentials in apps.dev.microsoft.com I selected the 'email' Delegated Permission under Microsoft Graph Permissions. I'm not sure if that makes a difference?

jamesbascle commented Jul 11, 2017

So, what's the deal with this? I'm having some trouble making this work at the moment - my request is being sent back to path /#error=access_denied.

This seems to happen after the execution of the OAuthAuthorizationServerProvider library where I call context.Validated(), but before it ever hits my WebApi code. I tried the OnAuthorized function as suggested by psillar and ShenglinGuo, but it doesn't seem to ever get called.

EDIT: Problem ended up being, ultimately, that I had to request User.Read, openid, email, and pull the email from that userPrincipalName, like psillar and ShenglinGuo suggested. Took downloading, compiling, and debugging into source to work that one out, but confirmed working on my app using the 3.1 version of the code/Nuget.

Tratcher (Member) commented

#89

luronumen commented

Hi @Tratcher

This issue is still reproducible after updating the Microsoft.Owin.Security.MicrosoftAccount package of my Visual Studio project to v4.0.0-alpha1.

Do you think that we should open other issue for tracking it?

Here are more details about this issue:
ASP.NET MVC 5 - Microsoft Account OAuth2 sign-on stop to work after update the Microsoft.Owin packages from v3.0.1 to v3.1.0

Thanks in advance,
Luciano

luronumen commented

I have opened the new issue #112 for tracking it.

lukeeey commented Mar 7, 2019

What is the uaid?

@ghost ghost locked as resolved and limited conversation to collaborators Jan 6, 2020