Microsoft Account OAuth2 sign-on fails when redirect URL is not under the website root

[rxd2]

For example, https://my.site.com/signin-microsoft works but https://my.site.com/myapp/signin-microsoft does not.

GetOwinContext().Authentication.GetExternalLoginInfo() returns null. Callback URL contains error=access_denied parameter. Tracing shows Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationMiddleware Error: 0 : Authentication failed messages.

This is broken in 4.0.0, starting with 3.1.0.

Reproducible both with localhost and the actual domain name.

[shahriarhusainy]

Scenario:

The application root is https://localhost/OwinFbDemo

Suppose https://localhost/OwinFbDemo/securepage is authenticated. https://localhost/OwinDemo/Auth/LoginFB points to the following action method under AuthController.cs:

public ActionResult LoginFB()
{
	HttpContext.GetOwinContext().Authentication.Challenge(new 
		Microsoft.Owin.Security.AuthenticationProperties {
			RedirectUri = "/securepage"
		}, "Facebook");
	return new HttpUnauthorizedResult();
}

The issue is that after successful login through Facebook it will redirect to https://localhost/securepage instead of https://localhost/OwinFbDemo/securepage

[Tratcher]

You're able to work around it by setting RedirectUri = "/OwinFbDemo/securepage", correct?

The awkward bit is that if we fixed it anybody that had used this workaround would break.

[shahriarhusainy]

That worked. Thanks!

[rxd2]

The issue that shahriarhusainy described has obviously nothing to do with the issue I reported. Tratcher, did you have a chance to verify and/or take a look at what's going on?

Just to be clear, I don't manually set RedirectUrl. it's just that because my app is hosted not under the website root, but under virtual directory.

Thank you!

[Tratcher]

Virtual directory or sub application? They behave quite differently.

[rxd2]

Sub application, sorry

[Tratcher]

The error=access_denied parameter is fishy, that would be coming from the external MSA server. It sounds like an app registration problem in MSA.

[rxd2]

Not sure what you mean by "fishy". I just created a new application, under a different microsoft account. I have exactly the same problem. Works perfectly with https://localhost:44300/signin-microsoft. Fails with https://localhost:44300/booking/signin-microsoft. Is that a limitation of MSA? What can I do to help diagnose/fix this?

[muratg]

@rxd2 your issue seems to be a dup of #212, not this one.

@shahriarhusainy glad your issue is resolved, thanks @Tratcher!

Closing this one.

[rxd2]

@muratg I don't agree, it's not a dup. #212 is maybe similar but not quite the same, My application does work with 4.0,0 as long as the redirect URL is a website root.

[muratg]

@rxd2 please file a separate issue as your issue doesn't seem to be related to this one either.

[rxd2]

@muratg Excuse me? It is my issue, I created it. How can it possibly be not "related to this issue"?

[muratg]

@rxd2 you're right, my apologies. @shahriarhusainy's issue was unrelated.

[rxd2]

@muratg No problem, thank you!