Azure AD OpenIdConnect federation using AddMicrosoftIdentityWebApp and .NET Core 3.1

Vilhelm Heiberg 11 Reputation points
2021-09-27T11:15:09.437+00:00

We are trying to set up federation to an Azure AD using OpenIdConnect in .NET Core 3.1.
But we get errors. We have searched the documentation but have not found any good description of how to solve this fairly common task.
We are able to start the federation process, but it stops after the user has logged in and is redirected back to our server.
Then we get "message.State is null or empty", which probably implies that the middleware is not able to interpret the response.

What are we doing wrong?

We are using Microsoft.Identity.Web and AddMicrosoftIdentityWebApp.
More specifically, we are using this version of it:

authenticationBuilder.AddMicrosoftIdentityWebApp (Action<Microsoft.Identity.Web.MicrosoftIdentityOptions> configureMicrosoftIdentityOptions, Action<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>? configureCookieAuthenticationOptions = default, string openIdConnectScheme = "OpenIdConnect", string? cookieScheme = "Cookies", bool subscribeToOpenIdConnectMiddlewareDiagnosticsEvents = false, string? displayName = default);

The reason for that is that our client supports several federations to several ADFS servers. We must use a custom scheme name so as not to conflict with other federations.
Here is the relevant section from Startup.cs

        string tenantId = "<the Azure AD tenant Id>";
        string authenticationScheme = "myCustomScheme";
        string clientUrl = "https://myexampleclient.com/";
        authenticationBuilder.AddMicrosoftIdentityWebApp(options =>
        {
            options.ResponseMode = "fragment"; // We have tried "form_post", "query" and "fragment".
            options.Domain = new Uri(clientUrl).Host;
            options.Instance = clientUrl;
            options.TenantId = tenantId;
            options.ClientId = "<the clientId>";
            options.ClientSecret = "<the clientSecret>";
            options.CallbackPath = "/auth/landing/azuread";
            options.ResponseType = Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectResponseType.CodeIdToken;
            options.MetadataAddress = "https://login.microsoftonline.com/" + tenantId + "/v2.0/.well-known/openid-configuration";
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.SignedOutRedirectUri = clientUrl + "auth/signout/";
        }, null, authenticationScheme, authenticationScheme + ".Cookies", true, "MyAzureAdTest");

And here is the code in the controller

    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Mvc;
    using System.Threading.Tasks;

    [Route("[controller]/openid/{name}")]
    public IActionResult OpenId(string name)
    {
        if(name == "azuread")
        {
            string returnUrl = "/auth/landing/azuread";
            string authenticationScheme = "myCustomScheme";

            var props = new AuthenticationProperties
            {
                RedirectUri = returnUrl,
                Items = { { "scheme", authenticationScheme } }
            };
            return Challenge(properties: props, authenticationScheme);
        }
        return NotFound(); // no other federation name is handled in this excerpt
    }

    [HttpPost]
    [HttpGet]
    [Route("[controller]/landing/{name}")]
    public async Task<IActionResult> Landing(string name)
    {
        // It never gets here..... instead the middleware throws an error.
        await Task.CompletedTask; // placeholder so the action compiles
        return Ok();
    }
Tags: ASP.NET Core, Active Directory Federation Services, Microsoft Entra ID
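The error quoted in the question, "message.State is null or empty", is what the ASP.NET Core OpenIdConnectHandler returns when a request arrives at its CallbackPath without a state value it issued and can unprotect (unless SkipUnrecognizedRequests is set, in which case the request is passed on). The state parameter is the handler's binding of the authorization response to a sign-in this server started, so a missing or unverifiable state is rejected rather than processed. The following is an added example written for this page, not code from the question, from ASP.NET Core or from Microsoft.Identity.Web: a small Python model of what the server sees at the callback path for each response_mode the question tried, and of what happens when the post-sign-in redirect target is the callback path itself (in the question, RedirectUri and CallbackPath are both "/auth/landing/azuread"). The HMAC state protector, the key, the token values and the URLs are constructed for illustration; the real handler uses DataProtection for the state.

```python
# Added example for this page (not code from the question, ASP.NET Core or
# Microsoft.Identity.Web): a model of what a server-side OpenID Connect
# handler sees at its CallbackPath for each response_mode, and why a request
# there without a valid 'state' ends in "message.State is null or empty".
# The state protector, key, URLs and token values below are constructed.
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/auth/landing/azuread"          # CallbackPath from the question
SITE = "https://myexampleclient.com"              # clientUrl from the question
STATE_KEY = b"constructed-data-protection-key"    # stands in for DataProtection

STATE_NULL_OR_EMPTY = "fail: message.State is null or empty"
ID_TOKEN_IN_QUERY = ("fail: An OpenID Connect response cannot contain an identity "
                     "token or an access token when using response_mode=query")


def protect_state(properties: dict) -> str:
    """Serialise AuthenticationProperties into the 'state' sent to the IdP,
    bound to this server with an HMAC so a forged or altered state is
    rejected on the way back (constructed stand-in for StateDataFormat)."""
    body = base64.urlsafe_b64encode(
        json.dumps(properties, sort_keys=True).encode()).rstrip(b"=").decode()
    tag = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unprotect_state(state: str):
    """Return the properties carried by 'state', or None if absent/tampered."""
    if not state or "." not in state:
        return None
    body, tag = state.rsplit(".", 1)
    expected = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def server_receives(method: str, browser_url: str, form=None) -> dict:
    """The request as the server sees it: the URL fragment is never sent."""
    parts = urlsplit(browser_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query,
            "form": dict(form or {})}


def handle_callback(request: dict, skip_unrecognized: bool = False):
    """Mirror of the first checks the OIDC handler runs on its CallbackPath."""
    if request["path"] != CALLBACK_PATH:
        return "not-for-this-handler"
    if request["method"] == "GET":
        message = request["query"]
        # Tokens must never travel in the query string (logs, Referer leaks).
        if "id_token" in message or "access_token" in message:
            return ID_TOKEN_IN_QUERY
    elif request["method"] == "POST":
        message = request["form"]
    else:
        message = {}
    properties = unprotect_state(message.get("state", ""))
    if properties is None:
        # Anything at CallbackPath without a state this server issued is
        # rejected (or passed on, if SkipUnrecognizedRequests were set).
        return "skip" if skip_unrecognized else STATE_NULL_OR_EMPTY
    return {"code": message.get("code"), "id_token": message.get("id_token"),
            "properties": properties}


def simulate(response_mode: str, redirect_uri: str = "/"):
    """Drive one sign-in: state issued, IdP answers with code+id_token via
    the given response_mode, handler processes the callback."""
    state = protect_state({"redirect_uri": redirect_uri, "scheme": "myCustomScheme"})
    params = {"code": "AUTHCODE", "id_token": "HEADER.PAYLOAD.SIG", "state": state}
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    if response_mode == "form_post":
        return handle_callback(server_receives("POST", SITE + CALLBACK_PATH, form=params))
    if response_mode == "query":
        return handle_callback(server_receives("GET", f"{SITE}{CALLBACK_PATH}?{qs}"))
    # fragment: the browser keeps everything after '#'; the server gets a bare GET
    return handle_callback(server_receives("GET", f"{SITE}{CALLBACK_PATH}#{qs}"))


def follow_redirect(result: dict):
    """After a successful callback the handler 302s to the stored redirect_uri;
    the browser GETs it with no OIDC parameters at all."""
    target = result["properties"]["redirect_uri"]
    return handle_callback(server_receives("GET", SITE + target))


if __name__ == "__main__":
    for mode in ("form_post", "query", "fragment"):
        print(mode, "->", simulate(mode))
    print("form_post, then redirect to /:", follow_redirect(simulate("form_post", "/")))
    print("form_post, then redirect to CallbackPath:",
          follow_redirect(simulate("form_post", CALLBACK_PATH)))
```

Run as a script, the model shows that only form_post delivers code, id_token and state to the server; fragment mode leaves the server with a bare GET to the callback path and therefore the "message.State is null or empty" result; query mode is refused because an id_token in the query string is not accepted. The last line shows that a redirect target equal to CallbackPath produces the same state error on the very next request, since the handler cannot tell that GET from a callback that lost its state.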

3 answers

Sort by: Most helpful
  1. Alex P 1 Reputation point
    2021-12-22T12:23:13.63+00:00

    I have the same issue. Did you find a solution? @Vilhelm Heiberg


  2. Riya 1 Reputation point
    2022-08-03T09:34:33.873+00:00

    Did you find the solution? If yes please help me I am also having same problem.


  3. 2023-01-05T08:19:29.9+00:00

    Could it be that the CallbackPath should be set to "/signin-oidc"?

    As mentioned here:
    https://github.com/dotnet/aspnetcore/issues/26932#issuecomment-709422116
