Question asked by MatthewHolton-7574

Blazor Issue Deploying to IIS using Azure Identity

Hello,

I am getting an error in my production environment after deploying my Blazor application. The error is:

Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'dev_wasm_client_id' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

I am not sure why the application is trying to use all the development environment settings for Azure Identity or even where it is getting that information from.

Here is my setup:

  • prod_tenant_id: identifier of the production Azure directory

  • prod_svr_client_id: identifier of the server application defined in Azure

  • prod_wasm_client_id: identifier of the WebAssembly application defined in Azure

  • dev_wasm_client_id: identifier of the WebAssembly application defined in Azure (personal DevOps)

    appsettings.json (Server)
    {
      "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "TenantId": "prod_tenant_id",
        "ClientId": "prod_svr_client_id",
        "CallbackPath": "/signin-oidc",
        "SignedOutCallbackPath": "/signout-oidc"
      }
    }

    appsettings.json (WebAssembly)
    {
      "ServerApi": "api://prod_svr_client_id/Access.API",
      "AzureAd": {
        "Authority": "https://login.microsoftonline.com/prod_tenant_id",
        "ClientId": "prod_wasm_client_id",
        "ValidateAuthority": true
      }
    }

ConfigureServices method (Server App)

    ...
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));
    ...

Program.cs (WebAssembly)

 static void ConfigureAuthentication(WebAssemblyHostBuilder builder)
 {
     // "ServerApi" holds the scope the client requests for the hosted API.
     IConfigurationSection webServiceApi = builder.Configuration.GetSection("ServerApi");
     builder.Services.AddMsalAuthentication(options =>
     {
         // Authority and ClientId are bound from the "AzureAd" section of the client appsettings.json.
         builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
         options.ProviderOptions.DefaultAccessTokenScopes.Add(webServiceApi.Value);
         // Keep tokens in localStorage so they survive tab closes and reloads (default is sessionStorage).
         options.ProviderOptions.Cache.CacheLocation = "localStorage";
     });
 }

The authorization request looks like this:

https://login.microsoftonline.com/dev_tenant_id/oauth2/v2.0/authorize?
client_id=dev_wasm_client_id
&scope=api://dev_svr_client_id/Access.API openid profile
&redirect_uri=https://www.mydomain.com/authentication/login-callback
&client-request-id={random_guid}
&response_mode=fragment
&response_type=code
&x-client-SKU=msal.js.browser&x-client-VER=2.8.0
&x-client-OS=&x-client-CPU=
&client_info=1
&code_challenge={hashed_value}
&code_challenge_method=S256
&nonce={random_guid}
&state={hashed_state}

I have no idea why this behavior is occurring.





1 Answer

MatthewHolton-7574 answered (1 vote)

I figured out my issue. Wasm is cached locally in the browser. Evidently when I initially deployed and ran the application, I had the development settings in place and that was cached.

Ctrl+F5 allowed me to force a refresh of the settings and everything is working now.

Thanks.


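The following is an added example, not code from the original question or answer. It turns the two diagnostic steps on this page into a small Node.js script: parse the authorize request the browser actually sent and diff its tenant, client_id and scope against the client appsettings.json the build should ship, then check whether the response headers on appsettings.json would let a browser keep a stale copy after a redeploy, which is the cause the answer identifies. The expected-config object, the trimmed authorize URL and the header samples are constructed and reuse the question's placeholder identifiers; the freshness check is a heuristic, not a full HTTP caching implementation.

```javascript
// Added example, not code from the original post.
// (1) Pull tenant, client_id and scopes out of an MSAL.js authorize request and
//     compare them with the client appsettings.json the build is supposed to ship.
// (2) Flag response headers on appsettings.json that let a browser keep serving a
//     stale copy after a redeploy, which is the cause identified in the answer.
// The config object and header samples are constructed for illustration; the
// placeholder identifiers mirror the ones used in the question.

// Break an Entra ID v2.0 authorize URL into the fields worth checking.
// The path is expected to look like /<tenant>/oauth2/v2.0/authorize.
function parseAuthorizeRequest(rawUrl) {
  const u = new URL(rawUrl);
  const tenant = u.pathname.split("/").filter(Boolean)[0] ?? null;
  const p = u.searchParams;
  return {
    authority: `${u.origin}/${tenant}`,
    tenant,
    clientId: p.get("client_id"),
    scopes: (p.get("scope") ?? "").split(" ").filter(Boolean),
    redirectUri: p.get("redirect_uri"),
    responseType: p.get("response_type"),
    usesPkce: p.get("code_challenge_method") === "S256" && !!p.get("code_challenge"),
  };
}

// Compare a parsed request with the WebAssembly appsettings.json shape used on this
// page (ServerApi + AzureAd.Authority/ClientId). Returns a list of mismatches;
// an empty list means the browser is using the settings you think it is.
function checkAgainstConfig(parsed, config) {
  const problems = [];
  const expectedAuthority = config.AzureAd.Authority.replace(/\/+$/, "");
  if (parsed.authority.toLowerCase() !== expectedAuthority.toLowerCase()) {
    problems.push(`authority ${parsed.authority} != ${expectedAuthority}`);
  }
  if (parsed.clientId !== config.AzureAd.ClientId) {
    problems.push(`client_id ${parsed.clientId} != ${config.AzureAd.ClientId}`);
  }
  if (!parsed.scopes.includes(config.ServerApi)) {
    problems.push(`scope does not include ${config.ServerApi}`);
  }
  if (parsed.responseType !== "code" || !parsed.usesPkce) {
    problems.push("not an authorization-code + PKCE (S256) request");
  }
  return problems;
}

// Heuristic: can a browser reuse a cached appsettings.json without revalidating?
// Header names are matched case-insensitively. Not a full RFC 9111 implementation.
function allowsStaleConfig(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return key ? String(headers[key]) : "";
  };
  const cc = get("cache-control").toLowerCase();
  if (/\bno-store\b|\bno-cache\b|\bmax-age=0\b/.test(cc)) return false;
  const m = /\bmax-age=(\d+)/.exec(cc);
  if (m) return Number(m[1]) > 0;
  const expires = get("expires");
  if (expires) return Date.parse(expires) > Date.now();
  return true; // no freshness information at all: heuristic caching is permitted
}

// Constructed sample: the production client appsettings.json from the question.
const expectedClientConfig = {
  ServerApi: "api://prod_svr_client_id/Access.API",
  AzureAd: {
    Authority: "https://login.microsoftonline.com/prod_tenant_id",
    ClientId: "prod_wasm_client_id",
    ValidateAuthority: true,
  },
};

// Constructed sample: the authorize request observed in the question, trimmed to
// the parameters that matter here (code_challenge value is a placeholder).
const observedAuthorizeUrl =
  "https://login.microsoftonline.com/dev_tenant_id/oauth2/v2.0/authorize" +
  "?client_id=dev_wasm_client_id" +
  "&scope=" + encodeURIComponent("api://dev_svr_client_id/Access.API openid profile") +
  "&redirect_uri=" + encodeURIComponent("https://www.mydomain.com/authentication/login-callback") +
  "&response_mode=fragment&response_type=code" +
  "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256";

function triage(rawUrl = observedAuthorizeUrl, config = expectedClientConfig) {
  return checkAgainstConfig(parseAuthorizeRequest(rawUrl), config);
}

for (const problem of triage()) console.log("MISMATCH:", problem);
console.log("stale appsettings.json possible with max-age=86400?",
  allowsStaleConfig({ "Cache-Control": "public, max-age=86400" }));
```

Everything in the WebAssembly appsettings.json is public by design, so a stale copy is not a secret leak, but it does send sign-ins to the wrong tenant with the wrong client_id, which is exactly the error message above. After a redeploy, run the observed request through this check against the production config before assuming the server-side configuration is at fault, and make sure whatever serves appsettings.json does not hand out a long max-age for it.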