AdamBlankenship-4615 asked (0 votes)

Azure Ad WebApp MSGraph Value cannot be null

I'm running into an issue with AzureAd/Graph configuration between Azure and local. I'm using VS2019, .NET Core 5, Identity.Web 1.23. On local, both in Visual Studio and as a standalone exe, I am able to connect to Graph and get my roles and details. When the same code is deployed to the Azure Web App I get the following.

 Code: generalException
 Message: An error occurred sending the request.
 Value cannot be null. (Parameter 'headers')
    at Microsoft.Identity.Web.AppServicesAuthenticationInformation.GetIdToken(IDictionary2 headers)
    at Microsoft.Identity.Web.AppServicesAuthenticationTokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
    at Microsoft.Identity.Web.TokenAcquisitionAuthenticationProvider.AuthenticateRequestAsync(HttpRequestMessage request)
    at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
    at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
    at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)<Microsoft.Identity.Web

The code in question

 //Startup.cs
 var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
 services.AddMicrosoftIdentityWebApiAuthentication(Configuration);

 JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

 services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
     .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
     .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
     .AddInMemoryTokenCaches();
 services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
 {
     options.TokenValidationParameters.RoleClaimType = "roles";
 });
 services.AddControllersWithViews(options =>
 {
     var policy = new AuthorizationPolicyBuilder()
         .RequireAuthenticatedUser()
         .Build();
     options.Filters.Add(new AuthorizeFilter(policy));
 }).AddMicrosoftIdentityUI();

 services.AddRazorPages()
     .AddMicrosoftIdentityUI();

 // Add the UI support to handle claims challenges
 services.AddServerSideBlazor()
     .AddMicrosoftIdentityConsentHandler();

 //And in the page itself
 var request = GraphServiceClient.Me.Request();
 userInfo = await request.GetAsync();


app.config for reference

   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
     "ClientCertificates": [
     ],
     "CallbackPath": "/signin-oidc",
     "SignedOutCallbackPath": "/signout-callback-oidc"
   },
   "DownstreamApi": {
     "BaseUrl": "https://graph.microsoft.com/v1.0",
     "Scopes": "User.Read"
   },

Anything pointing me in a direction would be helpful, I have been stumped by this for a week now.












Hi @AdamBlankenship-4615

Thanks for reaching out.

Did you try downgrading the Microsoft.Identity.Web NuGet package from 1.23 to a lower version?

Thanks
Shweta


Bruce-SqlWork answered (0 votes)

Because Azure is a web farm, you cannot use the in-memory token cache. You need to use a distributed cache solution.

https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-6.0

AdamBlankenship-4615 answered (0 votes)

I did find my issue. I changed the memory token cache, which did not fix the issue.
My issue was related to the web app running under its own resource ID.


@AdamBlankenship-4615

Thanks for the update. Could you please update the solution in detail, so it would help other community members reading this thread?

Thanks,
Shweta

Hatch-4378 answered (2 votes)

I was having this same issue as soon as I deployed the app to an Azure App Service. It took longer than expected to resolve, but I tracked it back to Microsoft.Identity.Web which, it turns out, uses the HttpContext to get the token. Short answer: turn on Settings > Configuration > General Settings > Web Sockets in the App Service, which will include the HttpContext information in the socket calls to your app, and it should resolve the null reference exception.
