davidjrh / dnn.azureadprovider

The DNN Azure Active Directory Provider is an Authentication provider for DNN Platform (formerly DotNetNuke) that uses Azure Active Directory OAuth2 authentication to authenticate users.

License: MIT License

C# 57.29% CSS 0.29% JavaScript 35.32% Batchfile 0.04% HTML 0.02% Less 6.64% ASP.NET 0.40%
dnn-platform azure dnn-azure azuread active-directory dnn dnncms

Contributors: alendv, cesarab, davidjrh, gbulicanu


dnn.azureadprovider's Issues

Bad Request - Invalid URL

I am getting a "Bad Request" HTTP Error 400 after successful login with the Azure AD with the URL in the address bar showing a long code preceded by "code/" and ending with session state details.

Using AzureUserToken with other Apps

Recently I came across OneNote javascript library (adal.js and angular-adal.js) which I was able to get working on my DNN website. The only issue that I have with it is that the user is presented with a login button to sign in to Azure which makes little to no sense when they signed in with Azure AD in the first place.

I did notice that when I sign in using Azure AD provider I get AzureUserToken. I suppose I have two questions:

  1. Can I use AzureUserToken (oauth_token part of cookie value) to request data from various APIs (Graph, OneNote, OneDrive, SharePoint, etc.)?

  2. And if I can how can I realise this in DNN (web service)?

As per many tutorials and sample apps, I have been trying to use HttpClient with Authorization header while supplying the AzureUserToken. But no matter what I try I am not able to get any response once the request is sent. So my application just sits there waiting for a response.

At this stage, I came to one of two conclusions. Either I am doing something wrong, like sending requests to the wrong Uri or failing to include additional headers. Or I need to do something with the AzureUserToken before I can request data (from OneNote in this case).

Here is a snippet of my HttpClient that I am trying:

private static HttpClient client = new HttpClient();
// two examples of attaching Authorization header to the request
// where token is oauth_token part of AzureUserToken
//client.DefaultRequestHeaders.Add("Authorization", string.Format("Bearer {0}", token));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

HttpResponseMessage response = await client.GetAsync(path);
if (response.IsSuccessStatusCode){
    var resp = await response.Content.ReadAsAsync<OneNoteResponse>();
    if (resp.value != null) {
        notebooks = resp.value.ToList();
    }
}

Azure login stopped working on DNN 9.8.1 for DNN Azure Active Directory provider v4.1.0

Hello,

I have had the module working well in prod for a while. Last time I tried in April it was working but now (July) it doesn't. I tried upgrading to the latest version 4.1.0 but no change. I am able to authenticate on Azure but when redirected back to DNN it throws an error (see below).

I tried installing on a fresh 9.8.1 installation and using the localhost domain it all worked. When I moved the fresh install to prod and used a custom domain the error came back.

Appreciate any help.

AbsoluteURL:/Default.aspx

DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke

ExceptionGUID:e172995d-e813-4ea0-ae2f-9b3d17e5fff9

AssemblyVersion:9.8.1

PortalId:0

UserId:-1

TabId:21

RawUrl:/Login?code=0.AWcAFOsxfvz6uUatCRmuYxSZr6XnMcErXKpHg0W_hY2XiuhnAAA.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P8Fz_kTlwwN5LlhtYL3Q2HRhOILBmxVIrotdlDY-WeFVIeOus--59VlDRnGkogY91pc0UIsfxP_NVjhTw_j-L-856xyf1H7vbZxtba5sgODQfQooMV3kv9oGvTlL3y6gwPJE1g9-4iCuefni57wS-Dtq4

Referrer:https://***

UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

ExceptionHash:B1/hB/3l8SlDIjDaxDT2dOOo9AE=

Message:There was an error processing the credentials. Contact your system administrator.

StackTrace:

InnerMessage:There was an error processing the credentials. Contact your system administrator.

InnerStackTrace:

at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText)
at DotNetNuke.Authentication.Azure.Components.AzureClient.ExchangeCodeForToken()
at DotNetNuke.Authentication.Azure.Components.AzureClient.Authorize()
at DotNetNuke.Authentication.Azure.Login.loginButton_Click(Object sender, EventArgs e)
at DotNetNuke.Authentication.Azure.Login.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.AddedControl(Control control, Int32 index)
at DotNetNuke.Modules.Admin.Authentication.Login.BindOAuthControls()
at DotNetNuke.Modules.Admin.Authentication.Login.BindLogin()
at DotNetNuke.Modules.Admin.Authentication.Login.ShowPanel()
at DotNetNuke.Modules.Admin.Authentication.Login.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.d__246.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Util.WithinCancellableCallbackTaskAwaitable.WithinCancellableCallbackTaskAwaiter.GetResult()
at System.Web.UI.Page.d__523.MoveNext()

Source:

FileName:

FileLineNumber:0

FileColumnNumber:0

Method:

Server Name: ***


Claim 'upn' was not found on the token.

I can not load the ADD login interface through the login page. I am receiving the following error and I found it on the AdminLog page.

Why am I receiving this error? Please help.

Claim 'upn' was not found on the token. Available claims are: , aud, iss, iat, nbf, exp, acr, aio, amr, appid, appidacr, email, family_name, given_name, idp, ipaddr, name, oid, rh, scp, sub, tid, unique_name, uti, ver

What have I missed, and where?
Appreciate your support.

Thank you!
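The claim list in the error above has no `upn` but does carry `tid`, `oid`, `unique_name` and `email`. The following is an added example, not the provider's code and not part of the original issue: it keys the account on the immutable `tid`/`oid` pair and falls back through human-readable claims for the login name. All type and member names, the fallback order and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example; ResolvedIdentity and ClaimResolver are hypothetical names.
public sealed class ResolvedIdentity
{
    public string StableKey { get; set; }       // "<tid>:<oid>", does not change for a user
    public string LoginName { get; set; }       // human-readable, can change or be reassigned
    public string LoginNameClaim { get; set; }  // which claim supplied LoginName
}

public static class ClaimResolver
{
    // Assumed preference order for the human-readable name.
    private static readonly string[] LoginNameCandidates =
        { "upn", "preferred_username", "unique_name", "email" };

    public static ResolvedIdentity Resolve(IDictionary<string, string> claims)
    {
        if (claims == null) throw new ArgumentNullException(nameof(claims));

        // Link the local account to tenant id + object id, never to a mutable name.
        string tid, oid;
        if (!TryGet(claims, "tid", out tid) || !TryGet(claims, "oid", out oid))
            throw new InvalidOperationException(
                "Claims 'tid' and 'oid' are required. " + Describe(claims));

        foreach (string name in LoginNameCandidates)
        {
            string value;
            if (TryGet(claims, name, out value))
            {
                return new ResolvedIdentity
                {
                    StableKey = tid + ":" + oid,
                    LoginName = value,
                    LoginNameClaim = name
                };
            }
        }

        throw new InvalidOperationException(
            "None of the claims " + string.Join(", ", LoginNameCandidates) +
            " was found. " + Describe(claims));
    }

    private static bool TryGet(IDictionary<string, string> claims, string name, out string value)
    {
        // A claim that is present but empty is treated as missing.
        return claims.TryGetValue(name, out value) && !string.IsNullOrWhiteSpace(value);
    }

    private static string Describe(IDictionary<string, string> claims)
    {
        return "Available claims are: " +
               string.Join(", ", claims.Keys.OrderBy(k => k, StringComparer.Ordinal));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed claim set: same claim names as the error above (no 'upn'), made-up values.
        var claims = new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "tid", "11111111-1111-1111-1111-111111111111" },
            { "oid", "22222222-2222-2222-2222-222222222222" },
            { "unique_name", "guest.user@example.com" },
            { "email", "guest.user@example.com" },
            { "name", "Guest User" }
        };

        ResolvedIdentity id = ClaimResolver.Resolve(claims);
        Console.WriteLine("{0} -> {1} (from '{2}')", id.StableKey, id.LoginName, id.LoginNameClaim);

        // Failure mode: no usable name claim at all produces an error listing what was present.
        claims.Remove("unique_name");
        claims.Remove("email");
        try
        {
            ClaimResolver.Resolve(claims);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```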

Error when upgrading to DNN Evoq 9.10

I recently upgraded our development environment to DNN version 9.10 and afterwards I receive the following error when navigating to the login screen:

System.TypeLoadException: Could not load type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' from assembly 'System.IdentityModel.Tokens.Jwt, Version=4.0.20622.1351, Culture=neutral, PublicKeyToken=31bf3856ad364e35'

Logout option

The current implementation of the provider doesn't have the logout option. It should be fine to have, so that we can invalidate the authorization token.

Automatically Authorize?

From a different issue, I saw the problem with users not being authorized when they first sign in. This certainly created a confusing experience for me, and I'm sure others. Also, it adds a lot of administrative work.

Is there a way to automatically authorize new Azure users?

Error on Login AADSTS50011: The reply url specified in the request does not match the reply urls configured

Hello,

I'm working on a DotNetNuke 9.01 Site and I worked with my IT Department on configuring the add-on based on the instructions provided. The problem is that I'm unable to login via Azure as I get the error listed in the title. I'm unable to find where to find the replyUrls section in the code for the site. Can you illuminate how to resolve this issue?

Sincerely,
David B. "Red" Donaldson.

Multi tenant sign in

I ran into a problem signing in users when I tried to leverage multi tenant configuration in Azure AD.

I can still sign in users from my original tenant where I created my App/API without any issues. But as soon as I try to sign in with a user from any other tenant I run into a problem.

RawUrl:/Login?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLUu25ZYGjYBi5qRj0Gm4O7mMLuKLs5bAgBgyjqDFj-hhjHACeXaJmYwIx7B25GzvKKLvhuehMzLVEFd50uj7o45GpO0EXgBNlQEp1tVbiuAnRY8VtNHM1VbUdxZ-fU8db_dQMwecibxU0UQNMyagVFhv--3Tbe7_MTC0oon9Z2t6CM5FGvX3yTuL9x92x6OR1__OYat47FR2_MgyslUFpDrcoWn7
Message:There was an error processing the credentials. Contact your system administrator.
InnerStackTrace:
   at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText)
   at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.ExchangeCodeForToken()
   at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.AuthorizeV2()
   at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e)
   ...

Looking at AzureClient.GetToken the exception is thrown when responseText is either null or an empty string. And the method seems simple enough too.

I looked over OAuthClientBase.AuthorizeV2 and OAuthClientBase.ExchangeCodeForToken but nothing jumped out at me.

Do you have any plans to allow for multi tenant scenarios?
Or is it even possible?

login to second portal gives error

Hi,
Love your plugin and we really needed this plugin for our websites. We hope you can help us with the following issue.
We have one DNN installation in which we host different portals.
When a user is logged into one webportal, this is without problems.
When the same user tries to log in to a second webportal using the same credentials, this gives the following error message: "This username is already in use. Please register with another username."
So the user can only login to one portal, logout, and login to the other portal. And not login to two or more portals the same time.
DNN 9.04.00 and Azure Active Directory Provider 3.1.0
Hope you can fix this!

Error in Role Sync Job

It says it succeeded, but this exception kicks and the roles do not pull down to DNN.

Starting Azure AD Synchronization
Error while synchronizing the roles from portal 0: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=5.0.5.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
File name: 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=5.0.5.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
   at DotNetNuke.Authentication.Azure.Components.Graph.GraphClient..ctor(String clientId, String clientSecret, String tenant)
   at DotNetNuke.Authentication.Azure.ScheduledTasks.SyncSchedule.SyncRoles(Int32 portalId, AzureConfig settings)
WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
Azure AD Synchronization finished successfully

Private registration and login after admin authorization

DNN 9.9.0
DNN Azure AD Provider 4.0.4

Hi @davidjrh ,
I set private registration on my portal. It works properly because non-existing users are created with no authorization (new setting from v4.0.4). They receive the message about admin authorization and close the browser window.
The admin authorizes the user, the user opens a browser window, goes to the site, and the site immediately asks them to choose a login account without a click on the button. It happens on Chrome, Firefox and Edge.

Is this correct? If yes, can you explain why?

PS: I've tried powering off the PC, but there is no way to click on the button. It seems the browser keeps something persistent...

newest version number is 4x or 5x?

Within the DNN Extensions screen, the column for version upgrade shows that there is a newer version number out for the authentication provider (see screenshot). Is that a mistake in the version number listed?


ADAL deprecation

From a quick look at the code it looks like this provider is using Azure Active Directory Authentication Library (ADAL). Microsoft is deprecating ADAL with support ending June 2022 and recommending apps migrate to Microsoft Authentication Library (MSAL).

If it is the case that the provider is using ADAL, are there plans to migrate to MSAL? We have some development capacity but do not want to duplicate effort if this is already in hand.

After Successful Sign, DNN Shows Not Signed In

I've followed the instructions and when I attempt to login with Azure, I'm sent to the Azure AD sign-in page, I successfully sign in and am redirected back to DNN but in DNN, I'm not actually signed in as far as the UI goes. If I check the log in DNN, it shows a successful login by the Azure user account. Any idea what I'm missing in the setup or what is wrong?

Thanks!

Anyone trying this with AzureB2C?

I have been trying to make this work with AzureB2C and seem to be getting very close, but not quite. I think it is actually trying to auth against the AzureAD accounts that I'm using behind AzureB2C. AzureB2C seems to be a good way to centralize various other auth-providers to DNN.

Any feedback, suggestions appreciated.

This might be stupid... but I need to ask because I'm racking my brain - Error processing credentials

AbsoluteURL:/Default.aspx
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:3be21ae4-2792-423b-ab8d-8f12c4e17973
AssemblyVersion:9.1.0
PortalId:0
UserId:-1
TabId:20
RawUrl:/Login?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzeJ8qSXMFfaW-akK3ARO0RGCbFsWoXdljevMDfRp9yWneSQb_oXP24_vfNSYUDNrFh-o09ILH1znhPhnRs3qlz4aNlr53YEp88E39gLwKKE7fOTWq1NFU9HECb7IoVTYuLOBte2h6UsbUlWX7FCYpGD1Cq7KXms03wnDj8q3OUbDNaat0NVCqwY_J77LgKPKjshjN6vh7ZKzC9g89I9VCO4ai
Referrer:http://msaf.azurewebsites.net/Login?returnurl=%2fDefault.aspx%3ftabid%3d20%26error%3dAn%2520unexpected%2520error%2520has%2520occurred
UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
ExceptionHash:krzLKsOKjfdgw1YJ8JwM/1nRH68=
Message:There was an error processing the credentials. Contact your system administrator.
StackTrace:

InnerMessage:There was an error processing the credentials. Contact your system administrator.
InnerStackTrace:
at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText)
at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.ExchangeCodeForToken()
at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.AuthorizeV2()
at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.Authorize()
at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Source:
FileName:
FileLineNumber:0
FileColumnNumber:0
Method:
Server Name: RD0003FF6487C1

I keep getting this error when I attempt to login to my site from Azure AD. However, I believe there to be an issue with syncing users over from Azure AD to my site. Does this app do it automatically or do I have to manually create all my users in my site and what settings do I need to do to tie each user to its Azure AD account?

Error on AuthorizationEndpoint redirect

  • DNN v9.9
  • Using Xcillion skin

I'm running into the following error when redirecting to the AuthorizationEndpoint from AzureClient.cs. Has anyone seen this one before? Any ideas?

2021-04-13 12:56:07,517 [etg65][Thread:16][FATAL] DotNetNuke.Framework.PageBase - An error has occurred while loading page.
System.Web.HttpException (0x80004005): Server cannot append header after HTTP headers have been sent.
   at System.Web.HttpResponse.AppendHeader(String name, String value)
   at System.Web.HttpResponseWrapper.AddHeader(String name, String value)
   at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.GetFormInputElement(HttpContextBase httpContext)
   at System.Web.Helpers.AntiForgery.GetHtml()
   at DotNetNuke.Framework.ServicesFrameworkImpl.RegisterAjaxAntiForgery(Page page)
   at DotNetNuke.Framework.PageBase.OnPreRender(EventArgs e)
   at DotNetNuke.Framework.DefaultPage.OnPreRender(EventArgs evt)
   at System.Web.UI.Control.<PreRenderRecursiveInternalAsync>d__249.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Util.WithinCancellableCallbackTaskAwaitable.WithinCancellableCallbackTaskAwaiter.GetResult()
   at System.Web.UI.Page.<ProcessRequestMainAsync>d__523.MoveNext()
2021-04-13 12:56:07,548 [etg65][Thread:16][TRACE] DotNetNuke.Web.Common.Internal.DotNetNukeHttpApplication - Dumping all Application Errors
2021-04-13 12:56:07,548 [etg65][Thread:16][FATAL] DotNetNuke.Web.Common.Internal.DotNetNukeHttpApplication - System.Web.HttpException (0x80004005): Error executing child request for /ErrorPage.aspx. ---> System.Web.HttpException (0x80004005): Server cannot set content type after HTTP headers have been sent.
   at System.Web.HttpResponse.set_ContentType(String value)
   at System.Web.UI.Page.SetIntrinsics(HttpContext context, Boolean allowAsync)
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride)
   at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride)
   at System.Web.HttpServerUtility.Execute(String path, TextWriter writer, Boolean preserveForm)
   at System.Web.HttpServerUtility.Transfer(String path, Boolean preserveForm)
   at System.Web.HttpServerUtility.Transfer(String path)
   at DotNetNuke.Framework.PageBase.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.<ProcessRequestMainAsync>d__523.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Util.WithinCancellableCallbackTaskAwaitable.WithinCancellableCallbackTaskAwaiter.GetResult()
   at System.Web.UI.Page.<ProcessRequestAsync>d__515.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.UI.Page.<ProcessRequestAsync>d__554.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.TaskAsyncHelper.EndTask(IAsyncResult ar)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

GetToken issue once returned back to DNN website

Hi, looking for tiny bit of help with this one.

After I had no joy with an existing installation (upgraded to 7.4.2) I've setup a clean 7.4.2 installation on my dev server. I then installed Azure Provider 1.0.1 and configured it with relevant Azure AD endpoints. At this stage I get Login with Azure button which redirects me to my portal where I login. When I am redirected back I get an exception and no login.

TabId:55

RawUrl:/Login?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLX5sMXzAHCesPzNYN5YkcQKQq5V2Id8uzfKhP-7PeAz27qIPniM3xwTBkjvregiRW6W-b3LxT-FRYs1mCmg20BmptXfXVSPARfWhTjLI8N6-nXhUy58l6ivSe24NU7ZQ7QQYj3oFUr3J7uZbGX3J0EwtqAChzktkoZnNj0FWexUehlW1gPfA3jfDPmVBNfbtYg2HqfhqJEnFPVNc3hY9Rg6frhc2

InnerMessage:There was an error processing the credentials. Contact your system administrator.

InnerStackTrace:
   at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText) in c:\hosting\dnn742\DesktopModules\AuthenticationServices\Azure\Components\AzureClient.cs:line 78
   at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.ExchangeCodeForToken() in c:\hosting\dnn742\DesktopModules\Library\Services\Authentication\OAuth\OAuthClientBase.cs:line 278
   at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.AuthorizeV2() in c:\hosting\dnn742\DesktopModules\Library\Services\Authentication\OAuth\OAuthClientBase.cs:line 237
   at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e) in c:\hosting\dnn742\DesktopModules\Library\Services\Authentication\OAuth\OAuthLoginBase.cs:line 73
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

So, at this stage I am a bit lost. Is there a sure way to test/know if I am getting the correct token?

The RawURL property from events log has a long code string of something. Is this what I am expecting from Azure AD?

Any pointers or help is much appreciated.

Destroy AzureUserToken at browser/tab close

Hi :)

Is there a way to destroy AzureUserToken at browser/tab close?

I try to add more info and describe my problem:

  1. User goes to my site and is shown the login page
  2. Clicks the "Login with AzureAD" button and does a successful login
  3. Returns to my site, navigates some pages and closes the tab/browser without logging out
  4. Reopens the browser, goes to my site and goes directly to login.microsoftonline.com without passing through my login page

I tried to put some JS code on DOM ready in the login skin but, with the help of network inspect, I saw an automatic redirect without a stop at my login page.

Feature Request: Option to use the id_token instead of access_token

We're running into some limitations in our implementation which has to support B2B (Azure Guest) users and internal users.

I'm considering changing things around a bit to use the id_token rather than the access_token for incoming claims, since we have a bit more flexibility with configuring the claims present there.

What do you think about the idea?

Settings do not save in DNN 9.01+

When configuring settings in DNN 9.01+, the settings will not save. Manually creating them in the Database works though.

Status Code: 404
URL: /API/personaBar/AzureAD/UpdateSettings

Pass user profile data to third party API

Please, can I know if it is possible to pass DNN user profile data to another Web API through this module? It may be a query string or through tokens, or is there any other possible way to pass the data to a third-party external app?

I appreciate your support.

User can't be created if another has the same nickname

Hi @davidjrh , I've got this problem: can you help me to find a way to solve it?
In my site, with private registration, I've two kind of login: one with your module, one with SPID (Public Digital Identity System (SPID) is the simple, fast and secure access key to digital services of local and central administrations)

The login phase goes when

  1. User login with SPID: it doesn't exist and it's created on portal DB
  2. Same user login with AAD: it doesn't exist, the process goes in error. From Admin Log, I've got this error The logged in user azure-MYEMAIL does not belong to PortalId 0

This is the inner stack trace

at DotNetNuke.Authentication.Azure.Components.AzureClient.AuthenticateUser(UserData user, PortalSettings settings, String IPAddress, Action`1 addCustomProperties, Action`1 onAuthenticated)
   at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Control.<LoadRecursiveAsync>d__246.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Util.WithinCancellableCallbackTaskAwaitable.WithinCancellableCallbackTaskAwaiter.GetResult()
   at System.Web.UI.Page.<ProcessRequestMainAsync>d__523.MoveNext()

I think this error is caused by DisplayName field: SPID and AAD user have the same value

Thanks for the help

Private registration but user automatically authorized

Environment

  • DNN 9.9.0
  • DNN Azure AD Provider 4.3.0
  • Windows Server 2012 R2

Problems
I set private registration (as described in DNN registration type): I think a non-registered AD user needs to be authorized by the Site Admin but this doesn't happen.
I'm going to explain my problem

  1. A non-registered AD user tries to "Sign in with Azure":
    1. a new user will be created
    2. the non-registered user receives, on the screen, the message

    An e-mail with your details has been sent to the Site Administrator for verification. You will be notified by email when your registration has been approved.

  2. Site Administrator doesn't receive mail
  3. The non-registered AD user (now registered) tries again to "Sign in with Azure" and can access the site

Why does it happen?
Thanks for the support

Microsoft Graph vs Azure AD Graph

I came across an article today Microsoft Graph or Azure AD Graph.

The gist is that Microsoft is pushing developers to use their new Microsoft Graph API (graph.microsoft.com) as opposed to Azure AD Graph (graph.windows.net). Now in saying that Microsoft is still committed to supporting Azure AD 99.99% of the way.

Now in saying that there is no immediate concern but the article is soon to be a year old. I guess the question is when should we be concerned about switching over to the new Graph API?

Azure AD roles map and synchronize with DNN roles

I am using a free Azure version, So I can use only the default Azure AD roles. I created a new role on DNN and mapped on the "ROLE MAPPINGS". But I can not see the DNN user has updated with the role.

Please, can you advise me on how to work with this?

Thank you!

Problem with JWT

Just tried to activate the provider on a DNN 9.6.0 installation and it said:

Could not load type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' from assembly 'System.IdentityModel.Tokens.Jwt, Version=4.0.20622.1351, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

Setup for DNN 7.4.1

I'm trying to configure v1 on a DNN 7.4.1 and the settings contain a few extra options not mentioned here.
So far I see:

  • TokenEndPointId
  • AuthorizationEndPoint
  • GraphEndPoint
  • AppIdUri
  • APIKey
  • APISecret

I have the following params for my account: Directory ID, AppID and key.
I guess that Key refers to APISecret but don't know how to configure everything else.

Anyone?

Add a dropdown with the list of supported claims

To help mapping claims to user properties or user profile properties, adding a dropdown with the list of supported claims for the current application would help.

The list of supported claims for an application can be obtained from:

  • v1.0 tokens: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid={client-id}
  • v2.0 tokens: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}

Plus the "core claim set" present in every token regardless of the policy. These claims are also considered restricted, and can't be modified. More info at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

MFA and/or device registration

Azure AD Provider has worked well for us for over a year now. We have stumbled lately when trying to enforce conditional access off network using MFA and/or device registration.

In DNN we receive the generic “A critical error has occurred.” on client side, and event log we see a Page Load Exception with the following details:
InnerMessage:
There was an error processing the credentials. Contact your system administrator.
InnerStackTrace:
at DotNetNuke.Authentication.Azure.Components.AzureClient.GetToken(String responseText)
at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.ExchangeCodeForToken()
at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.AuthorizeV2()
at DotNetNuke.Services.Authentication.OAuth.OAuthClientBase.Authorize()
at DotNetNuke.Authentication.Azure.Login.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.AddedControl(Control control, Int32 index)
at System.Web.UI.ControlCollection.Add(Control child)
at DotNetNuke.Modules.Admin.Authentication.Login.BindOAuthControls()
at DotNetNuke.Modules.Admin.Authentication.Login.BindLogin()
at DotNetNuke.Modules.Admin.Authentication.Login.ShowPanel()
at DotNetNuke.Modules.Admin.Authentication.Login.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

These are the versions we are currently running:

  1. Evoq Content 8.5
  2. DNN Azure Active Directory Authorization Provider Version 01.00.05

Redirect Uri validation

In the previously installed version, the provider seemed to work, however, it redirected me back to the login page, and the login page redirected me back to Azure, so I ended up in an endless loop. So I decided to install the new version, since this has the Redirect URI field, which should redirect me to another page instead of the login page.

I just entered "/" into the Redirect URI, so my expectation was that it would redirect to the homepage.
The result was that the login page gave me an error and I basically could not login anymore.
So please add some validation and some help text that you should enter the full url...
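A sketch of the validation this issue asks for, as an added example (not the provider's own code): it accepts only a full http(s) URL and rejects relative values such as "/". The class and method names are hypothetical, and the sample inputs in `Main` are constructed.

```csharp
using System;

// Hypothetical helper for illustration; not part of DNN or the Azure AD provider.
public static class RedirectUriValidator
{
    // Accepts only an absolute http(s) URL without fragment or embedded credentials.
    public static bool TryValidate(string input, out Uri redirectUri, out string error)
    {
        redirectUri = null;
        error = null;
        Uri parsed;

        if (string.IsNullOrWhiteSpace(input))
        {
            error = "Redirect URI is empty. Enter the full URL, for example https://www.example.com/";
            return false;
        }
        // Check the scheme as well as UriKind.Absolute: on Unix, .NET parses a
        // rooted path such as "/" as an absolute file:// URI.
        if (!Uri.TryCreate(input.Trim(), UriKind.Absolute, out parsed) ||
            (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps))
        {
            error = "Redirect URI must be a full http(s) URL, not a relative path such as \"/\".";
            return false;
        }
        // RFC 6749 section 3.1.2: the redirection endpoint must not include a fragment.
        if (!string.IsNullOrEmpty(parsed.Fragment) || !string.IsNullOrEmpty(parsed.UserInfo))
        {
            error = "Redirect URI must not contain a fragment (#...) or user:password@ part.";
            return false;
        }
        redirectUri = parsed;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        foreach (var s in new[] { "/", "Home", "ftp://www.example.com/", "https://www.example.com/#top", "https://www.example.com/" })
        {
            Uri uri; string error;
            Console.WriteLine(TryValidate(s, out uri, out error)
                ? s + " -> accepted as " + uri.AbsoluteUri
                : s + " -> rejected: " + error);
        }
    }
}
```

A value that passes this check still has to match a redirect URI registered on the Azure AD application, otherwise Azure AD rejects the sign-in request.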

Saving Secrets While Not Logged In

Scenario

As a host user I have logged in and opened the Persona Bar Module to configure Azure AD. My session expires and I attempt a save and no error appears.

Reproduction Steps

  1. Install Module into new instance of DNN
  2. Configure Azure AD correctly per the documentation
  3. Open a new tab
  4. Log out and verify that you are logged out in the new tab
  5. In the original tab, update the Azure AD secrets/appid or directory id

Expected Behavior

  • A warning message or something should notify the user they are not actually logged in

Actual Behavior

  • The UI appears to process without issue
  • The backend does not save the new credentials

Notes/Comments

It appears this works as designed, but the front-end of the Persona Bar module doesn't get a good communication with the backend, which makes sense, as you are no longer logged in and the session has expired.

It would be a nice polish to add an error message on the Persona Bar module if the front-end code can't communicate with the API

Versions

DNN: 9.4.1
Module: 3.1.0

Other

This module is really great! I built custom Azure AD Providers for customers before and I was very impressed this just worked out of the box. I am really glad I found this and you guys did a great job from the UI/UX. Any Admin that is familiar with the Azure AD side shouldn't have a problem configuring this.

Great Job!

Strange Exception Error DNN9

Hi, I followed the instructions and have even recreated the DNN instance. Once I successfully authenticate with Azure, I get this error which I can access from the admin logs. Any ideas?

Default.aspx
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:
AssemblyVersion:9.1.0
PortalId:0
UserId:-1
TabId:41
RawUrl:/myfcac/Login?code=AQinserthugecode
Referrer:http://my.xxx.xxx/xxx/Login?returnurl=%2fxxx%2f
UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
ExceptionHash:2EkBxCkXPumUyBpTHS6NoTboxPU=
Message:Object reference not set to an instance of an object.
StackTrace:
InnerMessage:Object reference not set to an instance of an object.
InnerStackTrace:
at DotNetNuke.Authentication.Azure.Components.AzureClient.GetCurrentUserTUserData at DotNetNuke.Authentication.Azure.Login.GetCurrentUser() at DotNetNuke.Services.Authentication.OAuth.OAuthLoginBase.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Error "AADSTS90023 Request is malformed or invalid."

The below issue from the previous version has returned with the latest version:

Fixed double exchange code for token calls, causing a login issue introduced on Azure AD after October 10th, 2018

I verified this by getting the error caused by the issue using the latest version. I then installed the previous version, and the issue was gone.

Multi Portal Enhancements

I have an idea for enhancing the way the system works with multiple portals. I think the easiest way to explain what I am trying to accomplish is with an example. Let's assume you have a company with multiple portals like company.com, accounting.company.com, hr.company.com, portal.company.com (intranet for all employees) etc. If all the portals use the same Azure AD (Use Global Settings = true) then you could surface two other settings, both portal specific:

  1. Automatically add authenticated user to this portal.
  2. Required AAD group to automatically add user to this portal.

This way, if the first setting was true and the second was blank, when you authenticated through Azure AD you would automatically be added to the portal, even if you were already a user on another portal. So for example, I am a user on company.com and I login using AAD to portal.company.com the AzureClient adds me to the userportals table for that portal and adds appropriate roles.

If the first setting is true and the second is non-blank, when you authenticate through Azure AD it would verify you have the AAD group associated with the second setting before either adding you to portal or authorizing you.

So in the example:
company.com: 1 = true, 2 = null
accounting.company.com: 1 = true, 2 = "accounting staff"
hr.company.com: 1 = true, 2 = "hr staff"
portal.company.com: 1 = true, 2 = null.

So user 1 with "accounting staff" AAD group can login to company.com, accounting.company.com, portal.company.com but not hr.company.com.

Hopefully, this makes sense. I have modified the code in AzureClient.cs and have it working correctly, but have not tried to add these settings to the UI they are just hard coded into AzureClient.cs at the moment. I have never really worked with open source before and have not worked with the persona bar/ react components. I would be willing to learn and finish this option out if it is something you are interested in, but didn't want to proceed too far if it does not fit with your plans.

Can't assign permissions to Azure AD users until they login for the first time

Currently there is no way to give user-specific permissions to Azure AD users until they log in at least once. While there is a scheduled role sync implemented, there is no scheduled user sync so users automatically populate on DNN.

Would be nice to have a scheduled task that synchronizes Azure AD users in background every X hours by using the MS Graph API with filter support to avoid fully synchronizing huge Azure AD tenants.

Authenticate with AD previously created user

Hello,
I was looking for a way to authenticate users in DNN 9.1.1 using Azure AD and found your project.
I have a multi-portal installation using DNN 9.1.1 and I have already created about 80 users. After installing azureadprovider version 3.00.00 and configuring everything I got this error:

A user is already using this email address. Please register under a different email address or obtain a password reminder using your existing email address.

How can I update all users so that next time they authenticate they can use Login with AD and not username and password?

Thank you

Problem after update AD password

Environment

  • DNN 9.9.0
  • DNN Azure AD Provider 4.0.4
  • Windows Server 2012 R2

Problem
I updated my Azure Active Directory (AAD) password a few days ago; after this change, I tried to log in to my site and got the attached error
ErroreAAD
If I discard the saved user/pw and try a new value (same email but different PW), I can log in

  1. Is this normal?
  2. Does it depend on the AAD config?
  3. How can I avoid it?

Thanks for the support, best regards

Scope of token request

It appears that the app is using the v1.0 endpoint for the implicit grant:

public const string RoleSettingsAadPropertyName = "IdentitySource";
public const string RoleSettingsAadPropertyValue = "Azure";
private const string TokenEndpointPattern = "https://login.microsoftonline.com/{0}/oauth2/token";
private const string LogoutEndpointPattern =
"https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}";
private const string AuthorizationEndpointPattern = "https://login.microsoftonline.com/{0}/oauth2/authorize";
private const string GraphEndpointPattern = "https://graph.windows.net/{0}";
private static readonly ILog Logger = LoggerSource.Instance.GetLogger(typeof(AzureClient));
private GraphClient _graphClient;
private GraphClient GraphClient

When building the query params, scope is defined:

new QueryParameter("scope", Scope),
new QueryParameter("client_id", APIKey),
new QueryParameter("redirect_uri", HttpContext.Current.Server.UrlEncode(CallbackUri.ToString())),
new QueryParameter("state", HttpContext.Current.Server.UrlEncode(new State() {
PortalId = Settings.PortalID,
Culture = PortalSettings.Current.CultureCode
}.ToString())),
new QueryParameter("response_type", "code"),
new QueryParameter("response_mode", "query"),

However, according to the Microsoft docs for the v1 endpoint, scope is ignored, and you should instead use resource. Without the resource on the v1 endpoint, you are going to get the default graph JWT tokens, not the ones defined in the app manifest.
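The parameter difference this issue describes, as an added example (not the provider's code): the same authorization-code request built for the v1.0 endpoint with `resource` and for the v2.0 endpoint with `scope`. The class name, tenant, client id, redirect URL, state value and the resource and scope values are placeholders constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustrative only; not the provider's code. All argument values in Main are placeholders.
public static class AuthorizeRequestExample
{
    private const string V1Authorize = "https://login.microsoftonline.com/{0}/oauth2/authorize";
    private const string V2Authorize = "https://login.microsoftonline.com/{0}/oauth2/v2.0/authorize";

    private static string Build(string pattern, string tenant, IDictionary<string, string> query)
    {
        // Encode each value exactly once, when the query string is assembled.
        var pairs = query.Select(p => p.Key + "=" + Uri.EscapeDataString(p.Value));
        return string.Format(pattern, Uri.EscapeDataString(tenant)) + "?" + string.Join("&", pairs);
    }

    // v1.0: the API the token is issued for is named by "resource" (an App ID URI).
    public static string BuildV1(string tenant, string clientId, string redirectUri, string state, string resource)
    {
        return Build(V1Authorize, tenant, new Dictionary<string, string>
        {
            { "client_id", clientId }, { "response_type", "code" }, { "response_mode", "query" },
            { "redirect_uri", redirectUri }, { "state", state }, { "resource", resource }
        });
    }

    // v2.0: no "resource" parameter; permissions are requested as space-separated scopes.
    public static string BuildV2(string tenant, string clientId, string redirectUri, string state, string[] scopes)
    {
        return Build(V2Authorize, tenant, new Dictionary<string, string>
        {
            { "client_id", clientId }, { "response_type", "code" }, { "response_mode", "query" },
            { "redirect_uri", redirectUri }, { "state", state }, { "scope", string.Join(" ", scopes) }
        });
    }

    public static void Main()
    {
        const string tenant = "contoso.onmicrosoft.com";                 // placeholder tenant
        const string clientId = "00000000-0000-0000-0000-000000000000";  // placeholder app id
        const string redirect = "https://www.example.com/Login";         // placeholder callback
        const string state = "constructed-opaque-state";                 // per-request value in real use

        Console.WriteLine(BuildV1(tenant, clientId, redirect, state, "https://graph.windows.net"));
        Console.WriteLine(BuildV2(tenant, clientId, redirect, state,
            new[] { "openid", "profile", "https://graph.microsoft.com/User.Read" }));
    }
}
```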
