I would like to use Dashboards with OIDC and the Microsoft Graph API. I could not find a documented way in the appsettings.json to override the default “scope=openid profile”. I would like to change the scope to “openid profile offline_access” so I can easily use the $AccessToken in Invoke-RestMethod requests. I can intercept the sign-in request and change the scope and it works exactly as I want.
Also, for anyone interested, here is an extremely minimal Invoke-RestMethod with a Dashboard page that shows the signed in user displayName to show it working. Keep in mind you have to modify the login.microsoftonline.com sign-in link to include the offline_access scope for this to work.
Funny. I just added support for scope yesterday. If you download last night’s build, you should have that property available. I needed it to support group membership for Okta.
@PorreKaj, when you get the login prompt for a new session you will see a link similar to this: Sign in to your account…&redirect_uri=http…&scope=openid%20profile&response_mode=…
Look for “scope=openid%20profile” and change it to “scope=openid%20profile%20offline_access” and continue with the sign-in.
@adam, I updated to the 9/9/21 nightly build and I see the scope change but I get a 500 error on the post back to /auth/signin-oidc. I reverted to a previous nightly and OIDC is working again.
Here is a relevant log entry:
2021-09-09T08:35:41.6007398-07:00 0HMBJKSQ9OA6E:00000005 [INF] Request starting HTTP/1.1 POST https://psu.local:5000/auth/signin-oidc application/x-www-form-urlencoded 3883 (ca22a1cb)
2021-09-09T08:35:41.7317124-07:00 0HMBJKSQ9OA6E:00000005 [ERR] Exception occurred while processing message. (d37e9c4d)
System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
2021-09-09T08:35:41.7318034-07:00 0HMBJKSQ9OA6E:00000005 [INF] Error from RemoteAuthentication: "Response status code does not indicate success: 400 (Bad Request).". (37f74bc6)
2021-09-09T08:35:41.7330322-07:00 0HMBJKSQ9OA6E:00000005 [ERR] Connection id ""0HMBJKSQ9OA6E"", Request id ""0HMBJKSQ9OA6E:00000005"": An unhandled exception was thrown by the application. (560e7d32)
System.Exception: An error was encountered while handling the remote login.
---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2021-09-09T08:35:41.7332250-07:00 0HMBJKSQ9OA6E:00000005 [INF] Request finished HTTP/1.1 POST https://psu.local:5000/auth/signin-oidc application/x-www-form-urlencoded 3883 - 500 0 - 132.4744ms (791a596a)
I think I need to add one more configuration option. The OIDC integration is now attempting to retrieve additional user information but it looks like that’s not possible in all environments. I had test against my Azure AD and Okta environments but maybe there are some permissions or other things preventing this from happening. I’ll add an option so you can turn that off and then it should succeed.