Azure OAuth and OpenId Auth bypass when AppSecret and AppId values are null

I just came across a bug (I think) with the OpenId and OAuth provider settings. When starting UD either with OpenId or OAuth if the Client Id and/or AppSecret are left blank any authentication attempt is bypassed and you are logged into the Dashboard. Also, AdminMode is enabled (but i have AdminModeAuthorizationPolicy set)

Using the Below to set your Authentication Method

$AuthenticationMethod = New-UDAuthenticationMethod -ClientId "" -Instance -Domain "" -TenantId ""


$AuthenticationMethod = New-UDAuthenticationMethod -ResponseType 'id_token token' -AppSecret '' -AppId "" -Authority '' -Resource '' -SaveTokens -PassThru

Then once I add back my AppId and Secret information and just reload UD I am prompted to log in as usual.

Can anyone else verify this? I am using UD 2.8.1

Whoa weird. Sounds like a bug. Probably should just be some validation in New-UDAuthenticaitonMehtod to prevent you from configuring it this way.

Agreed - I didnt even notice I did this, and was trying to figure out why I kept seeing the AdminTools as I wasn’t in my “developers” group. Then I realized that I had my Dashboard running in a new Azure Web App where all my Auth Provider information (Id, Secret, Tenant) are all stored in App Settings and referenced in UD using $env:TenantId but since it was a new Web App none of the App Settings existed.

I also noticed when I’m in the Dashboard without Authenticating none of the auth policy enforcements are in effect. I have pages that have AuthorizationPolicy set but I can still see all the pages content.

When the Auth provider is configured like that starting the dashboard does throw an error but continues to load.