OIDC redirect loop

Product: PowerShell Universal
Version: 3.4.0

I’m attempting to setup OIDC authentication on a free trial license, hosted within IIS, and entering a redirect loop on login. The first connection to the site after it’s launched prompts for windows credentials and then sends me into a redirect loop. I was able to catch some errors in the web console, but I’m unsure how to resolve these.

Access to fetch at 'https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&redirect_uri=https%3A%2F%2F{psu_host}%2Fauth%2Fsignin-oidc&response_type=code&scope=openid%20profile%20groups&code_challenge={challenge_id}&code_challenge_method=S256&response_mode=form_post&nonce={nonce}&state={state}&x-client-SKU=ID_NET6_0&x-client-ver=6.21.0.0' (redirected from 'https://{psu_host}/api/v1/accessControl/adminConsole') from origin 'https://{psu_host}' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Here is my appsettings.json & web.config

{
  "Kestrel": {
    "Endpoints": {
      "HTTP": {
        "Url": "https://*:443"
      }
    },
	"Limits": {
      "MaxRequestHeadersTotalSize": 13276800
    },
    "RedirectToHttps": "false",
    "UseHttpSys": "false",
    "BasePath": ""
  },
  "ApplicationInsights": {
    "InstrumentationKey": ""
  },
  "Logging": {
    "Path": "%PROGRAMDATA%/PowerShellUniversal/log.txt",
    "RetainedFileCountLimit": 31,
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information",
      "Grpc": "Information"
    }
  },
  "AllowedHosts": "*",
  "CorsHosts": "https://login.microsoftonline.com;https://{psu_host}",
  "Plugins": [
    "UniversalAutomation.LiteDBv5"
  ],
  "Data": {
    "RepositoryPath": "%ProgramData%\\UniversalAutomation\\Repository",
    "ConnectionString": "filename=%ProgramData%\\UniversalAutomation\\database.db;upgrade=true",
    "GitRemote": "",
    "GitUserName": "",
    "GitPassword": "",
    "GitBranch": "",
    "GitSyncBehavior": "TwoWay",
    "GitInitializeBehavior": "",
    "GitSyncInterval": "1",
    "ConfigurationScript": ""
  },
  "Api": {
    "Url": "https://{psu_host}",
    "GrpcPort": 0
  },
  "Authentication": {
    "Windows": {
      "Enabled": "false"	
    },
    "WSFed": {
      "Enabled": "false",
      "MetadataAddress": "",
      "Wtrealm": "",
      "CallbackPath": "/auth/signin-wsfed",
      "Wreply": "",
      "UseTokenLifetime": true,
      "CorrelationCookieSameSite": ""
    },
    "OIDC": {
      "Enabled": "true",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "{client_id}",
      "ClientSecret": "{client_secret}",
      "Resource": "",
      "Authority": "https://login.microsoftonline.com/{tenant_id}",
      "ResponseType": "code",
      "SaveTokens": "false",
      "CorrelationCookieSameSite": "",
      "UseTokenLifetime": true,
      "Scope": "openid profile groups",
      "GetUserInfo": "false"
    },
    "ClientCertificate": {
      "Enabled": "false"
    },
    "SessionTimeout": "25"
  },
  "Jwt": {
    "SigningKey": "PleaseUseYourOwnSigningKeyHere",
    "Issuer": "IronmanSoftware",
    "Audience": "PowerShellUniversal"
  },
  "UniversalAutomation": {
    "JobHandshakeTimeout": 5,
    "JobDebugging": false,
    "ContinueJobOnServerStop": false
  },
  "UniversalDashboard": {
    "AssetsFolder": "%ProgramData%\\PowerShellUniversal\\Dashboard",
    "DashboardStartupTimeout": 10
  },
  "Secrets": {
    "SecretStore": {
      "Password": "PSUSecretStore"
    }
  },
  "ShowDevTools": false,
  "HideAdminConsole": false,
  "Profiling": false
}

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="C:\inetpub\wwwroot\PowerShellUniversal\Universal.Server.exe" arguments="" forwardWindowsAuthToken="true" stdoutLogEnabled="true" stdoutLogFile="C:\ProgramData\PowerShellUniversal\logs\log" hostingModel="InProcess" />
  </system.webServer>
</configuration>

I’ve also tried to set the authentication up with the authentication.ps1 file and this command:

Set-PSUAuthenticationMethod -Type "OpenIDConnect" -CallbackPath "/auth/signin-oidc" -ClientId "{client_id}" -ClientSecret "{client_id}" -Authority "https://login.microsoftonline.com/{tenant_id}" -ResponseType "code" -Scopes "openid profile groups"

Am I missing some step of configuration when following the documentation on authenticating with azure active directory? Or have I misconfigured something along the way?

I think more of your IIS configuration is needed to diagnose…

I’ll also say this; my time with PSU in IIS wasn’t great. If you can, I recommend having it run from it’s own service.

Not sure if there are specific IIS configuration options needed to see, but here are all the ones that I have changed from default values:

AppPool:

Site Settings:

Site Authentication:

Other than these settings, everything else within IIS (Version 10) is default.

I’ll explore running it as a service and see if I have better luck

Something is incorrect with the listed IIS setup for it as I switched to running as a service with the exact same repository of setting and OIDC worked on first connection. I’m going to proceed with the service route for the future. Thanks for the help