Blazor unable to reach login.microsoftonline.com due to network setup

I have a Blazor .NET 8 server-side app working correctly on an unsecured machine, and am trying to move it to a machine that has no direct outbound internet access; only via web proxy. The app uses OpenIdConnect and users should log in using Microsoft Entra ID.

When a user tries to log in, the server console logs the following errors (I have obscured my Tenant ID from the URL):

  • Message: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxx/v2.0/.well-known/openid-configuration'. Will retry at '21/03/2024 3:22:28 am +00:00'. Exception: 'System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
  • ---> System.Net.Http.HttpRequestException: No such host is known. (login.microsoftonline.com:443)
  • ---> System.Net.Sockets.SocketException (11001): No such host is known.

However, if I paste the exact same URL into MS Edge running on the same machine as is hosting the Blazor app, it retrieves the document successfully. The browser uses the proxy configuration from System > Proxy Settings, but Kestrel doesn't seem to use this.

The relevant code from Program.cs is:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();

and in appsettings.json under "AzureAD", it has "Instance": "https://login.microsoftonline.com/", and then the other AzureAD parameters.

Is it possible to either:

  • Tell Kestrel to use the system proxy settings to retrieve this configuration document, or
  • Make some change to the app source so that it does not need to do this step at all? (E.g. can I save the document locally and read it)
M.M asked Oct 21 '25 11:10
1 Answer

I think you could do something like this to use the proxy:

// Step 1: Create a custom HttpClient factory (its own file, e.g. ProxyHttpClientFactory.cs)
using System.Net;
using System.Net.Http;
using Microsoft.Identity.Client; // IMsalHttpClientFactory lives here

public class ProxyHttpClientFactory : IMsalHttpClientFactory
{
    // One HttpClient shared for the life of the process so connections are reused.
    private static readonly HttpClient s_httpClient;

    static ProxyHttpClientFactory()
    {
        // Replace the address and credentials with your proxy's values.
        var webProxy = new WebProxy(
            new Uri("http://my.proxy"),
            BypassOnLocal: false);

        webProxy.Credentials = new NetworkCredential("user", "pass");

        // Force every request through the proxy instead of going direct.
        var proxyHttpClientHandler = new HttpClientHandler
        {
            Proxy = webProxy,
            UseProxy = true,
        };

        s_httpClient = new HttpClient(proxyHttpClientHandler);
    }

    public HttpClient GetHttpClient()
    {
        return s_httpClient;
    }
}

// Step 2: Register the custom HttpClient factory in Program.cs
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Register the custom HttpClient factory
builder.Services.AddSingleton<IMsalHttpClientFactory, ProxyHttpClientFactory>();

// The controllers, Razor Pages and Blazor hub mapped below need their services registered.
builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();
builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

// Other configurations...

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();


This site might also have more useful information.

I hope this helps!

LiteApplication answered Oct 25 '25 03:10
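The IDX20803/IDX20804 errors in the question are raised while the OpenID Connect handler downloads the discovery document (and, through it, the jwks_uri signing keys) with its own back-channel HttpClient, which does not consult the browser's System > Proxy Settings. The following is an added example, not code from the question or the answer above: it post-configures the scheme that AddMicrosoftIdentityWebApp registers so that this back-channel goes through an explicit proxy, with the proxy address and credentials read from a hypothetical "Proxy" section of appsettings.json rather than hard-coded.

```csharp
// Added example: route the OpenID Connect back-channel through a web proxy.
// Assumes a "Proxy" configuration section with "Address", "User" and
// "Password" keys (hypothetical names, not part of the original post).
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Runs after Microsoft.Identity.Web's own configuration of the same named
// options, so it can set the back-channel handler used for the metadata,
// JWKS and token-endpoint requests.
builder.Services.Configure<OpenIdConnectOptions>(
    OpenIdConnectDefaults.AuthenticationScheme,
    options =>
    {
        var proxySection = builder.Configuration.GetSection("Proxy");
        var address = proxySection["Address"]
            ?? throw new InvalidOperationException("Proxy:Address is not configured.");

        var proxy = new WebProxy(new Uri(address), BypassOnLocal: false);

        // Keep proxy credentials out of source control: read them from
        // user secrets, environment variables or a vault via configuration.
        var user = proxySection["User"];
        if (!string.IsNullOrEmpty(user))
        {
            proxy.Credentials = new NetworkCredential(user, proxySection["Password"]);
        }

        options.BackchannelHttpHandler = new HttpClientHandler
        {
            Proxy = proxy,
            UseProxy = true,
        };

        // Fail fast with a clear IDX20803 retry message if the proxy path is
        // broken, rather than waiting for the default 60 second timeout.
        options.BackchannelTimeout = TimeSpan.FromSeconds(30);
    });

var app = builder.Build();
// ... remaining pipeline as in the answer above ...
app.Run();
```

Scoping the proxy to the handler's back-channel keeps the rest of the application's outbound traffic unchanged, and the same WebProxy instance can be reused for the MSAL IMsalHttpClientFactory shown in the answer.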