Description
Using ASP.NET 6 Web API, we're not able to authenticate using ServiceClient (v0.5.17) to an on-premise instance (v8.2) configured with IFD using ADFS 2016. The SDK is unsuccessful in retrieving the authority in a bearer challenge. It is sending a request to the organization's discovery endpoint /XRMServices/2011/Discovery.svc, which is resulting in a 200 instead of a 401, and therefore does not include a WWW-Authenticate header. It would appear the discovery endpoint is anonymously accessible, which I believe is set by default in a standard on-premise installation? Below is the error we're seeing when instantiating the ServiceClient:
ERROR REQUESTING Token FROM THE Authentication context\r\nERROR REQUESTING Token FROM THE Authentication contextNeed a non-empty authority (Parameter 'Authority')Unable to login to Dataverse, Error was : Need a non-empty authority (Parameter 'Authority')\r\nUnable to Login to Dataverse\r\nUnable to Login to DataverseOrganizationWebProxyClientAsync is null\r\nOrganizationWebProxyClientAsync is nullOrganizationWebProxyClientAsync is null\r\nOrganizationWebProxyClientAsync is null
Using Fiddler, we can send an unauthenticated request to /api/data/v8.2/WhoAmI and successfully get back the Bearer challenge header with the correct resource and authorization URLs, as shown below.

WWW-Authenticate: Bearer authorization_uri=https://{adfs2016Url}/adfs/oauth2/authorize, resource_id=https://{orgIFDurl}/
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

We are then able to retrieve an access token and successfully make an authorized WhoAmI request to get data back, which indicates CRM and ADFS are configured correctly for OAuth2.
We've also tried on ASP.NET Core 3.1 with the same result. We first tried using the ServiceClient v0.5.10 with no success, then tried v0.5.17 when it was published, but again got the same result.
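
The authority discovery described in this report, as an added example that is not part of the original issue and is not the ServiceClient's own code: it parses a Bearer challenge and shows why a 200 from the discovery endpoint yields no authority, while the Web API endpoint does. The host names, the 401 status on WhoAmI, and the function names are assumptions made for the illustration; the responses are constructed, not captured traffic.

```python
import re

# Constructed probe results: (path, HTTP status, WWW-Authenticate header values).
# Hosts are placeholders standing in for {adfs2016Url} and {orgIFDurl}.
SAMPLE_RESPONSES = [
    ("/XRMServices/2011/Discovery.svc", 200, []),  # anonymous: no challenge
    ("/api/data/v8.2/WhoAmI", 401, [
        "Bearer authorization_uri=https://adfs.example.test/adfs/oauth2/authorize, "
        "resource_id=https://org.example.test/",
        "NTLM",
        "Negotiate",
    ]),
]

# key=value pairs, value either quoted or running up to the next comma/space
_PARAM = re.compile(r'([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_bearer_challenge(header_values):
    """Return the parameters of the first Bearer challenge, or None."""
    for value in header_values:
        scheme, _, rest = value.strip().partition(" ")
        if scheme.lower() != "bearer":
            continue  # skip NTLM / Negotiate challenges
        params = {}
        for m in _PARAM.finditer(rest):
            quoted, bare = m.group(2), m.group(3)
            params[m.group(1).lower()] = quoted if quoted is not None else bare
        return params
    return None


def find_authority(responses):
    """Return (path, authority, resource) from the first usable challenge."""
    for path, status, headers in responses:
        if status != 401:
            continue  # a 200 carries no WWW-Authenticate header to read
        params = parse_bearer_challenge(headers)
        if params and params.get("authorization_uri"):
            return path, params["authorization_uri"], params.get("resource_id")
    return None  # the "Need a non-empty authority" situation


if __name__ == "__main__":
    print("discovery only:", find_authority(SAMPLE_RESPONSES[:1]))
    print("with Web API  :", find_authority(SAMPLE_RESPONSES))
```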