[Bug] Redirect URI is set to http instead of https when deploying to Azure App Service for Docker container (Linux)


Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.0.0-preview

Where is the issue?

  • Web App
    • [x] Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (Validating tokens)
    • Protected web APIs (Validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In Memory caches
    • Session caches
    • Distributed caches

Other? Please describe: Probably valid for most cases.

Is this a new or existing app?

This is an experiment to test an app with Microsoft.Identity.Web deployed to Azure App Service for Docker Containers.

Repro

  1. Open example 1-2-AnyOrg
  2. Add Docker support in Visual Studio (create standard Dockerfile)
  3. Build image
  4. Publish to container registry
  5. Create a new App Service using the container image
  6. Add configuration
  7. Browse to the new web app, and you will be redirected to login.microsoftonline.com as expected, but with redirect_uri=http%3A%2F%2F<your app service name>.azurewebsites.net%2Fsignin-oidc instead of redirect_uri=https%3A%2F%2F<your app service name>.azurewebsites.net%2Fsignin-oidc.
  8. Manually changing the redirect URI to HTTPS will enable authentication and the app will work as expected.

Expected behavior

Expected to be redirected to the HTTPS page.

Actual behavior

Error AADSTS50011 is shown in the browser, as there is a mismatch between registered redirect URIs.

Possible Solution

Maybe there is a way to configure the App Service to avoid this issue? Or is there a way to configure Microsoft.Identity.Web to use HTTPS in the redirect URI?

Additional context / Logs / Screenshots

The application log shows the following: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]: Failed to determine the https port for redirect.

There is a hint here that SSL should not be enabled in the web app, but how is it possible to not have SSL enabled in the web app, but still have HTTPS in the redirect URI?
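The root cause of the symptom described above is that TLS is terminated by the App Service front end and the container only ever sees plain-HTTP requests, so `Request.Scheme` is `http` when ASP.NET Core builds the redirect_uri. The standard fix is to apply the `X-Forwarded-Proto` header the front end sends, using the forwarded-headers middleware, before the authentication pipeline runs. The following Startup class is an added example written for this page; it is not code from the issue, its comments or Microsoft.Identity.Web. It assumes an ASP.NET Core 3.1 MVC app (as in sample 1-2-AnyOrg), the `AddSignIn(Configuration)` call used in the repro, and that App Service is the only network path to the container; the behaviour of the App Service front end (single proxy hop, `X-Forwarded-Proto` set) is an assumption about the platform, not something the issue states.

```csharp
// Added example for this thread, not code from the issue or from Microsoft.Identity.Web.
// Assumes: ASP.NET Core 3.1, Linux container on Azure App Service, TLS terminated by the
// App Service front end, container listening on plain HTTP, front end setting
// X-Forwarded-Proto on every request it forwards (platform assumption).
// Applying X-Forwarded-Proto makes Request.Scheme "https", so the redirect_uri ASP.NET
// Core derives from the request becomes https://..., and HttpsRedirectionMiddleware no
// longer tries to redirect (the "Failed to determine the https port" log line above).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Take only the original scheme from the proxy. X-Forwarded-Host is deliberately
            // not honoured: the host part of redirect_uri should come from the request as the
            // front end delivers it, not from a header a client could add. Add
            // ForwardedHeaders.XForwardedFor here if the real client IP is needed for logging
            // (the middleware then requires both headers to carry the same number of entries).
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

            // Forwarded headers are ignored unless the sender is a known proxy, and by default
            // only loopback is known. App Service front-end addresses are not fixed, so the
            // usual practice is to clear both allow lists.
            // Caveat: this trusts whoever can reach the container. It is acceptable only
            // because App Service is the sole path to the container; on a host that clients
            // can reach directly, a spoofed X-Forwarded-Proto: https would make the app treat
            // a plaintext request as secure. In that case list the proxy addresses instead.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();

            // Process only the rightmost forwarded value (the one the front end appended);
            // any earlier entries a client sent are left in the header and not applied.
            options.ForwardLimit = 1;
        });

        services.AddSignIn(Configuration);   // Microsoft.Identity.Web, as in the repro
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before anything that reads Request.Scheme or Request.IsHttps: HTTPS
        // redirection, HSTS and the OpenID Connect handler that builds redirect_uri.
        app.UseForwardedHeaders();

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```

With this in place the app registration only needs the https redirect URI, the container keeps listening on HTTP, and the redirect_uri in the authorize request matches what the front end presented to the browser. If the log still shows an http redirect_uri after deployment, check (for example with a request-dumping endpoint) that the front end really sends `X-Forwarded-Proto` and that `UseForwardedHeaders()` runs before `UseAuthentication()`.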

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments:58 (1 by maintainers)

Top GitHub Comments

9 reactions
jmprieur commented, May 7, 2020

Spec

(updated on 07/05/2020)

Why?

In order to avoid customers having to update the redirect URI in the code when they deploy their web apps, the redirect URI is computed automatically by ASP.NET Core (as part of the auth code flow), and also by Microsoft.Identity.Web (in TokenAcquisition.BuildConfidentialClientApplicationAsync).

Note that this does not prevent developers from adding redirect URIs in the app registration portal, but it allows them to have the same code for debugging locally and for deployed applications if they wish to.

The MSAL.NET part is here:

https://github.com/AzureAD/microsoft-identity-web/blob/c2f81fd6b7be240046350124311835885051972f/src/Microsoft.Identity.Web/TokenAcquisition.cs#L334-L338

Although this solves many cases, there are cases (like working in containers, or with reverse proxies) where this is not flexible enough.

The OpenID Connect redirect URI is computed by ASP.NET Core, but can be overridden by subscribing to the OpenIdConnect OnRedirectToIdentityProvider event and setting the context.ProtocolMessage.RedirectUri property to the desired redirect URI.

Same problem for the post logout redirect URI used in global sign-out. It needs to be overridable, and that can be done by subscribing to the OnRedirectToIdentityProviderForSignOut OpenIdConnect event and setting the context.ProtocolMessage.PostLogoutRedirectUri property.

What?

Given the following config

  "CallbackPath": "/signin-oidc",
  "SignedOutCallbackPath": "/signout-callback-oidc",

The proposal is to add new properties in MicrosoftIdentityOptions to override the redirect URI and the post logout redirect URI:

  • Add RedirectUri in MicrosoftIdentityOptions
  • Add PostLogoutRedirectUri in MicrosoftIdentityOptions

Given the following config

//  "CallbackPath": "/signin-oidc",
//  "SignedOutCallbackPath": "/signout-callback-oidc",
  "RedirectUri": "http://mywebapp.mycompany.com/signin-oidc",
  "PostLogoutRedirectUri": "http://mywebapp.mycompany.com/signout-callback-oidc",

  • Use these properties in the AddSignIn method:

https://github.com/AzureAD/microsoft-identity-web/blob/27391236c35d037ebcd2e48f5c9a909b6c0e1bbc/src/Microsoft.Identity.Web/WebAppAuthenticationBuilderExtensions.cs#L62-L68

In the builder.AddOpenIdConnect(openIdConnectScheme, options => { ... }) block:

            var redirectToIdpHandler = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                // Call what Microsoft.Identity.Web is doing
                await redirectToIdpHandler(context);
                // Override the redirect URI to be what you want
                if (microsoftIdentityOptions.RedirectUri != null)
                {
                    context.ProtocolMessage.RedirectUri = microsoftIdentityOptions.RedirectUri;
                }
            };
            var redirectToIdpForSignOutHandler = options.Events.OnRedirectToIdentityProviderForSignOut;
            options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
            {
                // Call what Microsoft.Identity.Web is doing
                await redirectToIdpForSignOutHandler(context);
                // Override the post logout redirect URI to be what you want
                if (microsoftIdentityOptions.PostLogoutRedirectUri != null)
                {
                    context.ProtocolMessage.PostLogoutRedirectUri = microsoftIdentityOptions.PostLogoutRedirectUri;
                }
            };
        });

@jennyf19 @pmaytak @bgavrilMS @henrik-me : what do you think?

4 reactions
mochr commented, Apr 28, 2020

Thanks for the suggestion! I tested it and found that I needed to add the post logout URI to the OnRedirectToIdentityProviderForSignOut event. This solution works as expected with an added WebAppURI parameter in the configuration, but an integrated solution using absolute or relative CallbackPath/SignedOutCallbackPath would of course be preferable.

https://demoopenid.azurewebsites.net/ has been updated with the code below.

public void ConfigureServices(IServiceCollection services)
{
    services.AddSignIn(Configuration);
    services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,
        options => {
            var redirectToIdpHandler = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                // Call what Microsoft.Identity.Web is doing
                await redirectToIdpHandler(context);

                // Override the redirect URI to be what you want
                if(Configuration["AzureAd:WebAppURI"] != null)
                {
                    context.ProtocolMessage.RedirectUri = Configuration["AzureAd:WebAppURI"] + Configuration["AzureAd:CallbackPath"];
                }
            };

            var redirectToIdpForSignOutHandler = options.Events.OnRedirectToIdentityProviderForSignOut;
            options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
            {
                // Call what Microsoft.Identity.Web is doing
                await redirectToIdpForSignOutHandler(context);

                // Override the redirect URI to be what you want
                if (Configuration["AzureAd:WebAppURI"] != null)
                {
                    context.ProtocolMessage.PostLogoutRedirectUri = Configuration["AzureAd:WebAppURI"] + Configuration["AzureAd:SignedOutCallbackPath"];
                }
            };
        });

    // More code here ...
}
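The override approach in the comment above takes whatever string is in configuration and puts it straight into redirect_uri. A value that is accidentally `http://`, relative, or carries a query string will either reproduce the AADSTS50011 mismatch or, worse, register a callback over plaintext. The following is a hardened variant, added here as an example; it is not code from the thread or from Microsoft.Identity.Web. It reuses the configuration keys from the comment above (`AzureAd:WebAppURI`, `AzureAd:CallbackPath`, `AzureAd:SignedOutCallbackPath`); the class name `OidcRedirectUriHardening`, the extension method `AddFixedOidcRedirectUris` and the validation rules are this example's own choices, and the app fails at startup rather than at first sign-in when the configured base is not an absolute https URI.

```csharp
// Added example, not the thread's code or Microsoft.Identity.Web's.
// Configuration keys follow the comment above; class and method names are hypothetical.
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class OidcRedirectUriHardening
{
    // Builds the absolute callback URI from the public base and a relative callback path,
    // rejecting anything that is not an absolute https URI without query or fragment.
    // Throws so that a misconfigured deployment fails at startup, not at first sign-in.
    public static string BuildCallbackUri(string publicBaseUri, string callbackPath)
    {
        if (!Uri.TryCreate(publicBaseUri, UriKind.Absolute, out var baseUri))
            throw new InvalidOperationException(
                $"AzureAd:WebAppURI must be an absolute URI, got '{publicBaseUri}'.");

        if (baseUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException(
                $"AzureAd:WebAppURI must use https, got scheme '{baseUri.Scheme}'.");

        // A query or fragment on the base would be copied into redirect_uri verbatim.
        if (!string.IsNullOrEmpty(baseUri.Query) || !string.IsNullOrEmpty(baseUri.Fragment))
            throw new InvalidOperationException(
                "AzureAd:WebAppURI must not contain a query string or fragment.");

        if (string.IsNullOrEmpty(callbackPath) || !callbackPath.StartsWith("/"))
            throw new InvalidOperationException(
                $"Callback path must be a relative path starting with '/', got '{callbackPath}'.");

        // Absolute path replaces any path on the base, matching how CallbackPath is
        // interpreted when the app runs without a PathBase.
        return new Uri(baseUri, callbackPath).AbsoluteUri;
    }

    // Call after services.AddSignIn(Configuration). When AzureAd:WebAppURI is absent the
    // values computed by ASP.NET Core are left untouched, so local debugging still works.
    public static IServiceCollection AddFixedOidcRedirectUris(
        this IServiceCollection services, IConfiguration configuration)
    {
        var publicBase = configuration["AzureAd:WebAppURI"];
        if (string.IsNullOrEmpty(publicBase))
            return services;

        // Validated once here; the event handlers below only copy the results.
        var redirectUri = BuildCallbackUri(
            publicBase, configuration["AzureAd:CallbackPath"] ?? "/signin-oidc");
        var postLogoutUri = BuildCallbackUri(
            publicBase, configuration["AzureAd:SignedOutCallbackPath"] ?? "/signout-callback-oidc");

        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            var previousRedirect = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                await previousRedirect(context);          // keep Microsoft.Identity.Web's work
                context.ProtocolMessage.RedirectUri = redirectUri;
            };

            var previousSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
            options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
            {
                await previousSignOut(context);
                context.ProtocolMessage.PostLogoutRedirectUri = postLogoutUri;
            };
        });

        return services;
    }
}
```

Usage is `services.AddSignIn(Configuration); services.AddFixedOidcRedirectUris(Configuration);` in ConfigureServices, with `"WebAppURI": "https://<your app service name>.azurewebsites.net"` in the AzureAd section. The two URIs this produces must still be registered on the app registration; the validation only guarantees that what the app sends is well-formed and https, not that Azure AD knows about it.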