[Bug] Redirect URI is set to http instead of https when deploying to Azure App Service for Docker container (Linux)
Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.0.0-preview
Where is the issue?
- Web App
- [x] Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (Validating tokens)
- Protected web APIs (Validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In Memory caches
- Session caches
- Distributed caches
Other? - please describe: Probably valid for most cases.
Is this a new or existing app?
This is an experiment to test an app with Microsoft.Identity.Web deployed to Azure App Service for Docker Containers.
Repro
- Open example 1-2-AnyOrg
- Add Docker support in Visual Studio (create standard Dockerfile)
- Build image
- Publish to container registry
- Create a new App Service using the container image
- Add configuration
- Browse the new web app. You will be redirected to login.microsoftonline.com as expected, but with
  redirect_uri=http%3A%2F%2F<your app service name>.azurewebsites.net%2Fsignin-oidc
  instead of
  redirect_uri=https%3A%2F%2F<your app service name>.azurewebsites.net%2Fsignin-oidc
- Manually changing the redirect URI to HTTPS will enable authentication and the app will work as expected.
Expected behavior
Expected to be redirected to the HTTPS page.
Actual behavior
Error AADSTS50011 is shown in the browser, as there is a mismatch between registered redirect URIs.
Possible Solution
Maybe there is a way to configure the App Service to avoid this issue? Or is there a way to configure Microsoft.Identity.Web to use HTTPS in the redirect URI?
Additional context/ Logs / Screenshots
The application log shows the following:
Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]: Failed to determine the https port for redirect.
There is a hint here that SSL should not be enabled in the web app, but how is it possible to not have SSL enabled in the web app, but still have HTTPS in the redirect URI?
Issue Analytics
- Created 3 years ago
- Comments: 58 (1 by maintainers)
Top GitHub Comments
Spec
(updated on 07/05/2020)
Why?
In order to avoid customers having to update the redirect URI in the code when they deploy their web apps, the redirect URI is computed automatically by ASP.NET Core (part of the auth code flow), and also by Microsoft.Identity.Web (in TokenAcquisition.BuildConfidentialClientApplicationAsync). Note that this does not prevent developers from adding redirect URIs in the app registration portal, but it allows them to have the same code for debugging locally and for deployed applications if they wish to.
The MSAL.NET part is here:
https://github.com/AzureAD/microsoft-identity-web/blob/c2f81fd6b7be240046350124311835885051972f/src/Microsoft.Identity.Web/TokenAcquisition.cs#L334-L338
Although this solves many cases, there are cases (like working in containers, or with reverse proxies) where this is not flexible enough.
The OpenIdConnect redirect URI is computed by ASP.NET Core, but can be overridden by subscribing to the OpenIdConnect OnRedirectToIdentityProvider event and setting the context.ProtocolMessage.RedirectUri property to the desired redirect URI. Same problem for the post logout redirect URI used in global sign-out. It needs to be overridable, and that can be done by subscribing to the OnRedirectToIdentityProviderForSignOut OpenIdConnect event and setting the context.ProtocolMessage.PostLogoutRedirectUri property.
What?
The proposal is to add new properties in MicrosoftIdentityOptions to override the redirect URI and the post logout redirect URI:
- RedirectUri in MicrosoftIdentityOptions
- PostLogoutRedirectUri in MicrosoftIdentityOptions
Given the following config
https://github.com/AzureAD/microsoft-identity-web/blob/27391236c35d037ebcd2e48f5c9a909b6c0e1bbc/src/Microsoft.Identity.Web/WebAppAuthenticationBuilderExtensions.cs#L62-L68
In the builder.AddOpenIdConnect(openIdConnectScheme, options => { block:
@jennyf19 @pmaytak @bgavrilMS @henrik-me: what do you think?
Thanks for the suggestion! I tested it and found that I needed to add the post logout URI to the OnRedirectToIdentityProviderForSignOut event. This solution works as expected with an added WebAppURI parameter in the configuration, but an integrated solution using absolute or relative CallbackPath/SignedOutCallbackPath would of course be preferable. https://demoopenid.azurewebsites.net/ has been updated with the code below.
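The following is an added example of the workaround described in the spec comment and confirmed in the follow-up above: subscribing to the OnRedirectToIdentityProvider and OnRedirectToIdentityProviderForSignOut events and rewriting context.ProtocolMessage.RedirectUri and context.ProtocolMessage.PostLogoutRedirectUri so that they carry the public https origin of the deployed app. It is not code from the issue, from the demo site, or from Microsoft.Identity.Web. It assumes a configuration key AzureAd:WebAppUri (a hypothetical name, standing in for the WebAppURI parameter mentioned above) that holds the app's public origin, and a Microsoft.Identity.Web 1.x registration call in Startup.

```csharp
// Added example: not code from the issue, the demo site, or Microsoft.Identity.Web.
// Assumes a configuration value "AzureAd:WebAppUri" (hypothetical key) holding the
// public https origin of the app, e.g. https://<your app service name>.azurewebsites.net
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class PublicUri
{
    // Replaces the scheme, host and port of a URI that ASP.NET Core built from the
    // request it saw behind the proxy (http://...) with those of the configured
    // public origin, keeping the path (/signin-oidc, /signout-callback-oidc).
    // The origin comes from configuration, not from the incoming Host header, so a
    // client cannot influence where the identity provider sends the browser back.
    public static string Rebase(string computedUri, string publicOrigin)
    {
        if (string.IsNullOrWhiteSpace(publicOrigin) || string.IsNullOrWhiteSpace(computedUri))
            return computedUri;

        var origin = new Uri(publicOrigin, UriKind.Absolute);
        var computed = Uri.TryCreate(computedUri, UriKind.Absolute, out var absolute)
            ? absolute
            : new Uri(origin, computedUri); // relative path: resolve against the origin

        var builder = new UriBuilder(computed)
        {
            Scheme = origin.Scheme,
            Host = origin.Host,
            Port = origin.IsDefaultPort ? -1 : origin.Port, // -1 omits the port
        };
        return builder.Uri.AbsoluteUri;
    }
}

public static class RedirectUriOverride
{
    // Hooks the two OpenIdConnect events named in the spec comment.
    public static IServiceCollection AddPublicRedirectUris(
        this IServiceCollection services, IConfiguration configuration)
    {
        string publicOrigin = configuration["AzureAd:WebAppUri"]; // hypothetical key

        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Chain, rather than replace, any handler Microsoft.Identity.Web registered.
            Func<RedirectContext, Task> onRedirect = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                await onRedirect(context);
                context.ProtocolMessage.RedirectUri =
                    PublicUri.Rebase(context.ProtocolMessage.RedirectUri, publicOrigin);
            };

            Func<RedirectContext, Task> onSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
            options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
            {
                await onSignOut(context);
                context.ProtocolMessage.PostLogoutRedirectUri =
                    PublicUri.Rebase(context.ProtocolMessage.PostLogoutRedirectUri, publicOrigin);
            };
        });

        return services;
    }
}

// Startup.ConfigureServices usage (Microsoft.Identity.Web 1.x registration call):
//   services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAd");
//   services.AddPublicRedirectUris(Configuration);
```

With AzureAd:WebAppUri set to https://<your app service name>.azurewebsites.net, the authorize request carries redirect_uri=https%3A%2F%2F<your app service name>.azurewebsites.net%2Fsignin-oidc and the sign-out request the matching https post_logout_redirect_uri, so both values match what is registered in the portal. The same https values must still be registered on the app registration; the override only changes what the app sends. Where the proxy forwards the original scheme in X-Forwarded-Proto (Azure App Service does), the standard ASP.NET Core alternative is to enable the ForwardedHeaders middleware (app.UseForwardedHeaders with ForwardedHeaders.XForwardedProto, placed before authentication), which makes the framework compute https URIs itself and also stops HttpsRedirectionMiddleware from treating requests that were https at the proxy as plain http.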