[Bug] Unable to authenticate using Azure front door and AAD
Which version of Microsoft Identity Web are you using? Microsoft.Identity.Web 1.8.1
Where is the issue?
- [ ] Web app
- [x] Sign-in users
- [ ] Sign-in users and call web APIs
- [ ] Web API
- [ ] Protected web APIs (validating tokens)
- [ ] Protected web APIs (validating scopes)
- [ ] Protected web APIs call downstream web APIs
- [ ] Token cache serialization
- [ ] In-memory caches
- [ ] Session caches
- [ ] Distributed caches
- [ ] Other (please describe)
Is this a new or an existing app? This is a new app that requires authentication + Azure Front Door.
Repro I’m trying to simply place my authenticated web app behind Azure Front door.
I have an Azure front door with a single front end host. This maps to a single web app on the back end right now. The back end is configured as follows:
The rules are configured as follows:
```csharp
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
```

```json
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "<removed>",
  "ClientId": "<removed>",
  "TenantId": "organizations",
  "CallbackPath": "/signin-oidc"
}
```
Expected behavior When the user hits the frontdoor endpoint their request is forwarded to origin to login. The logged in user is never redirected away from the front door end point and only ever sees the front door endpoint.
Actual behavior When the user hits the frontdoor endpoint they’re redirected to the login page. Once logged in via the login ui, they are redirected back to the app service endpoint and not the front door endpoint.
Possible solution
I did find a similar bug (https://github.com/AzureAD/microsoft-identity-web/issues/115), and conceptually I think a similar issue is happening, but I did not have success with implementing this. Furthermore, I am looking for guidance in general. Essentially, I think the CDN makes a request to origin and origin only knows to reply with its own hostname, so when we hit the login page, origin has already said "redirect to origin". How can I reliably make this redirect back to the front door?
Additional context / logs / screenshots Add any other context about the problem here, such as logs and screenshots.
Ahh, that was it. I did have x-forwarded-for headers as well. Opting for just XForwardedHost + XForwardedProto did the trick without requiring me to override anything. Thanks!
Do your requests have x-forwarded-for headers? A lot of the processing is tied to those. You can try disabling that with: `options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;`
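A fuller form of the forwarded-headers configuration discussed in the comments, added here as an example; it is not code from the issue or from the Microsoft.Identity.Web project. The middleware ordering, the `KnownNetworks`/`KnownProxies` handling and the Front Door hostname `myapp.azurefd.net` are assumptions about a typical ASP.NET Core app behind Front Door.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Same registration as in the issue report.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Host and Proto are what the OIDC handler needs to build the
            // redirect_uri as https://<front door host>/signin-oidc. As the
            // comment above found, X-Forwarded-For is not needed for that.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedHost
                                     | ForwardedHeaders.XForwardedProto;

            // By default only loopback proxies are trusted, and Front Door is not
            // on loopback. Clearing the lists trusts the headers from any caller,
            // so the origin must be reachable only through Front Door (assumption:
            // enforced with App Service access restrictions); otherwise a direct
            // client could spoof the forwarded host and scheme.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();

            // Hardening: accept only the Front Door hostname as a forwarded host,
            // so a spoofed X-Forwarded-Host cannot steer the login redirect elsewhere.
            options.AllowedHosts.Add("myapp.azurefd.net"); // placeholder hostname
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication so the OIDC handler sees the forwarded values.
        app.UseForwardedHeaders();
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```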