microsoft-identity-web: [Bug]Azure AD Application Gateway redirect to /signin-oidc which return 404
Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.10.0
Where is the issue?
- Web app
Is this a new or an existing app?
c. This is a new app or an experiment.
Behavior: I am working on an ASP.NET Core 3.1 application which works fine on localhost and on our private network. But we want to make it available to some people outside our network, so we are using Azure Application Gateway for that.
We registered the app on the Application Gateway, but when the link is tried it gets redirected to [private-network-url]/signin-oidc, which returns a 404.
I expect that when we launch the Application Gateway address, it calls the correct appservice and which will do the authentication and take me to home page.
Possible solution: I read about a possible solution on StackOverflow. https://stackoverflow.com/questions/48399699/azure-ad-redirect-url-using-application-gateway
I tried it,
```csharp
var initialScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    // Registers the OIDC scheme directly; AddMicrosoftIdentityWebApp below registers it again.
    .AddOpenIdConnect(options =>
    {
        // Override the redirect_uri sent to Azure AD with the gateway's public address
        // (placeholder kept from the original post).
        Task RedirectToIdentityProvider(RedirectContext ctx)
        {
            ctx.ProtocolMessage.RedirectUri = "https://{AzureAppGatewayUrl}/signin-oidc";
            return Task.CompletedTask;
        }

        options.Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProvider = RedirectToIdentityProvider
        };
    })
    .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddDownstreamWebApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();
```
But getting the error below,
Not sure how I would do it with the Microsoft.Identity.Web library?
Is getting 404 an expected behaviour?
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 34
For those like me out there following this great thread that provides a lot of insights, I'd like to add something on top of it while working with App Gw WAF_v2 + Identity + App Services. I initially followed the idea provided from the docs, which consists of rewriting the Location response header, and then I found here a simpler solution from the rewrite rules perspective by using the X-Forwarded-Host request header. But no matter which approach is your preference, in both cases, if you're using WAF_v2, particularly with the OWASP rule-set, please be aware that you will still be facing Forbidden 403 responses, since the firewall is detecting a SQL injection malicious attack apparently from your Identity headers REQUEST_COOKIES:.AspNetCore.Cookies. Therefore, to get it fully working, it is still required to disable the 942440 rule based on what I am experiencing. This rule is part of OWASP 3.2 and lower versions as well, if I am not wrong. cc/ @Tratcher
Note CookiePolicyOptions is ineffective without the matching UseCookiePolicy middleware.
OpenIdConnectHandler stores temp state in cookies during the login and persists its results in cookies afterwards so the user remains logged in for future requests.
What’s written to the logs by this?
@jmprieur @Tratcher Thank you for your help. The application is working as designed now.
Where is UseForwardedHeaders in your Startup.Configure method? It should be near the top.
What's the current Host header before and after UseForwardedHeaders?
I seem to be encountering the same issue. Could you please suggest a way of setting redirect_uri based on the X-Forwarded-Host value?
App Gateway is listening on dev-ex.companyname.com. The site is hosted on companyname.azurewebsites.net on a Windows service.
The rewrite rule is setting X-Forwarded-Host.
HttpContext.Request.Headers are as follows:
- X-AppGW-Trace-Id: 24e1a4fc990a5bac6e6592676342d8f2
- X-ORIGINAL-HOST: dev-ex.companyname.com
- X-FORWARDED-PROTO: https
- X-FORWARDED-PORT: 443
- X-Forwarded-For: 0.0.0.0:0000 (this works)
- X-Original-URL: /healthcheck
- X-Forwarded-Host: dev-ex.companyname.com
B2C auth is configured for dev-ex.companyname.com/signin-oidc but redirect_uri being used is companyname.azurewebsites.net
Configuration in the Startup:
as well as
app.UseForwardedHeaders();
Thank you.
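The symptom in the last comment (X-Forwarded-Host is present, UseForwardedHeaders is called, but redirect_uri still carries the azurewebsites.net host) is what you get when the forwarded-headers middleware does not trust the sender: by default it only honours X-Forwarded-* from loopback proxies, and it only honours X-Forwarded-Host if that header is explicitly enabled. The following is an added example, not code from this issue or from Microsoft.Identity.Web, showing a complete Startup that trusts the gateway for the three headers, restricts the accepted forwarded host to the public name, and pins redirect_uri from the already-rewritten Request.Host so the Azure AD registration only needs dev-ex.companyname.com/signin-oidc. The public host name and the gateway subnet 10.0.0.0/24 are assumed values from the thread and from my own setup respectively; replace them with yours. The gateway must also route /signin-oidc to the backend, otherwise the callback still 404s.

```csharp
// Added example (not the poster's code and not Microsoft.Identity.Web's own code).
// Assumes ASP.NET Core 3.1 with Microsoft.Identity.Web 1.x, an Application Gateway
// rewrite rule that sets X-Forwarded-Host, a gateway subnet of 10.0.0.0/24 (assumed)
// and the public host name dev-ex.companyname.com (taken from the thread).
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Trust X-Forwarded-For/-Proto/-Host only when they come from the gateway.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // XForwardedHost is NOT in the default set; without it Request.Host keeps
            // the App Service host and redirect_uri is built from that.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Add the gateway instead of clearing KnownNetworks/KnownProxies: clearing
            // both lets any direct client spoof its IP, scheme and host.
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 24)); // assumed subnet

            // Only accept forwarded hosts you own; blocks host-header injection through
            // X-Forwarded-Host, which would otherwise end up in redirect_uri.
            options.AllowedHosts.Add("dev-ex.companyname.com");
        });

        // 2. Register the OIDC web app once, through Microsoft.Identity.Web.
        //    Do not also call AddOpenIdConnect for the same scheme.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(_configuration.GetSection("AzureAd"))
            .EnableTokenAcquisitionToCallDownstreamApi(
                _configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' '))
            .AddDownstreamWebApi("DownstreamApi", _configuration.GetSection("DownstreamApi"))
            .AddInMemoryTokenCaches();

        // 3. Post-configure the scheme's options so the library's own event handlers keep
        //    running; our handler is chained after them rather than replacing Events.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            var inner = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                if (inner != null)
                {
                    await inner(ctx);
                }

                // After UseForwardedHeaders (and only from a trusted proxy), Request.Scheme
                // and Request.Host already reflect X-Forwarded-Proto/-Host. Rebuilding
                // redirect_uri here pins it to that value and makes the intent explicit.
                var request = ctx.Request;
                ctx.ProtocolMessage.RedirectUri =
                    $"{request.Scheme}://{request.Host}{request.PathBase}{ctx.Options.CallbackPath}";
            };
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before anything that reads Host or Scheme: HSTS, HTTPS redirection,
        // authentication (and therefore the OIDC challenge above).
        app.UseForwardedHeaders();

        if (!env.IsDevelopment())
        {
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

With the gateway trusted this way, Request.Host is dev-ex.companyname.com for requests that arrive through it, so the handler's default redirect_uri is already correct and the explicit override in step 3 only guards against a later middleware or rewrite changing Host. Requests that bypass the gateway (for example a direct call to companyname.azurewebsites.net) keep their real Host, and a forwarded host outside AllowedHosts is rejected rather than used in the redirect.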