microsoft-identity-web: [Bug] Azure AD Application Gateway redirect to /signin-oidc which returns 404

Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.10.0

Where is the issue?

  • Web app

Is this a new or an existing app?

c. This is a new app or an experiment.

Current behavior

I am working on an ASP.NET Core 3.1 application which works fine on localhost and on our private network. But we want to make it available to some people outside our network, so we are using Azure Application Gateway for that.

We registered the app on the Application Gateway, but when the link is tried it gets redirected to [private-network-url]/signin-oidc, which returns a 404.

I expect that when we launch the Application Gateway address, it calls the correct app service, which will do the authentication and take me to the home page.

Possible solution

I read about a possible solution on StackOverflow: https://stackoverflow.com/questions/48399699/azure-ad-redirect-url-using-application-gateway

I tried it:

    // Startup.ConfigureServices (my attempt, following the StackOverflow answer)
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Identity.Web;

    var initialScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddOpenIdConnect(options =>
        {
            // Force the redirect_uri sent to Azure AD to the gateway's public host
            // instead of the private host the app sees on the incoming request.
            Task RedirectToIdentityProvider(RedirectContext ctx)
            {
                ctx.ProtocolMessage.RedirectUri = "https://{AzureAppGatewayUrl}/signin-oidc";
                return Task.CompletedTask;
            }

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = RedirectToIdentityProvider
            };
        })
        .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
        .AddDownstreamWebApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
        .AddInMemoryTokenCaches();

But I am getting the error shown in the attached screenshot.

Not sure how I would do it with the Microsoft.Identity.Web library.

Is getting 404 an expected behaviour?
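Added example, not code from this issue or from the Microsoft.Identity.Web project: the same redirect_uri override done on top of Microsoft.Identity.Web's own registration. AddMicrosoftIdentityWebApp registers the OpenID Connect scheme itself, so calling AddOpenIdConnect first for the same scheme name registers it twice; instead, the named OpenIdConnectOptions are configured after the library has run and the event handler the library already installed is chained rather than replaced. The configuration key AppGateway:PublicHost and the sample hostname are assumptions; whatever value is used must exactly match a reply URL registered on the app registration, because Azure AD rejects a redirect_uri that is not registered.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web).
// Assumes an appsettings entry "AppGateway:PublicHost" holding the public
// hostname the Application Gateway listens on, e.g. "dev-ex.companyname.com".
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public static class GatewayAuthSetup
{
    public static void AddGatewayAwareAuth(this IServiceCollection services, IConfiguration configuration)
    {
        var initialScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

        // Let Microsoft.Identity.Web register the cookie and OpenID Connect schemes
        // (reads the "AzureAd" section by default).
        services.AddMicrosoftIdentityWebAppAuthentication(configuration)
            .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddDownstreamWebApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
            .AddInMemoryTokenCaches();

        // Assumed config key: fail fast rather than silently fall back to the private host.
        var publicHost = configuration["AppGateway:PublicHost"];
        if (string.IsNullOrWhiteSpace(publicHost))
        {
            throw new InvalidOperationException("AppGateway:PublicHost must be set");
        }

        // Configure the options for the scheme Microsoft.Identity.Web registered.
        // IConfigureOptions run in registration order, so this runs after the library's own setup.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Keep the library's handler (it may add login_hint, claims challenges, etc.).
            var previousRedirect = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                if (previousRedirect != null)
                {
                    await previousRedirect(ctx);
                }
                // Use CallbackPath so a non-default callback path is still honoured.
                ctx.ProtocolMessage.RedirectUri = $"https://{publicHost}{options.CallbackPath}";
            };

            // Sign-out makes the same round trip; without this it lands on the private host too.
            var previousSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
            options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
            {
                if (previousSignOut != null)
                {
                    await previousSignOut(ctx);
                }
                ctx.ProtocolMessage.PostLogoutRedirectUri = $"https://{publicHost}{options.SignedOutCallbackPath}";
            };
        });
    }
}
```

Called from Startup.ConfigureServices as services.AddGatewayAwareAuth(Configuration). Pinning the host in configuration rather than taking it from the request means a client cannot steer redirect_uri by sending its own Host or X-Forwarded-Host header, at the cost of one extra setting per environment.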

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 34

Most upvoted comments

For those like me out there following this great thread, which provides a lot of insights, I'd like to add something on top of it while working with App Gw WAF_v2 + Identity + App Services.

I initially followed the idea from the docs, which consists of rewriting the Location response header, and then I found here a simpler solution from the rewrite-rules perspective by using the X-Forwarded-Host request header. But no matter which approach you prefer, in both cases, if you're using WAF_v2, particularly with the OWASP rule set, please be aware that you will still be facing Forbidden 403 responses, since the firewall is detecting a SQL injection attack, apparently from your identity headers (REQUEST_COOKIES:.AspNetCore.Cookies).

Therefore, to get it fully working, it is still required to disable rule 942440, based on what I am experiencing. This rule is part of OWASP 3.2 and lower versions as well, if I am not wrong.

cc/ @Tratcher

Note CookiePolicyOptions is ineffective without the matching UseCookiePolicy middleware.

OpenIdConnectHandler stores temp state in cookies during the login and persists its results in cookies afterwards so the user remains logged in for future requests.

What's written to the logs by this?

	// Inline diagnostic middleware; place it right after app.UseForwardedHeaders()
	// so the logged Scheme and Host header reflect the forwarded values.
	// `logger` is an ILogger, e.g. injected into Startup.Configure.
	app.Use(async (context, next) =>
	{
		logger.LogInformation("Request Method: {Method}", context.Request.Method);
		logger.LogInformation("Request Scheme: {Scheme}", context.Request.Scheme);
		logger.LogInformation("Request Path: {Path}", context.Request.Path);

		foreach (var header in context.Request.Headers)
		{
			logger.LogInformation("Header: {Key}: {Value}", header.Key, header.Value);
		}

		await next();
	});

@jmprieur @Tratcher Thank you for your help. The application is working as designed now.

Where is UseForwardedHeaders in your Startup.Configure method? It should be near the top.

What’s the current Host header before and after UseForwardedHeaders ?

I seem to be encountering the same issue. Could you please suggest a way of setting redirect_uri based on XForwardedHost value?

App Gateway is listening on dev-ex.companyname.com. The site is hosted on companyname.azurewebsites.net on a Windows service.

The rewrite rule is setting X-Forwarded-Host (shown in the attached screenshot).

HttpContext.Request.Headers are as follows:

  • X-AppGW-Trace-Id: 24e1a4fc990a5bac6e6592676342d8f2
  • X-ORIGINAL-HOST: dev-ex.companyname.com
  • X-FORWARDED-PROTO: https
  • X-FORWARDED-PORT: 443
  • X-Forwarded-For: 0.0.0.0:0000 (this works)
  • X-Original-URL: /healthcheck
  • X-Forwarded-Host: dev-ex.companyname.com

B2C auth is configured for dev-ex.companyname.com/signin-oidc, but the redirect_uri being used is companyname.azurewebsites.net.

Configuration in the Startup:

    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.All;
    });

as well as app.UseForwardedHeaders();

Thank you.
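Added example, not code from the issue or from the Microsoft.Identity.Web project: a ForwardedHeadersOptions setup that restores the public Host and scheme from the gateway's X-Forwarded-* headers only when they arrive from a trusted hop, so the OpenID Connect handler computes redirect_uri from dev-ex.companyname.com without any event override. The default options trust only loopback proxies, which is one reason a correctly set X-Forwarded-Host can still be ignored. The proxy address 10.0.1.4 is an assumption standing in for whatever address the app observes as the remote peer; if a platform front end sits between the gateway and the app, that hop's address goes into KnownProxies or KnownNetworks and ForwardLimit goes up by one. The hostname is the one from the comment above. Clearing KnownNetworks and KnownProxies entirely, a common shortcut, lets any client send X-Forwarded-Host and have the app build redirect_uri and absolute links from an attacker-chosen host.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web).
// Assumptions: the gateway reaches the app from 10.0.1.4, and the only public
// hostname the app should ever accept as a forwarded Host is dev-ex.companyname.com.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public static class ForwardedHeadersSetup
{
    public static void AddGatewayForwardedHeaders(this IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // XForwardedHost is what makes Request.Host (and therefore redirect_uri)
            // become the gateway's hostname; the header name defaults to X-Forwarded-Host,
            // matching the rewrite rule in the comment above.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Default trust is loopback only, so headers from the gateway are silently
            // ignored unless its address (assumed 10.0.1.4) is listed here.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.1.4"));

            // Exactly one trusted hop in front of the app; longer chains are not consumed.
            options.ForwardLimit = 1;

            // Only this forwarded Host is applied; any other value leaves Request.Host untouched,
            // which blocks host-header injection into redirect_uri even from a trusted proxy.
            options.AllowedHosts.Add("dev-ex.companyname.com");
        });
    }

    public static void UseGatewayPipeline(this IApplicationBuilder app)
    {
        // Must run before HTTPS redirection and authentication so those middlewares
        // see the public scheme and host rather than the private ones.
        app.UseForwardedHeaders();
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Wire it up with services.AddGatewayForwardedHeaders() in ConfigureServices and app.UseGatewayPipeline() in Configure. With this in place the diagnostic logging shown earlier in the thread should report Request.Scheme as https and the Host header as dev-ex.companyname.com for requests that came through the gateway, and the private hostname for anything that did not.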