Azure AD B2C can't set a cookie across domains.

Minh Truong 5 Reputation points
2024-08-14T14:26:42.14+00:00

I have a custom domain set and verified in the Microsoft Entra ID.

I also have Azure Front Door Classic, which routes the request to my Azure B2C tenant.

i.e. accounts.contoso.com/tenant.onmicrosoft.us/.../authorize -> Azure Front Door Classic -> tenant.b2clogin.us/tenant.onmicrosoft.us/.../authorize -> this does succeed.

However, the Azure B2C authorize endpoint tries to set cookies in the response headers, but because it is not the same domain the cookies can't be set. Therefore, any subsequent requests to Azure B2C endpoints (/perftrace or /selfAsserted) fail with 400 Bad Request because there is no cookie.

I followed this https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-custom-policy but get a 400 error.

Is there any way we can tell /authorize to set domain=accounts.contoso.com in the cookies instead of the B2C tenant domain?

What is the resolution for this? Will upgrading the Azure Front Door tier to Standard help?

Thanks

1 answer
  1. ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator
    2024-08-15T00:20:25.26+00:00

    @Minh Truong

    Thank you for reaching out.

    I understand you are facing an issue due to an incorrect domain name in the authorization cookies.

    The broken-cookies issue caused by the use of a reverse proxy is documented here.

    Based on your setup here:

    1. The browser sends a request for accounts.contoso.com to the reverse proxy.
    2. The reverse proxy rewrites the host name to be contoso.backend.net in the request to the back-end web application (or to a similar default domain for another service).
    3. The application generates a cookie that uses a domain based on the incoming contoso.backend.net host name. The browser stores the cookie for this specific domain rather than the accounts.contoso.com domain that the user is actually using.
    4. The browser doesn't include the cookie on any subsequent request for accounts.contoso.com because the cookie's contoso.backend.net domain doesn't match the domain of the request.

    The resolution here, as you correctly identified, is to upgrade the Classic AFD to the Standard SKU. If you use Azure Front Door Standard or Premium, you can preserve the host name by leaving the origin host header blank in the origin definition. This way Azure Front Door will not rewrite the host name and will send it as accounts.contoso.com to the backend.

    Hope this helps! Please let me know if the issue was resolved or it still persists. Thank you!
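
The four steps in the answer above, replayed as an added example (this is not code from the question, the answer, Azure Front Door or Azure AD B2C). The script models a browser cookie jar that applies the RFC 6265 rule a real browser applies: a Set-Cookie whose Domain attribute does not cover the host the browser actually requested is discarded, so the net effect is the same as the answer describes, the cookie is absent on the next request. The Front Door origin is reduced to the two fields that matter here, hostName and originHostHeader, and an empty originHostHeader is taken to mean "forward the Host the browser sent", matching the answer's recommendation. The host names are the ones from the thread; the backend, the cookie name `sess` and the 400-on-missing-cookie behaviour are constructed stand-ins for the B2C endpoints, not their real implementation.

```javascript
// Added example: model of the reverse-proxy cookie-domain problem and of the
// Front Door "origin host header" setting that fixes it. Not Azure code.

// RFC 6265 section 5.1.3 domain matching: exact match or suffix on a label boundary.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Minimal browser cookie jar. store() applies section 5.3: a Domain attribute
// that does not domain-match the request host makes the browser ignore the
// cookie entirely. headerFor() applies section 5.4 to pick cookies for a request.
class CookieJar {
  constructor() { this.cookies = []; }

  store(requestHost, setCookie) {
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    const [name, value] = pair.split("=");
    let domain = null;
    for (const attr of attrs) {
      const [k, v] = attr.split("=");
      if (k.toLowerCase() === "domain") domain = v.replace(/^\./, "");
    }
    if (domain !== null && !domainMatches(requestHost, domain)) {
      return false; // rejected: Domain=tenant.b2clogin.us cannot be set by accounts.contoso.com
    }
    this.cookies.push({ name, value, domain: domain ?? requestHost, hostOnly: domain === null });
    return true;
  }

  headerFor(requestHost) {
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === requestHost : domainMatches(requestHost, c.domain)))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed stand-in for the identity backend (answer step 3): the cookie's
// Domain is built from whatever Host header arrives; follow-up endpoints need it.
function backend(host, path, cookieHeader) {
  if (path === "/authorize") {
    return { status: 200, setCookie: `sess=abc123; Domain=${host}; Path=/; Secure; HttpOnly` };
  }
  return { status: cookieHeader.includes("sess=") ? 200 : 400 };
}

// Front Door origin model (answer step 2). An empty originHostHeader forwards the
// browser's Host unchanged; a non-empty one rewrites it (assumption, mirroring the answer).
function frontDoor(origin, browserHost, path, cookieHeader) {
  const hostSentToOrigin = origin.originHostHeader || browserHost;
  return backend(hostSentToOrigin, path, cookieHeader);
}

// The two-request flow from the question: /authorize, then a follow-up call.
function runFlow(origin) {
  const browserHost = "accounts.contoso.com";
  const jar = new CookieJar();
  const first = frontDoor(origin, browserHost, "/authorize", "");
  const cookieStored = jar.store(browserHost, first.setCookie);
  const second = frontDoor(origin, browserHost, "/selfAsserted", jar.headerFor(browserHost));
  return { cookieStored, secondStatus: second.status };
}

// Classic behaviour as described: Host rewritten to the B2C default domain.
const rewrittenHost = { hostName: "tenant.b2clogin.us", originHostHeader: "tenant.b2clogin.us" };
// Standard/Premium with the origin host header left blank: Host preserved.
const preservedHost = { hostName: "tenant.b2clogin.us", originHostHeader: "" };

console.log("host rewritten:", runFlow(rewrittenHost)); // cookie rejected, follow-up 400
console.log("host preserved:", runFlow(preservedHost)); // cookie stored, follow-up 200
```

Run it with `node` and compare the two lines: with the host rewritten, the browser never stores the cookie because its Domain names a host the page was not loaded from, and the follow-up request comes back 400 exactly as in the question; with the host preserved, the Domain matches accounts.contoso.com and the follow-up succeeds.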

