Azure Application Proxy token based access

Myroslav Budzanivskyi 1 Reputation point
2020-11-11T13:18:23.13+00:00

I implemented a test Windows application based on the official manual: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application

The following code is the result:

    // C# 9 top-level statements; wrap in an async method for older project styles.
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.Identity.Client;

    // Placeholders from the app registrations and the App Proxy configuration.
    const string nativeAppClientId = "<Native App Client Id>";
    const string tenantId = "<My Tenant ID>";
    const string appProxyAppIdUri = "api://<APP Proxy Uri>";        // identifier URI of the App Proxy application
    const string appProxyExternalUrl = "https://<App Proxy based URL>"; // external URL of the App Proxy application

    IPublicClientApplication clientApp = PublicClientApplicationBuilder
        .Create(nativeAppClientId)
        .WithRedirectUri("http://localhost")
        .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
        .Build();

    AuthenticationResult authResult = null;
    var accounts = await clientApp.GetAccountsAsync();
    IAccount account = accounts.FirstOrDefault();

    // The token is requested for the App Proxy application (the resource), not for the native app itself.
    IEnumerable<string> scopes = new[] { $"{appProxyAppIdUri}/user_impersonation" };

    try
    {
        // Use the cached token when one exists for this account.
        authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
    }
    catch (MsalUiRequiredException)
    {
        // No usable cached token: prompt the user in the system browser.
        authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
    }

    if (authResult != null)
    {
        // HttpClient follows 302 responses automatically; set HttpClientHandler.AllowAutoRedirect = false
        // to see the proxy's own redirect response instead of the login page it points to.
        using HttpClient httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        HttpResponseMessage response = await httpClient.GetAsync(appProxyExternalUrl + "/api/values");
        Console.WriteLine($"{(int)response.StatusCode} {response.RequestMessage?.RequestUri}");
    }

Everything works fine until the HTTP request with the token; it is being redirected to login.microsoft.com: https://i.stack.imgur.com/GUe7l.png

Redirect URI to login.microsoft.com: {https://login.microsoftonline.com/9966XXXXXXXXXXXXXXXXXXXXXXXX/oauth2/authorize?response_type=code&client_id=XXXXXXXXXXXX&scope=openid&nonce=983XXXXXXXXXXXXXX&redirect_uri=https:%2f%2fXXXXXXX.msappproxy.net%2f&state=AppProxyState:{"InvalidTokenRetry":true%2c"IsMsofba":false%2c"OriginalRawUrl":"https:%5c%2f%5c%2fXXXXXXXXXXXXXXX.msappproxy.net%5c%2fapi%5c%2fvalues"%2c"RequestProfileId":"XXXXXXXXX"}%23EndOfStateParam%23&client-request-id=XXXXXXXX}

Any ideas what's wrong? Browser access works just fine, and the JWT token is fully valid and is being passed correctly.

This happens for me from Windows (C#, MSAL.NET), iOS (MSAL for iOS) and Android (ADAL for Android).


1 answer

  1. Sweha 6 Reputation points
    2021-02-25T04:50:23.827+00:00

    I have a similar situation for a browser based application. This is what is captured through fiddler.

    HTTP/1.1 302 Found
    Content-Length: 0
    Location: https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXX-XXXX/oauth2/authorize?response_type=code&client_id=XXXX-XXXXX-XXXX-XXXX-XXXX&scope=openid&nonce=XXXX-XXXXX-XXXX-XXXX-XXXX&redirect_uri=https%3a%2f%2fmysitethroughazureappproxy.com%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3anull%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fmysitethroughazureappproxy.com%5c%2farcgis%5c%2frest%5c%2fservices%5c%2fmyache%5c%2fMapServer%3ff%3djson%22%2c%22RequestProfileId%22%3anull%7d%23EndOfStateParam%23&client-request-id=XXXXXXX-XXXXX-XXXX-XXX
    x-ms-proxy-app-id: XXXXXXX-XXXXX-XXXX-XXX
    x-ms-proxy-group-id: XXXXXXX-XXXXX-XXXX-XXX
    x-ms-proxy-subscription-id: XXXXXXX-XXXXX-XXXX-XXX
    x-ms-proxy-transaction-id: XXXXXXX-XXXXX-XXXX-XXX
    x-ms-proxy-service-name: proxy-appproxy-YYY-XXXXXX-7
    x-ms-proxy-data-center: YYY
    Nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.001,"failure_fraction":1.0}
    Report-To: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://zzz.nnnnreports.xxx/api/report?ggg=proxy-appproxy-YYY-xxxxxxx-7"}]}
    I have two App Proxy applications, application A and application B. Both are configured with Azure AD SSO pre-authentication.
    Application A requests some REST services from application B.
    The user loads application A through the Azure external URL and only has issues when it requests services on application B.

    If I manually paste the URL above into another browser session, I get authenticated and receive the JSON response back.
    Then, if I switch back to the browser session for application A and refresh it, application A now works as normal with data from application B.
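An added example (not from the answer above or from Microsoft) showing how to pull the useful fields out of the proxy's 302 before chasing the redirect: the `state` parameter in the `Location` header is `AppProxyState:` followed by a JSON document and `#EndOfStateParam#`, and it carries the `OriginalRawUrl` the proxy was asked for and the `InvalidTokenRetry` flag, while the `x-ms-proxy-*` headers identify the proxy application and transaction for support cases. The raw response below is constructed from the Fiddler capture in the answer, with the IDs left as placeholders; the function is mine, not part of any Microsoft SDK.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the 302 from the capture above, with placeholder IDs, as raw HTTP text.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Length: 0\r\n"
    "Location: https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXX-XXXX/oauth2/authorize"
    "?response_type=code&client_id=XXXX-XXXXX-XXXX-XXXX-XXXX&scope=openid&nonce=XXXX-XXXXX-XXXX-XXXX-XXXX"
    "&redirect_uri=https%3a%2f%2fmysitethroughazureappproxy.com%2f"
    "&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3anull%2c%22IsMsofba%22%3afalse%2c"
    "%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fmysitethroughazureappproxy.com%5c%2farcgis"
    "%5c%2frest%5c%2fservices%5c%2fmyache%5c%2fMapServer%3ff%3djson%22%2c%22RequestProfileId%22%3anull%7d"
    "%23EndOfStateParam%23&client-request-id=XXXXXXX-XXXXX-XXXX-XXX\r\n"
    "x-ms-proxy-app-id: XXXXXXX-XXXXX-XXXX-XXX\r\n"
    "x-ms-proxy-transaction-id: XXXXXXX-XXXXX-XXXX-XXX\r\n"
    "x-ms-proxy-service-name: proxy-appproxy-YYY-XXXXXX-7\r\n"
    "\r\n"
)

STATE_PREFIX = "AppProxyState:"
STATE_SUFFIX = "#EndOfStateParam#"


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_app_proxy_redirect(raw: str):
    """Return the interesting parts of an App Proxy pre-auth redirect, or None if it is not one."""
    status, headers = parse_response(raw)
    if status != 302 or "location" not in headers:
        return None

    location = urlsplit(headers["location"])
    query = parse_qs(location.query)          # percent-decodes each value
    state = query.get("state", [""])[0]
    if not (state.startswith(STATE_PREFIX) and state.endswith(STATE_SUFFIX)):
        return None                           # a redirect, but not the App Proxy state format

    app_proxy_state = json.loads(state[len(STATE_PREFIX):-len(STATE_SUFFIX)])
    return {
        "login_host": location.netloc,
        "tenant": location.path.split("/")[1],
        "scope": query.get("scope", [""])[0],
        "redirect_uri": query.get("redirect_uri", [""])[0],
        "proxy_app_id": headers.get("x-ms-proxy-app-id"),
        "transaction_id": headers.get("x-ms-proxy-transaction-id"),
        "invalid_token_retry": app_proxy_state.get("InvalidTokenRetry"),
        "is_msofba": app_proxy_state.get("IsMsofba"),
        "original_url": app_proxy_state.get("OriginalRawUrl"),
    }


if __name__ == "__main__":
    print(json.dumps(parse_app_proxy_redirect(SAMPLE_RESPONSE), indent=2))
```

Feed it the raw 302 from Fiddler (or from an HttpClient with auto-redirect disabled) and you get the exact URL the proxy tried to serve and the transaction ID to quote when escalating; in the questioner's capture the same state has `InvalidTokenRetry` set to `true`, which this function surfaces as well.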

