Issues with OpenIdConnect and MS Identity Web behind a proxy server

Paul Chamberlain 0 Reputation points
2023-07-12T19:58:17.7933333+00:00

I have the following code for running my Razor page web app with AzureAD authentication with OpenIdConnect using (I think) the latest and greatest with .NET6. When deployed, my application is put behind a proxy server which causes the login path to redirect to the internal azurewebsites.net/signin-oidc instead of my public application URL. Locally this all works fine, but because the production server sits behind the proxy server in Azure, once I get through the Azure login successfully, I think the inner workings of OpenIDConnect is causing the proxy server to be seen as the requesting URI instead of my app. Trying to figure out what is needed to attempt to force OpenIdConnect to go to a defined URI (or to my actual app URI.) Below is my Program.cs along with my appsettings.json.

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.EntityFrameworkCore;
using Centrix.Admin.API.Data;
using Microsoft.AspNetCore.HttpOverrides;
var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    //.AddOpenIdConnect(options =>
    //{     
	//    options.CallbackPath = "My public web address";
    //})
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));  

builder.Services.AddAuthorization(options => {
    // By default, all incoming requests will be authorized according to the default policy.     
	options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment()) {
	app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.     
	app.UseHsts(); 
}

var forwardedHeaderOptions = new ForwardedHeadersOptions {
	ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};

app.UseForwardedHeaders(forwardedHeaderOptions);
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();  
app.UseAuthentication(); 
app.UseAuthorization();  
app.MapRazorPages(); 
app.MapControllers();  
app.Run();
{     
	"AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
		"Domain": "mydomain.onmicrosoft.com",
        "TenantId": "GUID",
        "ClientId": "GUID",
        "ClientSecret": "",         
		"CallbackPath": "/signin-oidc"
    },
	"Logging": {
		"LogLevel": {       
			"Default": "Information",
			"Microsoft.AspNetCore": "Warning"
		}
	},
	"AllowedHosts": "*",
	"DatabaseConnection": {         
		"SQLServerEndpoint": "Endpoint",
        "DatabaseName": "DBName"     
	} 
}

Request Id: 2ef5afc7-c10f-4991-91dc-44d1e5134b00

Correlation Id: 79409134-fe4c-4a62-a131-2e9dd60096c7

Timestamp: 2023-07-12T19:26:51Z

Message: AADSTS50011: The redirect URI 'https://proxy.azurewebsites.net/signin-oidc' specified in the request does not match the redirect URIs configured for the application. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
3,999 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,603 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Bruce (SqlWork.com) 52,486 Reputation points
    2023-07-12T22:23:29.1966667+00:00

  2. Paul Chamberlain 0 Reputation points
    2023-07-19T19:19:15.17+00:00

    Specifically my issue was with our proxy (Cloudflare) which does not send the X-Forwarded-Host header (this is where OpenIdConnect is expecting the appropriate redirect URI.) Instead Cloudflare only sends the X-Original-Host header. In order to pass the appropriate URI to OpenIdConnect, I had to create a new middleware that takes the URI out of the X-Original-Host and sets it to the X-Forwarded-Header. Then, ensure that I had XForwardedHost headers processed and everything flowed correctly after that. Below is what I ended up with in my Program.cs:

    builder.Services.Configure<ForwardedHeadersOptions>(options => 
    {
         options.ForwardedHeaders = ForwardedHeaders.XForwardedHost;
    });
    ...
    app.Use(async (context, next) =>
    {
         context.Request.Headers.Add("X-Forwarded-Host", context.Request.Headers["X-Original-Host"]);
         // Call the next delegate/middleware in the pipeline.
         await next(context);
    });