I have the following code for running my Razor Pages web app with AzureAD authentication with OpenIdConnect using (I think) the latest and greatest with .NET 6. When deployed, my application is put behind a proxy server which causes the login path to redirect to the internal azurewebsites.net/signin-oidc instead of my public application URL. Locally this all works fine, but because the production server sits behind the proxy server in Azure, once I get through the Azure login successfully, I think the inner workings of OpenIdConnect are causing the proxy server to be seen as the requesting URI instead of my app. I am trying to figure out what is needed to force OpenIdConnect to go to a defined URI (or to my actual app URI). Below is my Program.cs along with my appsettings.json.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.EntityFrameworkCore;
using Centrix.Admin.API.Data;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    //.AddOpenIdConnect(options =>
    //{
    //    options.CallbackPath = "My public web address";
    //})
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

var forwardedHeaderOptions = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
app.UseForwardedHeaders(forwardedHeaderOptions);

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();
app.Run();
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mydomain.onmicrosoft.com",
    "TenantId": "GUID",
    "ClientId": "GUID",
    "ClientSecret": "",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "DatabaseConnection": {
    "SQLServerEndpoint": "Endpoint",
    "DatabaseName": "DBName"
  }
}
Request Id: 2ef5afc7-c10f-4991-91dc-44d1e5134b00
Correlation Id: 79409134-fe4c-4a62-a131-2e9dd60096c7
Timestamp: 2023-07-12T19:26:51Z
Message: AADSTS50011: The redirect URI 'https://proxy.azurewebsites.net/signin-oidc' specified in the request does not match the redirect URIs configured for the application. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
you need to configure the rewrite header in the proxy,
https://azure.microsoft.com/en-us/blog/rewrite-http-headers-with-azure-application-gateway/
Specifically, my issue was with our proxy (Cloudflare), which does not send the X-Forwarded-Host header (this is where OpenIdConnect is expecting the appropriate redirect URI). Instead, Cloudflare only sends the X-Original-Host header. In order to pass the appropriate URI to OpenIdConnect, I had to create a new middleware that takes the URI out of X-Original-Host and sets it in the X-Forwarded-Host header. Then I ensured that XForwardedHost headers were processed, and everything flowed correctly after that. Below is what I ended up with in my Program.cs:
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Tell the forwarded-headers middleware to honour X-Forwarded-Host.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedHost;
});
...
// This must be registered before app.UseForwardedHeaders(), which is what reads X-Forwarded-Host.
app.Use(async (context, next) =>
{
    // Copy the proxy's X-Original-Host into X-Forwarded-Host. Use the indexer rather than
    // Headers.Add(): Add() throws if the header is already present on the request.
    if (context.Request.Headers.TryGetValue("X-Original-Host", out var originalHost))
    {
        context.Request.Headers["X-Forwarded-Host"] = originalHost;
    }
    // Call the next delegate/middleware in the pipeline.
    await next(context);
});
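The OIDC handler builds redirect_uri from Request.Scheme, Request.Host, Request.PathBase and CallbackPath, so whatever the forwarded-headers middleware puts into Request.Host is what ends up in the AADSTS50011 message. The following Program.cs is an added example written for this page; it is not the asker's or either answerer's code. It covers both approaches above: if the proxy is configured to send X-Forwarded-Host (first answer), drop the ForwardedHostHeaderName line; if it only sends X-Original-Host (second answer), that one line replaces the copying middleware. The public hostname app.example.com, the 10.0.0.0/8 proxy range and the /debug/request-origin endpoint are placeholders, and the code assumes .NET 6 and Microsoft.Identity.Web as in the question.

```csharp
// Program.cs (.NET 6 minimal hosting). Added example for this page, not the original poster's code.
// Assumptions (placeholders): public host "app.example.com", proxy network 10.0.0.0/8.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using System.Net;

var builder = WebApplication.CreateBuilder(args);

const string PublicHost = "app.example.com"; // assumption: the hostname users (and Azure AD) see

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Scheme and client IP as in the question, plus Host, which is what fixes redirect_uri:
    // the OIDC handler builds it from Request.Scheme + Request.Host + PathBase + CallbackPath.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // The second answer reports that Cloudflare sends X-Original-Host instead of
    // X-Forwarded-Host. Reading that header directly avoids the copying middleware.
    // Remove this line if the proxy is configured to send X-Forwarded-Host itself.
    options.ForwardedHostHeaderName = "X-Original-Host";

    // Only honour forwarded headers from the proxy. Without this, any client that sends
    // X-Original-Host controls Request.Host, and therefore redirect_uri and every absolute
    // URL the app generates. Replace the range with the proxy's real address space.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.0.0"), 8));

    // Even from a trusted proxy, only accept the host this app is actually served on.
    options.AllowedHosts.Add(PublicHost);
});

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options => options.FallbackPolicy = options.DefaultPolicy);
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

// Forwarded headers must be processed before anything that looks at the request URL:
// HSTS/HTTPS redirection, authentication (which builds redirect_uri) and routing.
app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint (assumed name): returns the exact value the OIDC handler will send
// as redirect_uri. Compare it with the URI quoted in the AADSTS50011 error, then remove
// the endpoint once the deployment is verified.
app.MapGet("/debug/request-origin", (HttpContext ctx) =>
        $"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}" +
        builder.Configuration["AzureAd:CallbackPath"])
   .AllowAnonymous();

app.MapRazorPages();
app.Run();
```

If the diagnostic endpoint still returns the azurewebsites.net host after deployment, the forwarded header is either not arriving (check the proxy) or is being ignored because the connection does not come from a KnownNetworks/KnownProxies entry; temporarily clearing both lists without adding a range will accept the header from any source and confirms which of the two it is, but that state must not be left in production.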