Issues with OpenIdConnect and MS Identity Web behind a proxy server

Paul Chamberlain 0 Reputation points
2023-07-12T19:58:17.7933333+00:00

I have the following code for running my Razor page web app with AzureAD authentication with OpenIdConnect using (I think) the latest and greatest with .NET6. When deployed, my application is put behind a proxy server which causes the login path to redirect to the internal azurewebsites.net/signin-oidc instead of my public application URL. Locally this all works fine, but because the production server sits behind the proxy server in Azure, once I get through the Azure login successfully, I think the inner workings of OpenIDConnect are causing the proxy server to be seen as the requesting URI instead of my app. Trying to figure out what is needed to attempt to force OpenIdConnect to go to a defined URI (or to my actual app URI.) Below is my Program.cs along with my appsettings.json.

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.EntityFrameworkCore;
using Centrix.Admin.API.Data;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    //.AddOpenIdConnect(options =>
    //{
    //    options.CallbackPath = "My public web address";
    //})
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options => {
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment()) {
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

// Only X-Forwarded-For and X-Forwarded-Proto are processed here; X-Forwarded-Host is not,
// so Request.Host (which the OIDC handler uses to build redirect_uri) stays the proxy's own host.
var forwardedHeaderOptions = new ForwardedHeadersOptions {
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};

app.UseForwardedHeaders(forwardedHeaderOptions);
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();
app.Run();

{
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "mydomain.onmicrosoft.com",
        "TenantId": "GUID",
        "ClientId": "GUID",
        "ClientSecret": "",
        "CallbackPath": "/signin-oidc"
    },
    "Logging": {
        "LogLevel": {
            "Default": "Information",
            "Microsoft.AspNetCore": "Warning"
        }
    },
    "AllowedHosts": "*",
    "DatabaseConnection": {
        "SQLServerEndpoint": "Endpoint",
        "DatabaseName": "DBName"
    }
}

Request Id: 2ef5afc7-c10f-4991-91dc-44d1e5134b00

Correlation Id: 79409134-fe4c-4a62-a131-2e9dd60096c7

Timestamp: 2023-07-12T19:26:51Z

Message: AADSTS50011: The redirect URI 'https://proxy.azurewebsites.net/signin-oidc' specified in the request does not match the redirect URIs configured for the application. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.


2 answers

  1. Bruce (SqlWork.com) 61,731 Reputation points
    2023-07-12T22:23:29.1966667+00:00

  2. Paul Chamberlain 0 Reputation points
    2023-07-19T19:19:15.17+00:00

    Specifically my issue was with our proxy (Cloudflare) which does not send the X-Forwarded-Host header (this is where OpenIdConnect is expecting the appropriate redirect URI.) Instead Cloudflare only sends the X-Original-Host header. In order to pass the appropriate URI to OpenIdConnect, I had to create a new middleware that takes the URI out of the X-Original-Host and sets it to the X-Forwarded-Host header. Then, ensure that I had XForwardedHost headers processed and everything flowed correctly after that. Below is what I ended up with in my Program.cs:

    builder.Services.Configure<ForwardedHeadersOptions>(options =>
    {
        // Process X-Forwarded-Host so Request.Host (and therefore the OIDC redirect URI) reflects the public host.
        options.ForwardedHeaders = ForwardedHeaders.XForwardedHost;
    });
    ...
    // This must be registered before app.UseForwardedHeaders(), which reads the header when it executes.
    app.Use(async (context, next) =>
    {
        // Indexer assignment instead of Add(): Add() throws if the header is already present.
        context.Request.Headers["X-Forwarded-Host"] = context.Request.Headers["X-Original-Host"];
        // Call the next delegate/middleware in the pipeline.
        await next(context);
    });
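A hardened variant of the header bridge from this answer, added here as example code (not the poster's or Microsoft's): it copies X-Original-Host only when the value is a host the app actually serves, trusts forwarded headers only from the proxy's network, and runs before the forwarded-headers middleware so a client cannot steer the OIDC redirect URI by sending its own host header. The public host name "app.example.com", the proxy range 203.0.113.0/24 and the /whoami endpoint are assumptions for illustration.

```csharp
// Added example (not the poster's or Microsoft's code): a hardened version of the
// X-Original-Host -> X-Forwarded-Host bridge. Assumptions: "app.example.com" is
// the app's public host and 203.0.113.0/24 is the proxy's address range.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// The only host names the app is allowed to believe it is being served as.
string[] publicHosts = { "app.example.com" };

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // Trust forwarded headers only when the request comes from the proxy network.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
        IPAddress.Parse("203.0.113.0"), 24));

    // X-Forwarded-Host values outside this list are ignored by the middleware.
    foreach (var host in publicHosts) options.AllowedHosts.Add(host);
});

var app = builder.Build();

// Bridge the header before UseForwardedHeaders runs, never overwrite a value the
// proxy already set, and only copy host names we actually serve.
app.Use(async (context, next) =>
{
    var original = context.Request.Headers["X-Original-Host"].ToString();
    if (original.Length > 0
        && !context.Request.Headers.ContainsKey("X-Forwarded-Host")
        && publicHosts.Contains(original, StringComparer.OrdinalIgnoreCase))
    {
        context.Request.Headers["X-Forwarded-Host"] = original;
    }
    await next(context);
});

app.UseForwardedHeaders(); // picks up the options configured above

// Diagnostic endpoint: shows the scheme and host the app will use to build redirect URIs.
app.MapGet("/whoami", (HttpContext ctx) =>
    $"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}");

app.Run();
```

Requesting /whoami through the proxy should now return the public host; a request that carries a forged X-Original-Host for a host outside the list, or that does not originate from the proxy range, keeps the unmodified Request.Host.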