Bearer token is missing with application proxy

Klaus Bleck 16 Reputation points
2021-10-15T13:51:36.48+00:00

Hey,

I have the problem that the bearer token (authorization header) is missing after the application proxy forwards the request to the backend. We have a mobile app that requests an access token and calls a protected API (Web API 2 with OWIN) with the bearer token to fetch resources. The backend uses UseOAuthBearerAuthentication-middleware to validate the token.

If the application proxy pre-authentication mode is set to 'passthrough', I can see in the IIS log that the authorization header is sent. The UseOAuthBearerAuthentication-middleware authorizes the user successfully. Everything is working. If the mode is set to 'Azure Active Directory', the proxy authenticates the user, but the Authorize attribute throws a 401 exception, because no validation was done. It is visible in the IIS log that the forwarded request does not contain the authorization header, so I guess it was removed? It makes sense that the UseOAuthBearerAuthentication-middleware cannot validate anything.

I only found this post about this topic:
https://stackoverflow.com/questions/56662612/authorization-header-is-missing-in-request-from-client-via-azure-ad-application

The solution provided there is to create a custom header and then map it on the backend to keep the default security mechanism, but to me this sounds like a hack, and I do not believe that this is the intended way. So is something missing or wrongly configured? I thought the application proxy just authenticates and then forwards the request without modifying it, especially if it is a GET request.

I am thankful for any help!

KB

Microsoft Entra ID
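The workaround the question refers to (sending the API token in a custom header and mapping it back on the backend), sketched as an added example that is not part of the original post or the linked answer. The header name `X-Api-Authorization` and the `Example` namespace are assumptions; the OWIN calls are the standard Microsoft.Owin ones.

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(Example.Startup))]

namespace Example
{
    public class Startup
    {
        // Assumption: the mobile app also sends its API access token in this
        // custom header; the name is hypothetical.
        private const string ForwardedAuthHeader = "X-Api-Authorization";

        public void Configuration(IAppBuilder app)
        {
            // Registered first so the bearer middleware sees the restored header.
            app.Use(async (context, next) =>
            {
                var headers = context.Request.Headers;
                string original = headers.Get("Authorization");
                string forwarded = headers.Get(ForwardedAuthHeader);

                // Only fill in a missing Authorization header, and only with a
                // bearer credential; never overwrite one that did arrive.
                if (string.IsNullOrEmpty(original)
                    && !string.IsNullOrEmpty(forwarded)
                    && forwarded.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                {
                    headers.Set("Authorization", forwarded);
                }

                // Drop the custom header so nothing further down logs or reuses it.
                headers.Remove(ForwardedAuthHeader);

                await next();
            });

            // Token validation stays with the standard middleware; configure the
            // options exactly as in the existing application.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }
}
```

The mapping step only moves the credential; signature, issuer and audience checks still happen in the bearer middleware, so the `[Authorize]` attribute behaves as it does in passthrough mode.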