question

KlausBleck-9240 avatar image
0 Votes"
KlausBleck-9240 asked KlausBleck-9240 edited

Bearer token is missing with application proxy

Hey,

i have the problem that the bearer token (authorization header) is missing after the application proxy is forwarding the request to the backend. We have a mobile app that requests an access token and calls a protected api (web api 2 with OWIN) with the bearer token to fetch resources. The backend uses UseOAuthBearerAuthentication-middleware to validate the token.

If the application proxy pre-authentication mode is set to'passthrough', i can see in the IIS log that the authorization header is sent. The UseOAuthBearerAuthentication-middleware authorizes the user successfully. Everything is working. If the mode is set to 'Azure Active Directory', the proxy authenticates the user, but the Authorize attribute throws an 401-exception, because no validation was done. It is visible in the IIS log, that the forwarded request does not contains the authorization header, so i guess it was removed? It makes sense that the UseOAuthBearerAuthentication-middleware cannot validate anything..

I only found this post about this topic:
https://stackoverflow.com/questions/56662612/authorization-header-is-missing-in-request-from-client-via-azure-ad-application

The solution provided there is to create a custom header and then map it on the backend to keep the default security mechanism, but to me, this sounds like a hack and i do not believe, that this is the intended way. So is something missing or wrong configured? I thought the application proxy just authenticates and then forwards the request without modifying it, especially if it is a GET request.

I am thankful for every help!

KB

azure-ad-authenticationazure-ad-application-proxy
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

0 Answers