Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
636 questions
FrontDoor Authorization header
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 93%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Agnija Bako
0
Reputation points
Hi. Whenever a request gets redirected from Azure FrontDoor to the destination host, the Authorization header gets removed from the request. It is specifically the Authorization header that gets removed. If I add a custom headers, all of those get passed further to the destination host.
I am wondering if there is any particular a reason it works like that? Currently we have implemented a workaround to pass the Authorization token under a custom header, but it would be great to know if there is a more elegant solution to this issue.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee2022-03-17T02:03:24.73+00:00 Hello anonymous user, welcome to the Microsoft Q&A forum.
As per the documentation Front Door accepts most headers for the incoming request without modifying them. Some reserved headers are removed from the incoming request if sent, including headers with the X-FD-* prefix.
Can you please let us know what kind of authorization you have set? Do you have a Web Application Firewall Setup for your AFD? and which Header is removed by AFD?
Thank you!
-
Agnija Bako 0 Reputation points
2022-03-17T09:05:19.657+00:00 Hi @ChaitanyaNaykodi-MSFT thank you. Yes indeed I read that in the documentation, however it seemed a bit vague. I tried to look for the particular headers that are removed, but I could not find it in the documentation. I am using Postman to make the request to AFD and have set an authorization method of OAuth2 with Azure AD( like here -https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad). After the token is generated Postman sends the token in a header called - "Authorization". This header ends up being the only one excluded from the request when AFD redirects to the destination host, in our case that is the Traffic Manager. Custom headers and other Postman generated headers, such as - "User-Agent", "Postman-Token" are all passed further down to the destination host. We do not have a Web Application Firewall setup for our AFD. Here is an example of the request and redirect: Request to AFD: ![184047-postman-request.jpg][1] AFD redirect to Traffic manager ![184111-redirected-postman.jpg][2] [1]: /api/attachments/184047-postman-request.jpg?platform=QnA [2]: /api/attachments/184111-redirected-postman.jpg?platform=QnA As you can observe, the "Authorization" header gets removed
-
ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
2022-03-17T23:33:48.35+00:00 Hello anonymous user, Thank you for providing additional details. I think to help debug this issue we will need to take a closer look at the set-up. If you have a support plan you may file for a support ticket. If you do not have a support plan, please refer to my private message below. (Please let me know if you are unable to see the private message) Thank you!
Sign in to comment