
tl;dr: In essence, my app was working fine until implementing a shared cookie. Now I have an infinite login redirect loop. I've spent hours mucking about with cookie configurations, testing locally, deploying to Azure, and failing. How can I force HTTPS inside an Azure App Service?

Like many others, I've run into the infinite login loop issue. My application was working fine with ASP.NET Core 2.2 (on .NET 4.7.1) and then I moved to a "shared Auth cookie". In development, everything works fine from localhost, but as soon as I publish to an Azure App Service (.azurewebsites.net domain), I get the infinite login redirect loop.

To start things off, using an Azure Key Vault, I set up the "Data Protection" services following these instructions, and set my shared cookie as such for all applications:

services.AddDataProtection()
    .SetApplicationName("custom-app")
    .PersistKeysToAzureBlobStorage(cloudStorageAccount, azureBlobKeyStoragePath)
    .ProtectKeysWithAzureKeyVault(keyVault, clientId, clientSecret);

// Cookie shared by all apps. Domain is pinned to the custom domain, so a response
// served from a *.azurewebsites.net host cannot set this cookie in the browser.
var authCookie = new CookieBuilder() {
    Name = ".AspNetCore.Auth.SharedCookie",
    Path = "/",
    Domain = ".mycustomdomain.com",
    SecurePolicy = CookieSecurePolicy.SameAsRequest, // tried None as well without luck
    SameSite = SameSiteMode.None, // I've tried Lax without any changes
    HttpOnly = false, // auth cookie readable from script; the framework default is true
    IsEssential = true //changing this makes no difference
};
services
    .AddAuthentication(sharedOptions => {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddAzureAdB2C(options => configuration.Bind("AzureAdB2C", options))
    .AddCookie(options => { options.Cookie = authCookie; });
...
var corsOrigins = new[] {
    "http://localhost",
    "https://localhost",
    "http://*.mycustomdomain.com",
    "https://*.mycustomdomain.com",
    "http://*.azurewebsites.net",
    "https://*.azurewebsites.net",
    "https://*.onmicrosoft.com",
    "https://login.microsoftonline.com"
};

app.UseCors(cors => {
    cors.WithOrigins(corsOrigins)
    .SetIsOriginAllowedToAllowWildcardSubdomains()
    .AllowCredentials();
    cors.AllowAnyHeader();
    cors.AllowAnyMethod();
}); 

Other than configuring the "Data Protection" services and additional CORS domains, no other changes were made to the application code.

My application is configured for HTTPS ... https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-2.2

...
app.UseHsts();
...
app.UseHttpsRedirection();
...

And I also verified that my Azure App Service is set for HTTPS access on both the "Custom domains" and "SSL settings" options.

Based on all the posts I have come across, I understand that the main issue may have to do with HTTPS redirecting from the Azure ADB2C endpoints and the shared cookie not being stored/read properly. The reverse proxy drops the HTTPS and only calls HTTP. I just can't seem to figure out which combination should work. I am using the OutOfProcess host, and I can see that the internal calls are HTTP. How can I get these to be HTTPS?

Side Note: I tried changing the Correlation or Nonce cookie domains as well, but this results in Correlation Errors.

TIA, any direction pointing would be appreciated.

Short list of posts I've referenced:

ACG

1 Answer


After some time off studying my configuration and creating a test app from scratch ... I came across the following post:

ASP.NET Core Sharing Identity Cookie across azure web apps on default domain (*.azurewebsites.net)

My current assumption is that this is indeed the culprit, I will try a new test tonight with one of my custom domains and see what happens.

ACG
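The answer's diagnosis, illustrated as an added example that is not part of the question or answer: a small model of the browser-side check in RFC 6265 (section 5.3) that decides whether a Set-Cookie is stored at all. A cookie scoped to Domain=.mycustomdomain.com issued from an app served at app.azurewebsites.net fails the domain-match test, so nothing is stored and every request is challenged again; the constructed public-suffix set (azurewebsites.net is on the real Public Suffix List) shows why widening the Domain to .azurewebsites.net does not help either. Host names are taken from the question.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# The real list is far longer; azurewebsites.net is on it.
PUBLIC_SUFFIXES = {"com", "net", "azurewebsites.net"}


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain when they are equal or host
    ends with '.' + domain. Comparison is case-insensitive; leading dot ignored."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class Verdict:
    stored: bool
    reason: str


def would_browser_store(request_host: str, cookie_domain: Optional[str]) -> Verdict:
    """Apply the Domain-attribute checks of RFC 6265 5.3 (steps 5 and 6) to one
    Set-Cookie. A cookie without a Domain attribute is host-only and is stored."""
    host = request_host.lower().rstrip(".")
    if not cookie_domain:
        return Verdict(True, f"host-only cookie for {host}")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if domain in PUBLIC_SUFFIXES:
        if host == domain:  # RFC allows this one case, as a host-only cookie
            return Verdict(True, f"host-only cookie for public suffix {host}")
        return Verdict(False, f"Domain={domain} is a public suffix; cookie ignored")
    if not domain_match(host, domain):
        return Verdict(False, f"{host} does not domain-match Domain={domain}; cookie rejected")
    return Verdict(True, f"cookie stored for {domain} and its subdomains")


if __name__ == "__main__":
    cases = [("app.mycustomdomain.com", ".mycustomdomain.com"),
             ("app.azurewebsites.net", ".mycustomdomain.com"),  # the login loop
             ("app.azurewebsites.net", ".azurewebsites.net"),
             ("app.azurewebsites.net", None)]
    for host, dom in cases:
        v = would_browser_store(host, dom)
        print(f"{host:26} Domain={str(dom):22} stored={v.stored}  {v.reason}")
```

Running it shows that only the custom-domain host, or a host-only cookie with no Domain attribute, results in a stored cookie on the default Azure domain.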