1

I have a Java webapp running on Tomcat deployed to Azure App Service. The authentication is handled via Azure AD. Everything seems to be working fine in the local environment.

When we deploy the app to Azure, `httpRequest.getScheme()` always returns HTTP, irrespective of whether the call is made from an HTTPS endpoint.

As a result, the redirect URL is constructed with an HTTP endpoint and doesn't match the redirect URL specified in the Azure AD App Registrations. The redirectUrl is constructed as follows.

```java
// getRequestURL() reflects the scheme Tomcat sees, which is http behind the Azure front end
String currentUri = httpRequest.getRequestURL().toString();
String redirectUrl = authority + tenant
        + "/oauth2/authorize?response_type=code&scope=user.read.all&response_mode=form_post&redirect_uri="
        + URLEncoder.encode(currentUri, "UTF-8")
        + "&client_id=" + clientId
        + "&resource=https%3a%2f%2fgraph.microsoft.com"
        + "&state=" + state
        + "&nonce=" + nonce;
```

I have searched and found this: https://creechy.wordpress.com/2011/08/22/ssl-termination-load-balancers-java/. The load balancer might cause this type of issue and we need to modify the Tomcat configuration.

The application works without any issues if we deploy the WAR file on on-prem servers. The issue occurs only in Azure.

The redirectUrl always contains http://xxxxx.azurewebsites.net but in the App registrations the redirectUrl is specified as https://xxxx.azurewebsites.net.

Has anyone else faced this issue? How can this be avoided?

AhmedVali
  • Did you bind an SSL certificate in Azure App Service? https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate – Tony Ju Nov 11 '19 at 03:23
  • If you want to use `http://xxxxx.azurewebsites.net` as the redirect URL, you can use App registrations (Legacy). – Tony Ju Nov 11 '19 at 03:26
  • Hi Tony, thank you for the response. I do not want a custom domain. I was hoping the *.azurewebsites.net certificate is enough. Isn't it enough? Also, I have enabled "Always HTTPS" in the TLS/SSL Settings from the Portal. – AhmedVali Nov 11 '19 at 05:59
  • Hi Tony, here is a similar case to the one I am experiencing: https://stackoverflow.com/questions/49189883/how-to-set-redirect-uri-protocol-to-https-in-azure-web-apps?rq=1. This is in Asp.Net, though; I am looking into Java and I can't modify the Tomcat configuration in this case. – AhmedVali Nov 11 '19 at 06:18

1 Answer

1

I have done some research on this. Inside Azure web app, it will always use http as the protocol. You can get the real protocol from the request header.

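```java
String currentUri = httpRequest.getRequestURL().toString();
// The front end terminates TLS and passes the original scheme in this header.
String realProto = httpRequest.getHeader("x-forwarded-proto");
if (realProto != null) {
    currentUri = currentUri.replaceFirst("^https?", realProto); // anchored: replace only the leading scheme
}
```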
Tony Ju
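An added example (not code from the question or the answer): one way to apply the `x-forwarded-proto` approach while accepting only `http` or `https` from the header and checking the rebuilt URL against the redirect URI registered in Azure AD, since the header is plain client-supplied text unless a trusted front end sets it. The class name, the `REGISTERED` set and the `example.azurewebsites.net/login` URL are assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class ForwardedRedirectUri {
    // Assumption: the redirect URI(s) from the Azure AD app registration (placeholder host and path).
    private static final Set<String> REGISTERED = Set.of("https://example.azurewebsites.net/login");

    /** Rebuilds the externally visible URL from getRequestURL() and the X-Forwarded-Proto value. */
    static String externalUrl(String requestUrl, String forwardedProto) throws URISyntaxException {
        URI seen = new URI(requestUrl);
        String scheme = seen.getScheme();
        if (forwardedProto != null) {
            String proto = forwardedProto.trim().toLowerCase(Locale.ROOT);
            // Accept only the two schemes a web front end can legitimately report.
            if (!proto.equals("http") && !proto.equals("https")) {
                throw new IllegalArgumentException("unexpected X-Forwarded-Proto value");
            }
            scheme = proto;
        }
        // Swap only the scheme component; host, port and path stay as Tomcat saw them.
        return new URI(scheme, seen.getAuthority(), seen.getPath(), null, null).toString();
    }

    /** Returns the redirect_uri to send, or fails if it is not one of the registered values. */
    static String redirectUri(String requestUrl, String forwardedProto) throws URISyntaxException {
        String candidate = externalUrl(requestUrl, forwardedProto);
        if (!REGISTERED.contains(candidate)) {
            throw new IllegalStateException("redirect_uri is not registered: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: what Tomcat sees behind the front end, plus the header value.
        System.out.println(redirectUri("http://example.azurewebsites.net/login", "https"));
        try {
            redirectUri("http://example.azurewebsites.net/login", "javascript");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected header: " + e.getMessage());
        }
        try {
            redirectUri("http://example.azurewebsites.net/login", null);
        } catch (IllegalStateException e) {
            System.out.println("rejected URL: " + e.getMessage());
        }
    }
}
```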