
I have an app hosted on Azure PaaS using OpenID Connect for auth.

The app URL is like: https://env.app.entity.my.domain
The Azure ASE is: https://entity-app-env-web.webenvase.my.domain

As long as I configure a redirect URI for https://entity-app-env-web.webenvase.my.domain/signin-oidc in Azure, it works. That's because it's ignoring the redirect URI in my settings. But that's not what I want. I will obviously want to return the user to the app's URL.

No matter what values I put for my RedirectUri or CallbackPath, it defaults to the ASE URL. How can I fix that?

appsettings.json:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Issuer": "https://sts.windows.net/<tenant id>/",
  "Domain": "my.azure.domain",
  "TenantId": "<tenant id>",
  "ClientId": "<client id>",
  "RedirectUri": "https://env.app.entity.my.domain/signin-oidc"
}

Startup.cs (auth config):

services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole(Role.Administrator)
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
})
.AddMicrosoftIdentityUI();

1 Answer


I found from this answer and elsewhere that the redirect URI is automatically calculated, not taken from the value in the configs. The one in the configs will be used in some cases, but not for the auth call to Azure.

After monkeying around with it for some time, our server team started removing rules on the F5, and we found that the header rewrite rule that is typical for our other apps was the issue. Specifically, it was causing the auth cookie to be rejected and stripped at the browser during redirection.

We removed the rule and all is well again.

  • Hey @ChiefTwoPencils I'm in the same situation, where we use a Reverse Proxy to have a different URL than the one provided by Azure. Can you elaborate a bit more on what changes were done? And you did not need to change any .NET code? – Depechie Jun 30 '22 at 07:04
  • 1
    @Depechie, there were no code changes necessary. The F5 is managed by another team, so unfortunately I don't know the specifics of it. I do believe we had to register a custom domain in Azure that matched the public URL. I can try to see if I can get some more info for you. – ChiefTwoPencils Jun 30 '22 at 21:53
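As an added example (not code from the question or the answer), this Startup shows why the redirect_uri ends up as the ASE hostname and the code-side alternative to removing the proxy rule: the OIDC handler builds redirect_uri from Request.Scheme, Request.Host, PathBase and CallbackPath, so when the F5 rewrites the Host header the app sees the ASE URL. Trusting X-Forwarded-Host/X-Forwarded-Proto from the known proxy only restores the public host, and the OnRedirectToIdentityProvider override pins the value to the configured public URL as a second check. The proxy address 10.0.0.1 is a placeholder assumption.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public IConfiguration Configuration { get; }
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // 1) Let Request.Host / Request.Scheme reflect the public URL
        //    (https://env.app.entity.my.domain) instead of the ASE hostname,
        //    but only honour the headers when they come from the known proxy.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.1")); // placeholder: the F5's address
        });

        services.AddMicrosoftIdentityWebAppAuthentication(Configuration);

        // 2) Belt and braces: pin redirect_uri to the configured public value when it is
        //    an absolute HTTPS URL (it must also be registered on the Azure AD app).
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            var publicRedirect = Configuration["AzureAd:RedirectUri"];
            options.Events ??= new OpenIdConnectEvents();
            var previous = options.Events.OnRedirectToIdentityProvider; // keep Microsoft.Identity.Web's handler
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                if (previous != null) await previous(context);
                if (Uri.TryCreate(publicRedirect, UriKind.Absolute, out var uri) && uri.Scheme == Uri.UriSchemeHttps)
                    context.ProtocolMessage.RedirectUri = uri.ToString();
            };
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders(); // must run before authentication so Host/Scheme are already rewritten
        app.UseAuthentication();
        app.UseAuthorization();
    }
}
```

Without the forwarded-headers step the handler also sees http as the scheme behind a TLS-terminating proxy, which affects whether the correlation and auth cookies are marked Secure and accepted by the browser.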