
[Bug] Blazor VS template fails on ARC for App Services as the redirect URI is http not https

Open snapfisher opened this issue 2 years ago • 12 comments

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

1.25.1

Web app

Sign-in users

Web API

Not Applicable

Token cache serialization

In-memory caches

Description

I have a Blazor server app, created with the Visual Studio template (recent -- about 30 - 45 days ago), and it authenticates to AAD.

This works fine when deployed to a Windows Azure App Service, .Net 6.
This works fine when deployed to a Linux Azure App Service, .Net 6.

Both of the above with identical code.

When deploying to an app service created on the Azure Arc preview, the redirect URI is http not https, so login fails.

Reproduction steps

  1. the CallbackPath appsetting in the app is "/signin-oidc".
  2. the authentication part of ConfigureServices is:
var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
            .AddInMemoryTokenCaches();
services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();

I have been changing the redirect URI in the azure portal for the correct domain name. I tried modifying the manifest to force the configured URIs to http, but I received a security error, so that is no longer allowed.

Error message

AADSTS50011: The redirect URI 'http://xxx.eastus.k4apps.io/signin-oidc' specified in the request does not match the redirect URIs configured for the application

Id Web logs

No response

Relevant code snippets

See reproduction steps

Regression

No response

Expected behavior

I should be able to log in with the same code as I do for the actual app service (windows and linux).

snapfisher avatar Jun 29 '22 20:06 snapfisher

@snapfisher : did you see https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers ?

jmprieur avatar Jun 30 '22 02:06 jmprieur

@jmprieur : I did not, but looking at it now. I was not using containers, but -- is ARC for App Services creating a container automagically in ARC when publishing directly from Visual Studio? I have no idea. If I can get this working with these instructions, I think I'm going to file a ticket with them, that they are not consistent, i.e. apps should deploy identical to ARC as they do to the app service, and this deploys to a Linux App Service with no issues. If I can't get it to work, then I don't really know. Trying now....

snapfisher avatar Jul 01 '22 15:07 snapfisher

@jmprieur : That has no effect, which makes sense since the write-up seems to imply "fixed in .NET Core 3.0". The only oddity I see is that when I create the publishing profile in Visual Studio, for my Linux app service it says that the site is "https://xxx", whereas for the ARC Linux app service it says that the site is "http://xxx", even though the app service is set to https only. I can manually change the XML of the publishing profile, but that has no effect. So....I'm not sure. Do you think this bug would be better resubmitted to https://github.com/dotnet/aspnetcore?

snapfisher avatar Jul 01 '22 15:07 snapfisher

Thanks for investigating, @snapfisher. @Tratcher, what would you recommend?

jmprieur avatar Jul 01 '22 16:07 jmprieur

Try setting the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED=true on your service. This is something we do by default in the Asp.Net Core container image, but it might not be happening in the ARC containers.

More background: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0#forward-the-scheme-for-linux-and-non-iis-reverse-proxies

Tratcher avatar Jul 01 '22 18:07 Tratcher

That has no effect.

Just so you can double check me....

public void ConfigureServices(IServiceCollection services)
{
    var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
            .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
                .AddInMemoryTokenCaches();
    services.AddControllersWithViews()
        .AddMicrosoftIdentityUI();

    services.AddAuthorization(options =>
    {
        // By default, all incoming requests will be authorized according to the default policy
        options.FallbackPolicy = options.DefaultPolicy;
    });

    services.AddRazorPages();

    Environment.SetEnvironmentVariable("ASPNETCORE_FORWARDEDHEADERS_ENABLED", "true");

    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders =
            ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
    });

    //other stuff follows
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseForwardedHeaders();

    //other stuff follows
}

snapfisher avatar Jul 05 '22 14:07 snapfisher

I also tried it only setting the environment variable, but making no other changes. That had no effect, either.

snapfisher avatar Jul 05 '22 14:07 snapfisher

That variable would need to get set at the start of Program.Main before creating the host.

Try the troubleshooting steps at the bottom: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0#troubleshoot

Tratcher avatar Jul 05 '22 16:07 Tratcher

When I do this -- and I put the env variable set as the very first thing in main, there is no change. I did get logging working. I never see an X-Forwarded-Proto header, and the X-Original-Proto header is always "http". I do see the X-Forwarded-For header, but not the proto header.

If I understood the documentation correctly, I should see an X-Forwarded-Proto header that says "https", which then gets copied to the X-Original-Proto header, yes?


snapfisher avatar Jul 05 '22 21:07 snapfisher

Interesting, it sounds like the middleware is running and getting you those x-original-* headers. Disable the middleware and confirm you get x-forwarded-proto: http. This might be an ARC infrastructure issue.

Tratcher avatar Jul 05 '22 22:07 Tratcher

The two pieces of advice above (set ASPNETCORE_FORWARDEDHEADERS_ENABLED before the host is built, then check what X-Forwarded-Proto / X-Original-Proto actually arrive) put together as one .NET 6 Program.cs. This is an added example, not code from the issue or from Microsoft.Identity.Web; the explicit ForwardedHeadersOptions block duplicates what the environment switch configures, and the logging middleware is a hypothetical diagnostic added here.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web).
// .NET 6 minimal-hosting Program.cs. The ForwardedHeaders_Enabled switch is read
// while the host is built, so it must be set before WebApplication.CreateBuilder.
using Microsoft.AspNetCore.HttpOverrides;

Environment.SetEnvironmentVariable("ASPNETCORE_FORWARDEDHEADERS_ENABLED", "true");

var builder = WebApplication.CreateBuilder(args);

// Explicit equivalent of what the switch configures, for hosts that ignore the
// switch. Clearing KnownNetworks/KnownProxies trusts forwarded headers from any
// source; acceptable only when the app is reachable solely through the platform
// front end, otherwise a client could spoof its own scheme/address.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

var app = builder.Build();

// Must run before authentication: the OIDC redirect_uri is built from
// Request.Scheme, which this middleware rewrites from X-Forwarded-Proto.
app.UseForwardedHeaders();

// Hypothetical diagnostic middleware: logs what the proxy sent and what the
// forwarded-headers middleware did with it. A consumed X-Forwarded-Proto is
// replaced by X-Original-Proto holding the scheme that was overwritten.
app.Use(async (context, next) =>
{
    var log = context.RequestServices.GetRequiredService<ILogger<Program>>();
    log.LogInformation(
        "X-Forwarded-Proto={Forwarded} X-Original-Proto={Original} Request.Scheme={Scheme}",
        context.Request.Headers["X-Forwarded-Proto"].ToString(),
        context.Request.Headers["X-Original-Proto"].ToString(),
        context.Request.Scheme);
    await next();
});

app.UseAuthentication();
app.UseAuthorization();

// Quick probe: if this returns scheme=http behind an https front end, the proxy
// is not sending X-Forwarded-Proto and the redirect_uri will be http as well.
app.MapGet("/scheme", (HttpRequest request) => $"scheme={request.Scheme}");

app.Run();
```

If the log line shows an empty X-Forwarded-Proto while the browser connected over https, the problem is upstream of the application, which is the ARC infrastructure question raised in the thread.

I can't seem to get the x-forwarded-proto header to display, so I went back to the actual Linux app service, which runs correctly, and I don't see it there either. I don't know why I can't see it, but the second one is working, with the middleware off, as it was originally. The really interesting thing is that it also has X-Original-Proto: http. So, I'm back to...it's just broke, as from the logs there is no difference between the two.

snapfisher avatar Jul 06 '22 02:07 snapfisher

Could it be looking for a different environment variable?

snapfisher avatar Jul 06 '22 02:07 snapfisher