
I am unable to understand how to configure Azure AD B2C auth on a .Net Core 3.1 MVC application that has been configured behind an Azure Application Gateway using Back End Pool and Path Based URL mapping.

I have a .Net Core MVC (3.1) app that uses Nuget package (Microsoft.AspNetCore.Authentication.AzureADB2C.UI - v3.1.5).

The appsettings.json file contains:

"AzureAdB2C": {
    "Instance": "...://foo.com/tfp/",
    "ClientId": "guid",
    "CallbackPath": "/Home/Index",
    "Domain": "foo.onmicrosoft.com",
    "SignUpSignInPolicyId": "do",
    "ResetPasswordPolicyId": "re",
    "EditProfilePolicyId": "mi"
  }

startup.cs (in ConfigureServices method) has:

services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme).AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

Azure App Registration: I have created an App Registration with redirect URI:

https://localhost:5555/Home/Index

When working with application locally, everything works without issues / can perform auth.

I deployed the app to an Azure App Service. Thereafter, I updated the App Registration again, this time to include the URI (provisioned by default) of the app service:

https://myapp.azurewebsites.net/Home/Index

When working with application using App Service URL, everything works without issues / can perform auth.

Issue: Trouble happens when I provision a back end pool to point to the app service I just created. The steps I have performed are:

  1. In Application Gateway, clicked on 'backend pools' to create new one with 'target type' as 'app service' and 'target' as the app service I created.
  2. In the Application Gateway blade, clicked on 'Rules', updated one of the existing 'path-based' rules (we have configured a listener with a specific URL https://ourdomain.com) to include a path-based rule for the backend pool (the one I created).
  3. Then I updated the Azure App registration again, this time to include the backend pool path based URL ourdomain.com/myapp/Home/Index

When Browsing to https://ourdomain.com/myapp, the path resolves and everything works fine; however auth is broken and does not work.

Upon inspection I have noticed that when I 'sign in' using the app service default URL, the call is:

....://foo.com/foo.onmicrosoft.com/b2c_1a_signup_signin_loa0/oauth2/v2.0/authorize?client_id=guid&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2FHome%2FIndex&response_type=id_token&scope=openid%20profile&response_mode=form_post....

The parameter 'Redirect URI' is set as myapp.azurewebsites.net

However when I 'sign in' using the back end pool path (ourdomain.com/myapp), the same 'Redirect URI' is being used?

Surely the redirect URI should have been the one of the backend pool path ourdomain.com/myapp

Why is the Redirect URI (in App Registration) not working for the backend pool based path despite being added? Is there something more I need to configure (in Azure / code)? Could you point me in the right direction?

Thank you in advance.

1 Answer


First a word of explanation: the Redirect URIs list in the app registration is the list of URIs you allow to be used with this app registration. They will work fine when the user flow (in your case b2c_1a_signup_signin_loa0) is opened using any value from that list for the redirect_uri parameter.

Now a suggestion which you might try; just please be aware I have never used the combination you have, so I don't have 1:1 experience. However, I guess that your app still "thinks" it is myapp.azurewebsites.net (regardless of you using ourdomain.com) because that's how it is getting hit by Azure Application Gateway. The redirect URI in this case is handled by the middleware and you can only change the path via the CallbackPath option. What you can do is make App Gateway hit your backend using a specific Host header. This way the proper host will propagate from the App Gateway down to your backend and, hopefully, also to redirect_uri.

Here's docs reference: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview#override-host-header-in-the-request

wojtekdo
  • Thank you for your response and my apologies for the delay in replying. You are right, it is the 'CallbackPath' that was governing the redirect URI in the request. I did try to update 'CallbackPath' in appsettings.json to (ourdomain.com/app) but sadly it did not work either. The article you suggested, in particular your suggestion about somehow using a 'specific Host Header', led me to this [link](https://docs.microsoft.com/en-us/azure/application-gateway/troubleshoot-app-service-redirection-app-service-url). Ultimately I had to add rewrite rules (in App Gateway) to make it all work. Thanks. – Uday Thakur Mar 09 '21 at 09:17
  • This is the article that explains the issue further and provides a resolution [link](https://learn.microsoft.com/en-us/azure/application-gateway/troubleshoot-app-service-redirection-app-service-url). Furthermore, this one as well [link](https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers). Ultimately I had to follow this article [link](https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-url-portal). Thank you once again for all your help and taking time to respond to me. – Uday Thakur Mar 09 '21 at 09:21
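The answer's diagnosis is that the OpenID Connect handler behind AddAzureADB2C builds redirect_uri from what the backend sees in the request (Request.Scheme, Request.Host, Request.PathBase and then CallbackPath), so changing CallbackPath can only ever change the path part. The following Startup is an added example written for this page; it is not code from the question, the answer, or the Microsoft.AspNetCore.Authentication.AzureADB2C.UI package. It assumes App Gateway has been configured to override the Host header and to forward the client host in X-Original-Host (per the linked override-host-header docs), that a rewrite rule strips /myapp and adds an X-Forwarded-Prefix header (assumed header name), that the gateway subnet is 10.0.1.0/24 (assumed), and that the allowed redirect URIs are the three from the question. The security-relevant part is the trust boundary: forwarded headers are only honoured when the request really came from the gateway, and the computed redirect_uri is checked against the same allow list the App Registration holds before the browser is sent to B2C, so a spoofed Host or prefix cannot steer the sign-in response elsewhere.

```csharp
// Added example (not the question's or answer's code): make the B2C middleware build
// redirect_uri from the public origin seen at Application Gateway rather than the
// App Service host name. Header names, gateway subnet and hosts are assumptions.
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // Mirrors the Redirect URIs registered in the App Registration (values from the question).
    // Anything else is refused here, before B2C ever sees the request.
    private static readonly HashSet<string> AllowedRedirectUris =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://localhost:5555/Home/Index",
            "https://myapp.azurewebsites.net/Home/Index",
            "https://ourdomain.com/myapp/Home/Index",
        };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
            // App Gateway carries the client's original Host in this header once Host is overridden.
            options.ForwardedHostHeaderName = "X-Original-Host";
            // Only the gateway may set forwarded headers; otherwise any client hitting the
            // App Service directly could spoof the host and steer redirect_uri.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.1.0"), 24)); // assumed subnet
            options.AllowedHosts.Add("ourdomain.com");
            options.AllowedHosts.Add("myapp.azurewebsites.net");
        });

        // AddAzureADB2C installs its own OnRedirectToIdentityProvider (policy selection);
        // chain after it and verify the redirect_uri the handler computed.
        services.PostConfigure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            var inner = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                if (inner != null) await inner(ctx);
                if (!AllowedRedirectUris.Contains(ctx.ProtocolMessage.RedirectUri ?? string.Empty))
                {
                    ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
                    ctx.HandleResponse(); // stop the handler from issuing the redirect to B2C
                }
            };
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before anything that reads Request.Scheme / Request.Host.
        app.UseForwardedHeaders();

        // The gateway rewrite strips "/myapp" before the app sees the request; restore it as
        // PathBase so CallbackPath "/Home/Index" resolves to /myapp/Home/Index. The prefix is
        // only honoured when the (already validated) host is the gateway's public host name.
        app.Use((context, next) =>
        {
            if (string.Equals(context.Request.Host.Host, "ourdomain.com", StringComparison.OrdinalIgnoreCase)
                && context.Request.Headers.TryGetValue("X-Forwarded-Prefix", out var prefix) // assumed header
                && prefix.Count == 1 && prefix[0].StartsWith("/") && !prefix[0].Contains(".."))
            {
                context.Request.PathBase = new PathString(prefix[0].TrimEnd('/'));
            }
            return next();
        });

        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With this in place a sign-in started at https://ourdomain.com/myapp produces redirect_uri=https://ourdomain.com/myapp/Home/Index, while a request that reaches myapp.azurewebsites.net directly still gets its own registered URI. If you instead configure the gateway rewrite so that the backend receives the public Host unchanged (the route the comments above took), the ForwardedHeaders block is unnecessary but the PathBase restoration and the allow-list check still apply.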