Rebecca

Reputation: 14412

Override redirect URL in AddMicrosoftAccount() identity OAuth for ASP.NET Core web app

I have a website deployed to Azure. I've used Cloudflare in order to CNAME the azurewebsites domain, and therefore set the redirect URL to the Cloudflare hosted domain name as:

https://www.example.com/signin-microsoft

When I try and login, I get a failure, and the link provided by Microsoft is:

https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=xxx

When I run Fiddler, I can see that the redirect URL passed through by my app is not https://www.example.com but the following:

/common/oauth2/v2.0/authorize?client_id=f0caa31c-3117-4479-a284-65f5a38ff5b6&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_type=code&redirect_uri=https%3A%2F%2Fexample.azurewebsites.net%2Fsignin-microsoft

When I set up the Microsoft OAuth in my app, I have these settings, but I can't find one to override the redirect URL:

services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
{
    microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
    microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
});

Does anyone have any suggestions? To complicate matters, I've got this structure:

Upvotes: 0

Views: 3082

Answers (3)

Eric Dean Kauffman

Reputation: 33

Thanks for the tip!

I had to make one small change because my callback path was "/signin-microsoft".

On the RegEx I modified it to the following:

Regex.Replace(context.RedirectUri, "redirect_uri=(.)+%2Fsignin-", "redirect_uri=https%3A%2F%2Fwww.yourcustomdomain.com%2Fsignin-")

Note the "signin-" instead of "signin-oidc".

Upvotes: 0

PerfectlyPanda

Reputation: 3511

You can double check which redirect URL is expected by checking the application's AAD reply URLs with the instructions here. This must be an exact match to what you are sending in your request. It can take a few minutes for updates to propagate, so give it some time after you update this setting for errors to resolve.

I was able to override the redirect URI using a similar strategy to the answer in this question.

using System.Text.RegularExpressions;
using System.Threading.Tasks;

services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions =>
    {
        microsoftOptions.ClientId = Configuration["AzureAd:AppId"];
        microsoftOptions.ClientSecret = Configuration["AzureAd:Password"];
        microsoftOptions.AuthorizationEndpoint = Configuration["AzureAd:AuthEndpoint"];
        microsoftOptions.CallbackPath = "/signin-oidc";
        // The handler builds the authorize URL from the host of the incoming
        // request, so swap the host inside the URL-encoded redirect_uri
        // parameter for the public domain before redirecting the browser.
        microsoftOptions.Events.OnRedirectToAuthorizationEndpoint = context =>
        {
            context.Response.Redirect(Regex.Replace(
                context.RedirectUri,
                "redirect_uri=(.)+%2Fsignin-oidc",
                "redirect_uri=https%3A%2F%2Fwww.yourcustomdomain.com%2Fsignin-oidc"));

            return Task.FromResult(0);
        };
    });

Upvotes: 1
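The regex approach above works, but a pattern like `redirect_uri=(.)+%2Fsignin-oidc` is easy to get subtly wrong (it depends on the callback path appearing exactly once and on parameter order), and a mistake silently changes `state` or `scope` as well. The following is an added example, not code from the question or either answer: it parses the authorize URL the handler produced, replaces only the `redirect_uri` value, checks that the callback path is the one configured on the handler, and leaves every other parameter as generated. `https://www.example.com` and the class name `RedirectUriRewrite` are assumptions for illustration; the `QueryHelpers` calls come from Microsoft.AspNetCore.WebUtilities and the event and context types from the Microsoft.AspNetCore.Authentication packages.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.Primitives;

// Hypothetical helper (not part of ASP.NET Core): rewrite only the
// redirect_uri parameter of an OAuth authorize URL.
public static class RedirectUriRewrite
{
    public static string ReplaceRedirectUriHost(string authorizeUrl, string publicOrigin, string callbackPath)
    {
        var uri = new Uri(authorizeUrl);
        var query = QueryHelpers.ParseQuery(uri.Query);

        // Fail loudly rather than forwarding a malformed authorize request.
        if (!query.TryGetValue("redirect_uri", out var current) || StringValues.IsNullOrEmpty(current))
            throw new InvalidOperationException("authorize URL has no redirect_uri");

        // Only the host changes; the path must still be the handler's callback
        // path, otherwise the code would be delivered somewhere we do not handle.
        var currentPath = new Uri(current.ToString()).AbsolutePath;
        if (!string.Equals(currentPath, callbackPath, StringComparison.Ordinal))
            throw new InvalidOperationException($"unexpected callback path {currentPath}");

        var rewritten = new Dictionary<string, StringValues>(query)
        {
            ["redirect_uri"] = publicOrigin.TrimEnd('/') + callbackPath
        };

        // Rebuild the query from scratch so state, scope, nonce etc. are
        // re-encoded exactly as the handler produced them.
        var pairs = new List<KeyValuePair<string, string>>();
        foreach (var kv in rewritten)
            foreach (var value in kv.Value)
                pairs.Add(new KeyValuePair<string, string>(kv.Key, value ?? string.Empty));

        return QueryHelpers.AddQueryString(uri.GetLeftPart(UriPartial.Path), pairs);
    }
}

// Wiring it into the Microsoft account handler (assumed public origin).
services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions =>
    {
        microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
        microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
        microsoftOptions.CallbackPath = "/signin-microsoft";
        microsoftOptions.Events.OnRedirectToAuthorizationEndpoint = context =>
        {
            var target = RedirectUriRewrite.ReplaceRedirectUriHost(
                context.RedirectUri,
                "https://www.example.com",                 // assumed public host
                context.Options.CallbackPath.Value ?? "/signin-microsoft");
            context.Response.Redirect(target);
            return Task.CompletedTask;
        };
    });
```

The value sent as `redirect_uri` still has to match, character for character, one of the reply URLs registered for the application, so register `https://www.example.com/signin-microsoft` (your real host) there; the rewrite only makes the app send the public host instead of the azurewebsites.net one it sees behind the proxy.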

Joey Cai

Reputation: 20127

The problem is due to a conflict between CloudFlare's CNAME flattening and Azure's CNAME verification. The CNAME flattening essentially returns A records, which speeds up DNS resolution and is a good idea in general. However, Azure's CNAME verification only verifies CNAME records.

The best workaround I've found is to:

1. Disable CloudFlare's HTTP proxying (click the orange cloud on that CNAME record so that it turns grey); this also disables CNAME flattening for that record.

2. Check your host on dig until you see the CNAME records show up.

3. Verify your CNAME host on the Azure portal.

4. Re-enable CloudFlare's HTTP proxying (click the grey cloud on that CNAME record so it turns orange).

This allows you to verify on Azure and still take advantage of CloudFlare's CDN.

For more details, you could refer to this article.

Upvotes: 1
