Reputation: 15174
I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.
My setup is:
My App Registration "app-auth" has a redirect URL assigned to the Front Door public name, for example "frontdoor.example.com".
Problems I'm having:
- The "request_uri" query string when logging in to Azure Active Directory. It must send the Front Door URL.
- The "host" header in Front Door fails, as it requires it to match the App Service name.
Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?
Upvotes: 3
Views: 3057
Reputation: 161
I found an article describing a solution. https://vincentlauzon.com/2019/07/17/azure-app-service-authentication-with-azure-front-door/
I used self-signed SSL certificates. That works fine. Don't forget the "extendedKeyUsage=serverAuth".
# 2048-bit RSA private key
openssl genrsa -out key.pem 2048
# self-signed certificate, valid 1096 days, with the serverAuth extended key usage
openssl req -x509 -new -days 1096 -key key.pem -out my.cer -addext "extendedKeyUsage=serverAuth"
# bundle key and certificate into the PFX that gets uploaded
openssl pkcs12 -export -inkey key.pem -in ./my.cer -out certificate.pfx
I had to adapt the solution by adding the following to the web app, as described here: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization You have to do it via the command line. You cannot set it in the portal.
"httpSettings": {
"forwardProxy": {
"convention": "Standard"
}
}
In my Front Door route maps I routed the traffic to a subfolder of the web app; this I had to remove, as the requests ended in an endless 302 loop.
Now it works.
Upvotes: 0
Reputation: 755
For me, changing the auth settings for the Azure Web App worked. First:
"httpSettings": {
"forwardProxy": {
"convention": "Standard"
}
}
By default, I had "NoProxy" there.
Second:
"validation": {
"defaultAuthorizationPolicy": {
"allowedPrincipals": {}
},
"allowedAudiences": [
"https://<my-url>.z01.azurefd.net",
"https://<my-app-url>.azurewebsites.net"
]
}
I had to add this "allowedAudiences" with the URLs of Front Door and the original URL of the web app. And the last:
"login": {
"allowedExternalRedirectUrls": [
"https://<my-url>.z01.azurefd.net/.auth/login/aad/callback"
]
}
Here I had to add the Front Door callback URL "https://<my-url>.z01.azurefd.net/.auth/login/aad/callback".
Then it started to work. You can download the file by executing:
az rest --uri /subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01 --method get > auth.json
Update it accordingly and then upload it by executing:
az rest --uri /subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01 --method put --body @auth.json
Upvotes: 0
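The three edits in the answer above (forwardProxy convention, allowedAudiences, allowedExternalRedirectUrls) are easy to get wrong by hand in a large authsettingsV2 document. The script below is an added example, not code from the answer or from Azure: it applies those edits idempotently to the JSON that `az rest ... --method get` returns, so the result can be PUT straight back. The nesting it assumes (validation under identityProviders.azureActiveDirectory, login and httpSettings under properties) matches the authsettingsV2 resource; the sample document and hostnames are constructed placeholders.

```python
"""Patch an App Service authsettingsV2 document for use behind Front Door.

Added example; not Azure code. Applies the three changes idempotently so the
script can be re-run safely, then the file is uploaded with az rest --method put.
"""
import copy
import json
import sys

CALLBACK_PATH = "/.auth/login/aad/callback"


def patch_authsettings(doc, frontdoor_host, app_host):
    """Mutate and return doc with the Front Door-aware settings applied."""
    # az rest returns the ARM resource wrapper; the file-based config has no "properties".
    props = doc.get("properties", doc)

    # 1. Build redirect host/scheme from the X-Forwarded-* headers Front Door sets.
    props.setdefault("httpSettings", {}).setdefault("forwardProxy", {})["convention"] = "Standard"

    # 2. Accept tokens issued for either hostname (assumed nesting under azureActiveDirectory).
    aad = props.setdefault("identityProviders", {}).setdefault("azureActiveDirectory", {})
    audiences = aad.setdefault("validation", {}).setdefault("allowedAudiences", [])
    for aud in (f"https://{frontdoor_host}", f"https://{app_host}"):
        if aud not in audiences:
            audiences.append(aud)

    # 3. Allow the post-login redirect to land on the Front Door hostname.
    redirects = props.setdefault("login", {}).setdefault("allowedExternalRedirectUrls", [])
    fd_callback = f"https://{frontdoor_host}{CALLBACK_PATH}"
    if fd_callback not in redirects:
        redirects.append(fd_callback)
    return doc


# Constructed, trimmed sample of what `az rest --method get` returns (placeholder IDs).
SAMPLE = {
    "name": "authsettingsV2",
    "properties": {
        "platform": {"enabled": True},
        "globalValidation": {"requireAuthentication": True,
                             "unauthenticatedClientAction": "RedirectToLoginPage"},
        "identityProviders": {
            "azureActiveDirectory": {
                "enabled": True,
                "registration": {"clientId": "00000000-0000-0000-0000-000000000000"},
                "validation": {"allowedAudiences": ["api://00000000-0000-0000-0000-000000000000"]},
            }
        },
        "login": {"tokenStore": {"enabled": True}},
        "httpSettings": {"requireHttps": True, "forwardProxy": {"convention": "NoProxy"}},
    },
}


def patched_sample(frontdoor_host, app_host):
    """Patch a copy of SAMPLE; handy for inspecting the result without a real file."""
    return patch_authsettings(copy.deepcopy(SAMPLE), frontdoor_host, app_host)


def main(argv):
    """Usage: python patch_auth.py auth.json <frontdoor-host> <app-host>"""
    if len(argv) != 4:
        # No file given: show the patched constructed sample instead.
        print(json.dumps(patched_sample("frontdoor.example.com", "myapp.azurewebsites.net"), indent=2))
        return
    path, fd_host, app_host = argv[1:4]
    with open(path) as f:
        doc = json.load(f)
    patch_authsettings(doc, fd_host, app_host)
    with open(path, "w") as f:
        json.dump(doc, f, indent=2)


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the auth.json downloaded with the `az rest --method get` command above, then upload with the `--method put --body @auth.json` command. Check the result before uploading: the convention must read "Standard" and the existing allowedAudiences entries (such as an api:// identifier) must still be present, since the script appends rather than replaces.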
Reputation: 581
Instead of the built-in Azure AD authentication in Azure App Service, I used custom Azure AD authentication in my .NET Core app by following this Stack Overflow answer:
Authentication with Azure AD redirect_uri is incorrect using FrontDoor
I wrote an article on the same topic; refer to it here:
https://www.lkgforit.com/2022/10/how-to-setup-azure-front-door-for.html
Upvotes: 0
Reputation: 429
In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.
TXT asuid.frontdoor.example.com. <verification id>
To ensure Front Door forwards the request Host header, the "Origin host header" field in your Origin configuration must be blank.
Then, when Front Door forwards the request Host header (Host: frontdoor.example.com), the App Service will recognize it and the Azure AD authentication will use it for the redirection.
Upvotes: 1
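The two fixes in this thread (setting forwardProxy to "Standard" in the earlier answer, and leaving the origin host header blank plus binding the custom domain in the answer above) address the same symptom by different routes. The following is an added example, not code from the thread or from Azure: a small model of the documented header behaviour, showing which redirect_uri the built-in authentication would derive under each combination and whether it matches the app registration. The hostnames, the registered redirect URI, and the 404 for an unbound hostname are assumptions of the model.

```python
"""Model of how App Service built-in auth derives redirect_uri behind Front Door.

Added example; constructed from the documented behaviour, not Azure's code.
Front Door: forwards the client's Host unchanged when "Origin host header" is
blank, rewrites it otherwise, and always sets X-Forwarded-Host/X-Forwarded-Proto.
App Service auth: forwardProxy "NoProxy" (default) uses Host; "Standard" uses
the X-Forwarded-* headers. A Host not bound to the app is answered with 404.
"""

APP_HOST = "myapp.azurewebsites.net"   # assumed App Service default hostname
FD_HOST = "frontdoor.example.com"      # assumed Front Door custom domain
CALLBACK = "/.auth/login/aad/callback"


def front_door_forward(client_headers, origin_host_header=None):
    """Headers as Front Door sends them to the origin."""
    h = dict(client_headers)
    h["X-Forwarded-Host"] = client_headers["Host"]
    h["X-Forwarded-Proto"] = "https"
    if origin_host_header:
        h["Host"] = origin_host_header   # origin host header field set: Host rewritten
    return h


def easyauth_redirect_uri(headers, convention, bound_hostnames):
    """redirect_uri the built-in auth puts into the AAD login request."""
    if headers["Host"] not in bound_hostnames:
        raise LookupError(f"404: {headers['Host']} is not a hostname of this app")
    if convention == "NoProxy":
        proto, host = "https", headers["Host"]
    elif convention == "Standard":
        proto = headers.get("X-Forwarded-Proto", "https")
        host = headers.get("X-Forwarded-Host", headers["Host"])
    else:
        raise ValueError(f"unsupported convention {convention!r}")
    return f"{proto}://{host}{CALLBACK}"


def login_outcome(origin_host_header, convention, bound_hostnames, registered_redirects):
    """'ok' if AAD would accept the redirect_uri, otherwise why the login fails."""
    headers = front_door_forward({"Host": FD_HOST}, origin_host_header)
    try:
        uri = easyauth_redirect_uri(headers, convention, bound_hostnames)
    except LookupError as e:
        return str(e)
    if uri in registered_redirects:
        return "ok"
    return f"redirect_uri mismatch: {uri} is not registered"


def scenarios():
    """The configurations discussed in the thread, against an app registration
    whose only redirect URI is the Front Door callback (as in the question)."""
    registered = {f"https://{FD_HOST}{CALLBACK}"}
    return {
        # Front Door rewrites Host to the origin; auth trusts Host only (the question's setup).
        "rewrite_host+NoProxy": login_outcome(APP_HOST, "NoProxy", {APP_HOST}, registered),
        # Same origin setting, but auth reads X-Forwarded-Host (forwardProxy "Standard").
        "rewrite_host+Standard": login_outcome(APP_HOST, "Standard", {APP_HOST}, registered),
        # Host forwarded as-is, but the custom domain is not bound to the app.
        "forward_host+unbound": login_outcome(None, "NoProxy", {APP_HOST}, registered),
        # Host forwarded as-is and the custom domain is bound (asuid TXT verified).
        "forward_host+bound": login_outcome(None, "NoProxy", {APP_HOST, FD_HOST}, registered),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

One caveat when choosing the "Standard" convention: the redirect host is then taken from X-Forwarded-Host, which is trusted from anyone who can reach the origin directly, so pair it with access restrictions that only admit Front Door traffic (for Azure Front Door, the AzureFrontDoor.Backend service tag plus a check of the X-Azure-FDID header).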
Reputation: 733
It seems you have misconfigured the redirect URI in your App Service registration in Azure AD; that is where you specify the redirect_uri. It has nothing to do with the App Service or the Front Door itself.
Upvotes: 0