Front Door + App Service with built-in authentication not working

Question

I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.

My setup is:

1. An App Service "myapp.azurewebsites.com" with built-in authentication.
2. App Registration "app-auth" as auth provider.
3. I have "app-auth" configured in my App Service for automatic authentication via Provider.
4. Front Door "frontdoor.example.com" forwards requests to my App Service.

My App Registration "app-auth" has a redirect URL assigned the Front Door public name example "frontdoor.example.com".

Problems I'm having:

• App Service keeps sending it's own name "myapp.azurewebsites.com" as request_uri query string login in to Azure Active Directory. It must send the Front Door URL.
  
• Setting up "frontdoor.example.com" host header in Front Door fails, as it requires it to match the App Service name.

Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?

Answer 1

I found an article describing a solution. https://vincentlauzon.com/2019/07/17/azure-app-service-authentication-with-azure-front-door/

I used self signed ssl certificates. That works fine. Don't forget the "extendedKeyUsage=serverAuth"

openssl genrsa -out key.pem 2048
openssl req -x509 -new -days 1096 -key key.pem -out my.cer -addext "extendedKeyUsage=serverAuth" 
openssl pkcs12 -export -inkey key.pem -in ./my.cer -out certificate.pfx

I had to adapt the solution by adding to the webapp as described here: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization You have to do it via the command line. You cannot set it in the portal.

"httpSettings": {
  "forwardProxy": {
    "convention": "Standard"
  }
}

In my front door route mapsI routed the traffic to a subfolder of the web app, this I had to remove as the requests ended in an endless 302 Loop. Now it works.

Answer 2

For me worked changing the auth settings for the Azure Web app. First:

"httpSettings": {
  "forwardProxy": {
    "convention": "Standard"

By default, I had there "NoProxy".

Second:

"validation": {
      "defaultAuthorizationPolicy": {
        "allowedPrincipals": {}
      },
      "allowedAudiences": ["https://<my-url>.z01.azurefd.net",
                    "https://<my-app-url>.azurewebsites.net"]

I had to add this "allowedAudiences" with urls to frontdoor and original url of the web app. And the last:

"login": {
  "allowedExternalRedirectUrls": [

I had to add

https://<my-url>.z01.azurefd.net/.auth/login/aad/callback

Then it started to work. You can download the file by executing:

az rest --uri /subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01 --method get

Update it accordingly and the upload by executing

az rest --uri /subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01 --method put --body @auth.json

Answer 3

Instead of inbuilt Azure AD authentication in Azure App service i used custom Azure AD authentication in my dotnet core app by following this stackoverflow answer:

Authentication with Azure AD redirect_uri is incorrect using FrontDoor

I wrote an article on the same refer it here:

https://www.lkgforit.com/2022/10/how-to-setup-azure-front-door-for.html

Answer 4

In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.

• Go to your App Service
• Go to Custom Domains
• Copy the Custom Domain Verification ID
• Add a new DNS TXT record with the copied value: TXT asuid.frontdoor.example.com. <verification id>

To ensure Front Door forwards the request Host Header, the Origin host header field in your Origin configuration must be blank.

Then, when Front Door forwards the request Host Header (Host: frontdoor.example.com) the App Service will recognize it and the Azure AD authentication will use it as for redirection.

Answer 5

it seems you have misconfigured the redirect URI in your APP service registration in Azure AD, that is where you specify the redirect_URI, it has nothing to do with the app service or the front door itself.