Evandro Pomatti

Reputation: 15174

Front Door + App Service with built-in authentication not working

I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.

My setup is:

  1. An App Service "myapp.azurewebsites.com" with built-in authentication.
  2. App Registration "app-auth" as auth provider.
  3. I have "app-auth" configured in my App Service for automatic authentication via Provider.
  4. Front Door "frontdoor.example.com" forwards requests to my App Service.

My App Registration "app-auth" has a redirect URL assigned with the Front Door public name, for example "frontdoor.example.com".

Problems I'm having:

Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?

Upvotes: 3

Views: 3057

Answers (5)

Tobi

Reputation: 161

I found an article describing a solution. https://vincentlauzon.com/2019/07/17/azure-app-service-authentication-with-azure-front-door/

I used self-signed SSL certificates. That works fine. Don't forget the "extendedKeyUsage=serverAuth".

openssl genrsa -out key.pem 2048
openssl req -x509 -new -days 1096 -key key.pem -out my.cer -addext "extendedKeyUsage=serverAuth" 
openssl pkcs12 -export -inkey key.pem -in ./my.cer -out certificate.pfx

I had to adapt the solution by adding the following to the web app, as described here: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization. You have to do it via the command line. You cannot set it in the portal.

"httpSettings": {
  "forwardProxy": {
    "convention": "Standard"
  }
}

In my Front Door route maps I routed the traffic to a subfolder of the web app. This I had to remove, as the requests ended in an endless 302 loop. Now it works.

Upvotes: 0

Adrian Stanisławski

Reputation: 755

For me, changing the auth settings for the Azure Web App worked. First:

"httpSettings": {
  "forwardProxy": {
    "convention": "Standard"
  }
}

By default, I had there "NoProxy".

Second:

"validation": {
  "defaultAuthorizationPolicy": {
    "allowedPrincipals": {}
  },
  "allowedAudiences": [
    "https://<my-url>.z01.azurefd.net",
    "https://<my-app-url>.azurewebsites.net"
  ]
}

I had to add this "allowedAudiences" with the URLs of the Front Door and the original URL of the web app. And the last:

"login": {
  "allowedExternalRedirectUrls": [

I had to add

https://<my-url>.z01.azurefd.net/.auth/login/aad/callback

Then it started to work. You can download the file by executing:

az rest --uri "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01" --method get > auth.json

Update it accordingly and then upload it by executing:

az rest --uri "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01" --method put --body @auth.json

Upvotes: 0
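
The three edits described in the answer above, applied to a downloaded auth.json, as an added example that is not part of the original answer. The nesting of the fragments under `properties` and `identityProviders.azureActiveDirectory`, the function name `patch_for_front_door` and the sample host names are assumptions.

```python
import copy

# Constructed sample of an authsettingsV2 GET response (not from a real app).
# Assumed nesting: the answer shows only the fragments, not their parents.
SAMPLE = {
    "properties": {
        "httpSettings": {"forwardProxy": {"convention": "NoProxy"}},
        "identityProviders": {
            "azureActiveDirectory": {
                "validation": {
                    "defaultAuthorizationPolicy": {"allowedPrincipals": {}},
                    "allowedAudiences": ["https://myapp.azurewebsites.net"],
                }
            }
        },
        "login": {},
    }
}


def _add_unique(items, value):
    """Append value only if absent, so re-running the patch is idempotent."""
    if value not in items:
        items.append(value)


def patch_for_front_door(settings, front_door_host, app_host):
    """Return a copy of settings with the three changes from the answer applied."""
    for host in (front_door_host, app_host):
        # Exact host names only: a wildcard, scheme or path would widen trust.
        if not host or any(c in host for c in "*/:@ "):
            raise ValueError(f"not a plain host name: {host!r}")
    out = copy.deepcopy(settings)
    props = out.setdefault("properties", {})
    # 1. Switch the forward-proxy convention from "NoProxy" to "Standard".
    props.setdefault("httpSettings", {}).setdefault("forwardProxy", {})["convention"] = "Standard"
    # 2. Accept both public URLs as token audiences.
    validation = (props.setdefault("identityProviders", {})
                  .setdefault("azureActiveDirectory", {})
                  .setdefault("validation", {}))
    audiences = validation.setdefault("allowedAudiences", [])
    for host in (front_door_host, app_host):
        _add_unique(audiences, f"https://{host}")
    # 3. Allow the Front Door callback as an external redirect target.
    redirects = props.setdefault("login", {}).setdefault("allowedExternalRedirectUrls", [])
    _add_unique(redirects, f"https://{front_door_host}/.auth/login/aad/callback")
    return out
```
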

Sanjeevi Subramani

Reputation: 581

Instead of the inbuilt Azure AD authentication in Azure App Service, I used custom Azure AD authentication in my .NET Core app by following this Stack Overflow answer:

Authentication with Azure AD redirect_uri is incorrect using FrontDoor

I wrote an article on the same; refer to it here:

https://www.lkgforit.com/2022/10/how-to-setup-azure-front-door-for.html

Upvotes: 0

Stan Janssen

Reputation: 429

In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.

  • Go to your App Service
  • Go to Custom Domains
  • Copy the Custom Domain Verification ID
  • Add a new DNS TXT record with the copied value: TXT asuid.frontdoor.example.com. <verification id>

App Service Custom Domain Verification ID (image)

To ensure Front Door forwards the request Host Header, the Origin host header field in your Origin configuration must be blank.

Then, when Front Door forwards the request Host header (Host: frontdoor.example.com), the App Service will recognize it and the Azure AD authentication will use it for redirection.

Upvotes: 1

Matt Douhan

Reputation: 733

It seems you have misconfigured the redirect URI in your App Service registration in Azure AD. That is where you specify the redirect_URI; it has nothing to do with the App Service or the Front Door itself.

Upvotes: 0
