Reputation: 195
I have a web service that uses our identity server to log in. On successful login, we are redirected (302) to the POST method on /signin-oidc with the claims.

APIM has a URL myapp.azure-api.net that is routed to a backend URL myapp.srv.internal. The backend URL points directly to the web service internally.

When accessing the web service directly, it goes through nginx and everything works properly.

When accessing it from the APIM URL, the redirect to the signin-oidc endpoint from the identity server loses the crucial headers that set cookies on the response, and it goes into a loop. [Note: the set-cookie header is broken into two chunks because it is large.]
My nginx annotations that serve the web service when it is accessed directly:

    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-methods: "*"
    nginx.ingress.kubernetes.io/cors-allow-headers: "*"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    cert-manager.io/issuer: web
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
My APIM policies:

    <inbound>
        <base />
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>https://myapp.azure-api.net</origin>
                <origin>https://myfrontdoor-url.com</origin>
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
                <method>HEAD</method>
                <method>OPTIONS</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <set-header name="X-Forwarded-Proto" exists-action="override">
            <value>https</value>
        </set-header>
    </inbound>
    <!-- Control if and how the requests are forwarded to services -->
    <backend>
        <forward-request follow-redirects="false" buffer-response="true" />
    </backend>
    <!-- Customize the responses -->
    <outbound>
        <base />
        <set-header name="Cache-Control" exists-action="override">
            <value>no-cache;no-store</value>
        </set-header>
    </outbound>
    <!-- Handle exceptions and customize error responses -->
    <on-error>
        <base />
    </on-error>
Response headers when accessing directly (this works):

    access-control-allow-credentials: true
    access-control-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization
    access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
    access-control-allow-origin: *
    access-control-max-age: 1728000
    cache-control: no-cache,no-store
    content-length: 0
    date: Thu, 27 Feb 2025 23:30:35 GMT
    expires: Thu, 01 Jan 1970 00:00:00 GMT
    location: /
    pragma: no-cache
    set-cookie: .AspNetCore.Correlation.OJC1nD9xx9TE5BFj9j8R_3an0VIcBtXNlTUykdLm4k0=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
    set-cookie: .AspNetCore.OpenIdConnect.Nonce.hash=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
    set-cookie: .AspNetCore.Cookies=chunks-2; path=/; secure; samesite=none; httponly
    set-cookie: .AspNetCore.CookiesC1=hash1; path=/; secure; samesite=none; httponly
    set-cookie: .AspNetCore.CookiesC2=hash2
Response headers when going through APIM:

    access-control-allow-origin: *
    access-control-expose-headers: Authorization
    cache-control: no-cache;no-store
    chak: mujis
    content-length: 0
    date: Fri, 28 Feb 2025 23:38:09 GMT
    expires: Thu, 01 Jan 1970 00:00:00 GMT
    location: /
    pragma: no-cache
    set-cookie: .AspNetCore.Correlation.RrRlw19ENOqCXyS7wbciglg7fIZ0Zo31USaYHX81f9E=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
    set-cookie: .AspNetCore.OpenIdConnect.Nonce.noncehash; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
    set-cookie: .AspNetCore.Cookies=chunks-2; path=/; secure; samesite=none; httponly
    set-cookie: ASLBSA=00031beafc921ba8ae7f90d13efbf6c9d220f7ae97f452680d26f3e179a67cf3ebfd; Path=/; Secure; HttpOnly;
    set-cookie: ASLBSACORS=00031beafc921ba8ae7f90d13efbf6c9d220f7ae97f452680d26f3e179a67cf3ebfd; SameSite=none; Path=/; Secure; HttpOnly;
    x-azure-ref: 20250228T233809Z-17b7757fd454dsd9hC1SJCh5xc0000000nk0000000008f1v
    x-cache: CONFIG_NOCACHE
Upvotes: 0
Views: 13
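The two header dumps in the question can be compared mechanically. ASP.NET Core's ChunkingCookieManager writes a large auth cookie as a marker cookie whose value is `chunks-N`, followed by `<name>C1` ... `<name>CN` carrying the actual payload; if any chunk is dropped by an intermediary, the browser sends back an incomplete cookie, the auth handler treats the user as unauthenticated, and the OIDC challenge repeats, which is exactly the loop described. The diagnostic below is an added example, not code from the post, Azure API Management or nginx. The header samples are constructed from the question's two dumps (long values shortened), and the function names `parse_set_cookies`, `missing_chunks` and `lost_cookies` are hypothetical helpers for this example.

```python
"""Diagnose Set-Cookie loss across a proxy hop for ASP.NET Core chunked cookies."""
import re
from typing import Dict, List

# Constructed sample input: the "direct" dump from the question (values shortened).
DIRECT_HEADERS = """\
location: /
set-cookie: .AspNetCore.Correlation.OJC1nD=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
set-cookie: .AspNetCore.OpenIdConnect.Nonce.hash=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
set-cookie: .AspNetCore.Cookies=chunks-2; path=/; secure; samesite=none; httponly
set-cookie: .AspNetCore.CookiesC1=hash1; path=/; secure; samesite=none; httponly
set-cookie: .AspNetCore.CookiesC2=hash2
"""

# Constructed sample input: the "through APIM" dump from the question (values shortened).
APIM_HEADERS = """\
location: /
set-cookie: .AspNetCore.Correlation.RrRlw1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
set-cookie: .AspNetCore.OpenIdConnect.Nonce.noncehash; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; secure; samesite=none; httponly
set-cookie: .AspNetCore.Cookies=chunks-2; path=/; secure; samesite=none; httponly
set-cookie: ASLBSA=00031bea; Path=/; Secure; HttpOnly;
set-cookie: ASLBSACORS=00031bea; SameSite=none; Path=/; Secure; HttpOnly;
x-cache: CONFIG_NOCACHE
"""

CHUNK_MARKER = re.compile(r"^chunks-(\d+)$")

# Cookie names that carry a per-request suffix; normalised so two captures can be diffed.
PER_REQUEST_PREFIXES = (".AspNetCore.Correlation.", ".AspNetCore.OpenIdConnect.Nonce.")


def parse_set_cookies(raw: str) -> Dict[str, dict]:
    """Return {cookie_name: {"value": str, "attrs": {attr: value|True}}} from a header dump."""
    cookies: Dict[str, dict] = {}
    for line in raw.splitlines():
        key, sep, rest = line.partition(":")
        if not sep or key.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.strip().split(";")]
        name, _, value = parts[0].partition("=")
        attrs: Dict[str, object] = {}
        for attr in parts[1:]:
            if not attr:  # trailing ';' produces an empty part
                continue
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip().lower() or True
        cookies[name.strip()] = {"value": value, "attrs": attrs}
    return cookies


def missing_chunks(cookies: Dict[str, dict]) -> List[str]:
    """For every 'chunks-N' marker cookie, list the <name>C1..CN chunks that are absent."""
    missing: List[str] = []
    for name, cookie in cookies.items():
        m = CHUNK_MARKER.match(cookie["value"])
        if not m:
            continue
        for i in range(1, int(m.group(1)) + 1):
            chunk = f"{name}C{i}"
            if chunk not in cookies:
                missing.append(chunk)
    return missing


def _normalise(name: str) -> str:
    for prefix in PER_REQUEST_PREFIXES:
        if name.startswith(prefix):
            return prefix + "*"
    return name


def lost_cookies(direct_raw: str, proxied_raw: str) -> List[str]:
    """Cookie names set on the direct path that never reach the client via the proxy."""
    direct = {_normalise(n) for n in parse_set_cookies(direct_raw)}
    proxied = {_normalise(n) for n in parse_set_cookies(proxied_raw)}
    return sorted(direct - proxied)


if __name__ == "__main__":
    print("chunks missing via APIM:", missing_chunks(parse_set_cookies(APIM_HEADERS)))
    print("cookies lost via APIM:  ", lost_cookies(DIRECT_HEADERS, APIM_HEADERS))
```

Run against the question's dumps this reports `.AspNetCore.CookiesC1` and `.AspNetCore.CookiesC2` as missing: the marker cookie arrives but its payload chunks do not, so the auth cookie the browser reassembles is empty. To reproduce outside this script, capture both responses with `curl -sS -D - -o /dev/null` and feed the two header blocks to `lost_cookies`; the first thing to verify is which hop (APIM, Front Door, or nginx) last emitted the chunk cookies.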