Publish an App Service with Azure AD authentication on Azure Application Gateway

James Dumont le Douarec 36 Reputation points MVP
2020-10-03T13:34:39.99+00:00

Hello,

I did raise a Microsoft ticket to publish my App Service with Azure AD authentication, and the solution proposed was to configure my custom domain on my App Service. This solution works and doesn't need URL rewrite, but I'm not comfortable with it.

I would have preferred to keep the public custom domain, certificate and DNS stuff fully managed on the Application Gateway, which could then be managed by a unique Cyber Security team, for example. The App Service could then be fully managed by an App team which doesn't have to take care of the company custom domains, DNS and certificate management.

I tried the solution explained here; it consists in using Application Gateway URL rewrite. The redirection and the Azure AD authentication work, but my App Service displays the following error. Here is the script I used to publish my App Service with the URL rewrite.

The error on the App Service:
Call to HTTP endpoint https://login.windows.net/79b44d42-bab4-49b3-9bbc-cf05592953a0/oauth2/token
failed: 400 (Bad Request). Partial response: {"error":"invalid_client","error_description":"AADSTS500112:
The reply address 'https://dev-myapp1-apiapp1.azurewebsites.net:443/.auth/login/aad/callback'
does not match the reply address 'https://myapp1-api-dev.dld23.com/.auth/login/aad/callback' provided when requesting Authorization code.

Thank you for your help,
Jamesdld


6 answers

  1. Rohit Kumar 1 Reputation point
    2020-10-03T18:33:36.983+00:00

    Looking at the error message, it seems the configured reply address on the App registration in Azure AD does not match the address where the response is coming back to. You can configure multiple reply addresses, so add both the URLs (in the error) to your app registration in Azure AD.


  2. Tarjei Ylvisåker 56 Reputation points
    2020-10-21T12:49:45.407+00:00

    Hi @Anonymous , just curious if you got this to work?

    Any tips in addition to the guide mentioned (https://blog.gaikovoi.dev/2020/04/azure-application-gateway-http-headers.html) to make it work?

    Thanks!


  3. Wijaya, Andreas 1 Reputation point
    2020-10-21T14:20:59.947+00:00

    I am having the same issue. Would love to know if this can be solved.

    I read here it might be something to do with the client secret

    https://stackoverflow.com/questions/47789655/azure-web-app-easyauth-callback-throws-error

    But I will have to check tomorrow with the infra team to compare.


  4. James Dumont le Douarec 36 Reputation points MVP
    2020-11-09T13:40:01.227+00:00

    Hi everyone,

    I just discussed with Dimitri about his blog; our use cases are different, but I really thank him for his time.
    To summarize -->

    "For App Services that require Azure App Service built-in authentication and authorization, the solution consists in declaring your custom domain in the App Service and configuring the Application Gateway HTTP setting without overriding “with new host name”."

    Also please find here "Publish Services with Azure Application Gateway" a blog post that demonstrates how to publish Web Sites with a common script.

    Regards,
    Jamesdld


  5. Perttu 1 Reputation point
    2020-12-03T15:41:37.48+00:00

    Hi,

    I think I ran into this issue today with my application trying to authenticate against AAD using OIDC.

    Here is what happens in my case:

    1. My app redirects the user to AAD, providing a redirect URI HTTPS://my.domain:443/app
    2. User authenticates and is redirected back with authorization code, all good so far
    3. The app calls AAD token endpoint, providing the code and the same redirect URI
    4. AAD refuses the call with error AADSTS500112: The reply address 'HTTPS://my.domain:443/app' does not match the reply address 'HTTPS://my.domain/app' provided when requesting Authorization code.

    If I manually call the token endpoint, removing the port number from the redirect URI, it works.

    So it seems to me AAD modifies the stored redirect URI between the authentication and token steps, removing the port number 443 from it.

    This is clearly not desired behavior, as the port number is part of the redirect URI.

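Both mismatches in this thread (the host mismatch in the original question, where the App Service builds its callback from the azurewebsites.net name the gateway overrode the Host header with, and Perttu's port mismatch, where ":443" is present in one request and absent in the other) come down to the redirect_uri sent to the token endpoint not being identical to the one sent to the authorize endpoint. The Python below is an added example, not code from any poster or from Microsoft: it normalizes the redirect URI once (RFC 3986 default-port rule) so both requests carry the same string, and derives it from forwarded proxy headers; the header names X-Forwarded-Host and X-Forwarded-Proto are an assumption here, not taken from the thread.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports that RFC 3986 section 6.2.3 says may be omitted.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_redirect_uri(uri: str) -> str:
    """Lower-case scheme and host and drop the scheme's default port, so
    'HTTPS://my.domain:443/app' and 'https://my.domain/app' compare equal.
    Use the result for BOTH the authorize and the token request."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when no explicit port was given
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"  # non-default port is significant, keep it
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def reply_addresses_match(sent_in_authorize: str, sent_in_token: str) -> bool:
    """True when the two values are the same URI after normalization."""
    return normalize_redirect_uri(sent_in_authorize) == normalize_redirect_uri(sent_in_token)


def callback_url_from_headers(headers: dict, callback_path: str) -> str:
    """Build the callback URL an app behind a reverse proxy should register
    and send. Prefers the forwarded public host/scheme over the Host header,
    which a gateway may have rewritten to the backend's own name.
    Header names are assumed generic reverse-proxy conventions (constructed)."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "https").split(",")[0].strip()
    host = h.get("x-forwarded-host", h.get("host", "")).split(",")[0].strip()
    return normalize_redirect_uri(f"{scheme}://{host}{callback_path}")


if __name__ == "__main__":
    # Constructed sample: what the App Service sees vs. the public name.
    backend_headers = {
        "Host": "dev-myapp1-apiapp1.azurewebsites.net",
        "X-Forwarded-Host": "myapp1-api-dev.dld23.com",
        "X-Forwarded-Proto": "https",
    }
    print(callback_url_from_headers(backend_headers, "/.auth/login/aad/callback"))
    print(reply_addresses_match("HTTPS://my.domain:443/app", "https://my.domain/app"))
```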