Change redirect_uri for app service web app with AAD authentication

Svetoslav Vasilev 1 Reputation point
2021-01-27T14:28:20.56+00:00

Hi, we struggle with the following challenge at a client:

  • app service web app had to get AAD security enabled. This in order to improve security for APIs that are hosted in it.
  • when accessing from the public URL it nicely asks for login, yet once login is successful it redirects back to the internal URL.
  • this is unacceptable as the API clients see only the public API. This imposes challenges on displaying the OpenAPI/swagger documentation.

We tried many options yet nothing seems to work:

  • configured custom domain with certificate, etc. - still the redirect_uri contains the internal URL. This was done with the already existing AD service identity
  • tried removing the internal URL from Redirect URLs and leaving only the public one, still the internal one appears. But then we get an error saying that the redirect URL does not match the URLs that are specified in the app service - error AADSTS50011.
  • Played a bit with the allowed redirect URLs setting in the app service, no visible difference
  • removed then the AD service identity, cleared the configuration in the app service, created a new identity from scratch (not through the Authentication blade in app service). Made sure that the Application URL and the Redirect URL both point to the public domain. Re-run the test, still the redirect_uri contains the internal URL.

So far we have exhausted all possible ways we could think of.

Here are the specifics of the setup, as it is slightly different from what we find as descriptions in blogs/forums:

  • Public/custom domain (apix.blabla.com) is registered in DNS as CNAME record. It resolves to the public IP of an on-prem load balancer/reverse proxy
  • The internal address is registered in the DNS as a record for resolving only internally. It is mapped against the internal IP address of the app service.
  • The balancer rewrites the request URL from public (https://apix.blabla.com/path/to/service/swagger) to the internal address (https://my-app-srvice.ilb.env.blabla.com/swagger). It then forwards the request to it. It seems that there are no other modifications to the request (headers, etc.)
  • The request then reaches the app service through an express route.
  • The app service runs on an ASE that is configured with a VNet that is only visible from the on-prem net, hence no public access to it.

Any help on that matter is highly appreciated!

Thanks, Svetoslav


1 answer

  1. Alfredo Revilla (Personal Account) 391 Reputation points
    2021-01-27T17:00:36.147+00:00

    Hello, below is the problem. Azure AD authentication will build the redirect uri using the request host name. You need to find a way or switch to call the public host name. Additionally you might try using Azure Frontdoor.

    • The balancer rewrites the request URL from public to the internal address. It then forwards the request to it.

    @MarileeTurscak

    1 person found this answer helpful.
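To illustrate the point in the answer, here is an added example (not code from the question, the answer, or App Service itself) that models how an auth layer derives redirect_uri from the request host, why a balancer that rewrites Host to the internal name produces the internal redirect_uri, and why the exact-match check behind AADSTS50011 then fails. The trusted-proxy address and the use of X-Forwarded-Host are assumptions for the illustration; the hostnames are those from the question.

```python
# Constructed illustration of redirect_uri derivation behind a rewriting proxy.
# Not App Service's implementation; it shows the general pattern only.

PUBLIC_HOST = "apix.blabla.com"                      # public host from the question
INTERNAL_HOST = "my-app-srvice.ilb.env.blabla.com"   # internal host from the question
CALLBACK_PATH = "/.auth/login/aad/callback"          # App Service AAD callback path
TRUSTED_PROXIES = {"10.0.0.5"}                       # assumed balancer source address

# Redirect URIs registered on the app registration: an exact-match allowlist.
REGISTERED_REDIRECT_URIS = {f"https://{PUBLIC_HOST}{CALLBACK_PATH}"}


def build_redirect_uri(headers: dict, client_ip: str) -> str:
    """Derive redirect_uri from the request. X-Forwarded-Host is honoured only
    when the request arrives from a trusted proxy, so an arbitrary client cannot
    steer the redirect to a host of its own choosing."""
    host = headers.get("Host", "")
    if client_ip in TRUSTED_PROXIES and headers.get("X-Forwarded-Host"):
        host = headers["X-Forwarded-Host"].split(",")[0].strip()
    return f"https://{host}{CALLBACK_PATH}"


def is_registered(redirect_uri: str) -> bool:
    """Exact string comparison, as AADSTS50011 implies: no prefix or wildcard."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def simulate(forward_host: bool, client_ip: str = "10.0.0.5"):
    """Model the balancer: it always rewrites Host to the internal name and,
    optionally, also carries the original public host in X-Forwarded-Host."""
    headers = {"Host": INTERNAL_HOST}
    if forward_host:
        headers["X-Forwarded-Host"] = PUBLIC_HOST
    uri = build_redirect_uri(headers, client_ip)
    return uri, is_registered(uri)


if __name__ == "__main__":
    for forward in (False, True):
        uri, ok = simulate(forward)
        print(f"forward_host={forward}: redirect_uri={uri} registered={ok}")
```

The first case reproduces the symptom in the question (internal redirect_uri, rejected by the allowlist); the second shows the outcome once the public host reaches the app from the trusted proxy.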