AAD B2C: Work with Azure Front Door

Carol Lai 521 Reputation points
2021-07-20T21:50:13.953+00:00

I have configured Azure Front Door to work with the app service. Then I added the AAD B2C login by using the custom policy. AAD B2C doesn't work with Azure Front Door because the return URI still points to the app service, as follows:

https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/b2c_1a_signin_only/oauth2/v2.0/authorize?client_id=c1f576c3-d0da-4752-b925-78fc186a29e5&redirect_uri=https%3A%2F%2F<app-name>.azurewebsites.net%2FManagement%2F&response_type=......

instead of the Azure Front Door address <Front Door host>.azurefd.net or our custom domain, which directs to <Front Door Host>.azurefd.net.

I have added the <Front Door host>.azurefd.net and custom domain as the redirect URIs under the authentication for the app registration on AAD B2C.

I have also tried blanking out the Backend host header in Backend pools. The return URI still points to the app service, which is blocked from direct access.

How do I make AAD B2C return to Azure Front Door instead of the app service?


Accepted answer
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2021-07-23T19:56:26.6+00:00

A similar issue was reported to the B2C team.

One resolution was to remove the default host header in Azure Front Door backend pool. If your requests have x-forwarded-for headers, you can try disabling that with:

options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;

For the full troubleshooting, see: https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers

And: https://github.com/AzureAD/microsoft-identity-web/issues/1076
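The one-line setting in the answer works because ASP.NET Core builds the OpenID Connect redirect_uri from Request.Host and Request.Scheme, and the forwarded-headers middleware overwrites those from the X-Forwarded-Host / X-Forwarded-Proto values that Front Door adds. Trusting those headers from any client, however, lets a spoofed X-Forwarded-Host steer the redirect somewhere else. The following ASP.NET Core Program.cs is an added example, not code from the answer or from the microsoft-identity-web project; it assumes the minimal hosting model, a configuration section named "AzureAdB2C" for the B2C registration, a configuration key "FrontDoor:Id" holding your Front Door instance ID, and placeholder hostnames taken from the question.

```csharp
// Added example: trust forwarded host/scheme only from Front Door so the
// B2C redirect_uri is rebuilt with the Front Door hostname, not the
// azurewebsites.net backend hostname.
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Same setting as in the answer: take host and scheme from Front Door,
    // but leave X-Forwarded-For alone.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;

    // Allow-list the hosts that may appear in X-Forwarded-Host. Any other
    // value is ignored, so a forged header cannot change the redirect target.
    // Both entries below are placeholders from the question, not real hosts.
    options.AllowedHosts.Add("<Front Door host>.azurefd.net");
    options.AllowedHosts.Add("<custom-domain>");

    // The defaults only honour forwarded headers from loopback proxies, which
    // Front Door is not. Clear them and rely on the X-Azure-FDID check below
    // to prove the request really came through your Front Door instance.
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
});

// B2C sign-in via Microsoft.Identity.Web; the app registration already lists
// the Front Door and custom-domain redirect URIs, as described in the question.
builder.Services.AddMicrosoftIdentityWebAppAuthentication(
    builder.Configuration, "AzureAdB2C"); // assumed config section name

var app = builder.Build();

// Reject requests that bypass Front Door and hit the App Service directly.
// Front Door stamps its instance ID into X-Azure-FDID on every request.
var expectedFdid = builder.Configuration["FrontDoor:Id"]; // assumed config key
app.Use(async (context, next) =>
{
    var fdid = context.Request.Headers["X-Azure-FDID"].ToString();
    if (string.IsNullOrEmpty(expectedFdid) ||
        !string.Equals(fdid, expectedFdid, StringComparison.Ordinal))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next();
});

// Must run before authentication so the OIDC challenge sees the forwarded
// host and scheme when it composes redirect_uri.
app.UseForwardedHeaders();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "signed in via Front Door").RequireAuthorization();

app.Run();
```

Keep the backend host header in the Front Door backend pool blank, as the answer suggests, so Front Door passes the original Host through; the allow-list above then accepts it while still refusing anything you did not list.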

