JamesDumont asked:

Publish an App Service with Azure AD authentication on Azure Application Gateway

Hello,

I did raise a Microsoft ticket to publish my App Service with Azure AD authentication, and the solution proposed was to configure my custom domain on my App Service. This solution works and doesn't need URL rewrite, but I'm not comfortable with it.

I would have preferred to keep the public custom domain, certificate and DNS stuff fully managed on the Application Gateway, which could then be managed by a single Cyber Security team, for example. The App Service could then be fully managed by an App team which doesn't have to take care of the company custom domains, DNS and certificate management.

I tried the solution explained here; it consists in using Application Gateway URL rewrite. The redirection and the Azure AD authentication work, but my App Service displays the following error. Here is the script I used to publish my App Service with the URL rewrite.

The error on the App Service:
Call to HTTP endpoint https://login.windows.net/79b44d42-bab4-49b3-9bbc-cf05592953a0/oauth2/token
failed: 400 (Bad Request). Partial response: {"error":"invalid_client","error_description":"AADSTS500112:
The reply address 'https://dev-myapp1-apiapp1.azurewebsites.net:443/.auth/login/aad/callback'
does not match the reply address 'https://myapp1-api-dev.dld23.com/.auth/login/aad/callback' provided when requesting Authorization code.

Thank you for your help,
Jamesdld


Tags: azure-webapps, azure-ad-tenant, azure-application-gateway

JamesDumont answered:

Hi everyone,

I just discussed with Dimitri concerning his blog; our use cases are different, but I really thank him for his time.
To summarize:

"For App Services that require Azure App Service built-in authentication and authorization, the solution consists in declaring your custom domain in the App Service and configuring the Application Gateway HTTP setting without overriding "with new host name"."

Also, please find here "Publish Services with Azure Application Gateway", a blog post that demonstrates how to publish web sites with a common script.

Regards,
Jamesdld



RohitKumar-4568 answered:

Looking at the error message, it seems the configured reply address on the App registration in Azure AD is not matching the address where the response is coming back to. You can configure multiple reply addresses, so add both the URLs (in the error) to your app registration in Azure AD.


Hi @JamesDumont,

As stated by @RohitKumar-4568, add your additional URI as a redirect URI to your App Service registration under the Azure AD App Registration blade.


Yes, I did it. When not specifying this, we can't authenticate to Azure AD.


The URL in the error message has a port number as well. I am not sure if it matches the port number as well, but it may be worth trying by putting the port number in your callback URL.


Nice try and thanks, but I'm having the same issue. As illustrated in the following screenshot, the authentication works; the last URL is blocked at "https://myapp1-api-dev.dld23.com/.auth/login/aad/callback". I bet on a wrong configuration of the URL rewrite on the Application Gateway:


I really appreciate your help. Adding below some specs of my conf; if this scenario works for you, would you please compare your Application Gateway rewrite rules with mine, available here: Publish-AzAppServiceOnAppGw.ps1?


objectclass answered:

Hi @JamesDumont, just curious if you got this to work?

Any tips in addition to the guide mentioned (https://blog.gaikovoi.dev/2020/04/azure-application-gateway-http-headers.html) to make it work?


Thanks!


WijayaAndreas-5169 answered:

I am having the same issue. Would love to know if this can be solved.

I read here it might be something to do with the client secret:

https://stackoverflow.com/questions/47789655/azure-web-app-easyauth-callback-throws-error

But I will have to check tomorrow with the infra team to compare.


Nope, not working either.

Perttu-6608 answered:

Hi,

I think I ran into this issue today with my application trying to authenticate against AAD using OIDC.

Here is what happens in my case:
1. My app redirects the user to AAD, providing a redirect URI HTTPS://my.domain:443/app
2. User authenticates and is redirected back with authorization code, all good so far
3. The app calls AAD token endpoint, providing the code and the same redirect URI
4. AAD refuses the call with error AADSTS500112: The reply address 'HTTPS://my.domain:443/app' does not match the reply address 'HTTPS://my.domain/app' provided when requesting Authorization code.

If I manually call the token endpoint, removing the port number from the redirect URI, it works.

So it seems to me AAD modifies the stored redirect URI between the authentication and token steps, removing the port number 443 from it.

This is clearly not desired behavior, as the port number is part of the redirect URI.
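As an added example (not code from any poster in this thread), a small Python diagnostic that parses the AADSTS500112 message format quoted in the question and in this answer, and classifies whether the two reply addresses differ by host name (the Application Gateway host-override case from the question) or only by an explicitly spelled-out default port (the case described in this answer). The regular expression over the error text and the cause labels are this example's own assumptions, not Azure AD terminology.

```python
"""Classify an AADSTS500112 reply-address mismatch from its error text."""
import re
from urllib.parse import urlsplit

# Azure AD quotes both addresses in the message: first the one sent with the
# token request, then the one that was used at the authorize step.
# (Assumed from the messages quoted in the thread, not an official format.)
_PATTERN = re.compile(
    r"The reply address '([^']+)'\s+does not match the reply address '([^']+)'"
)
_DEFAULT_PORTS = {"https": 443, "http": 80}


def split_reply_address(url):
    """Return (scheme, host, explicit_port, effective_port, path).

    explicit_port is None when the URL does not spell a port; effective_port
    falls back to the scheme default so 'https://h:443/p' and 'https://h/p'
    describe the same endpoint even though they compare unequal as strings."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    effective = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), parts.port, effective, parts.path


def diagnose(error_text):
    """Return a dict whose 'cause' names the kind of mismatch (labels are
    this example's own)."""
    m = _PATTERN.search(error_text)
    if not m:
        return {"cause": "not_aadsts500112"}
    token_uri, authorize_uri = m.group(1), m.group(2)
    t, a = split_reply_address(token_uri), split_reply_address(authorize_uri)
    result = {"token_redirect_uri": token_uri, "authorize_redirect_uri": authorize_uri}
    if t[1] != a[1]:
        # The callback ran under a different host name than the authorize step:
        # an Application Gateway overriding the Host header with the backend
        # *.azurewebsites.net name produces exactly this shape.
        result["cause"] = "host_mismatch"
    elif t[3] == a[3] and t[2] != a[2]:
        # Same endpoint, but one side spells out the default port (:443).
        result["cause"] = "default_port_spelled_out"
    elif t[4] != a[4]:
        result["cause"] = "path_mismatch"
    else:
        result["cause"] = "scheme_mismatch" if t[0] != a[0] else "unknown"
    return result
```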





Alexandre-GIRAUD answered:

Hi all,

Sorry to dig up this thread from some months ago, but I'm facing a similar issue and need to get more information about the experiences each of you had.
I totally understand the rewrite point with Azure Application Gateway for callback and redirect_uri, and it's working fine, but in a specific case only.

I didn't see, unless I'm mistaken, anyone talking about custom domain and SSL bindings on the web app. What I mean is that this works perfectly if, on the Azure web app, we add a custom DNS (just awverify is enough) and SSL binding. If we don't add this on the web app, I always get a 500.74 on the 2nd request to the callback URI.

Our goal is not to have custom bindings (SSL + DNS) on all backend Azure web apps, only a single certificate on the Application Gateway, and to use only *.azurewebsites.net for the backend. Is it a possible configuration, or is configuring the backend mandatory?

Thanks for sharing, at your disposal if needed.
Regards,
Alexandre
