I have a .NET Core 3.1, Linux-hosted Azure App Service which uses AAD Authentication and has IP Restriction rules configured and working. However, when I put it behind an Application Proxy in AAD, the requests to the service don't include X-Forwarded-Host or X-Original-Host headers. The result is that when a user browses to the site through the Proxy URL, the OIDC authentication kicks in and redirects to the AAD login. The redirect_uri in the login page contains the internal host name, not the Proxy's host name. When the user logs in, they are redirected to the internal host and can't proceed to use the system (unless they're coming from an IP that is valid). The Proxy IPs are on the allow list for the service.
I have enabled the Forwarding Middleware and got it to set the host based on the headers when they're passed in, which works perfectly. However, this only works if the Proxy passes the header on to the service. When I browse to the Proxy URL and forcibly append the X-Original-Host header, the application and its redirects behave as expected.
From what I can see, the only option is to look up the IP address from the X-Forwarded-For header, which does get passed through, map that to a host name at runtime and append that host to the Request object. This feels very hacky for what should be fairly standard proxy behaviour.
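For reference, here is what the setup described above looks like wired up in an ASP.NET Core 3.1 `Startup`, with the proxy-IP-to-host mapping done as a small middleware after the forwarded-headers middleware. This is an added example and is not the asker's code. It assumes the App Service front ends are the only thing that can reach the container (so `KnownProxies`/`KnownNetworks` are cleared, as the App Service guidance recommends), that the proxy is reached over HTTPS, and that the proxy egress addresses `203.0.113.10`/`.11` and the public host `myapp-contoso.msappproxy.net` stand in for the real ones. The one security point worth stressing: once `KnownProxies` is cleared, any caller who can reach the app can send `X-Forwarded-Host`, and the OIDC handler will build `redirect_uri` for whatever host they choose, so `AllowedHosts` is what keeps the redirect pinned to the real public name.

```csharp
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Maps the egress address of a trusted proxy to the public host name it serves.
// Addresses and host name are hypothetical; load the real ones from configuration.
public static class ProxyHostMap
{
    private static readonly IReadOnlyDictionary<IPAddress, HostString> Map =
        new Dictionary<IPAddress, HostString>
        {
            [IPAddress.Parse("203.0.113.10")] = new HostString("myapp-contoso.msappproxy.net"),
            [IPAddress.Parse("203.0.113.11")] = new HostString("myapp-contoso.msappproxy.net"),
        };

    public static IEnumerable<string> PublicHosts
    {
        get { foreach (var host in Map.Values) yield return host.Value; }
    }

    // Returns the public host for a request that arrived from a known proxy, otherwise null.
    public static HostString? ResolvePublicHost(IPAddress remote)
    {
        if (remote == null) return null;
        // Kestrel may report IPv4-mapped IPv6 addresses (::ffff:203.0.113.10); normalise first.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        return Map.TryGetValue(remote, out var host) ? host : (HostString?)null;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedHost
                                     | ForwardedHeaders.XForwardedProto;
            // Assumption: the App Service front ends are the only peers that can reach the
            // container and their addresses cannot be enumerated, so the default
            // loopback-only trust is cleared. That is exactly why AllowedHosts matters:
            // without it, any caller can set X-Forwarded-Host and redirect_uri follows it.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            foreach (var host in ProxyHostMap.PublicHosts) options.AllowedHosts.Add(host);
        });
        services.AddControllers();
        // AddAuthentication().AddOpenIdConnect(...) stays exactly as the app already has it.
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before authentication: the OIDC handler derives redirect_uri from Request.Host.
        app.UseForwardedHeaders();

        // Fallback for a proxy that sends X-Forwarded-For but no X-Forwarded-Host. After
        // UseForwardedHeaders, Connection.RemoteIpAddress already holds the right-most
        // X-Forwarded-For entry (the proxy's egress address), so the lookup keys on that
        // instead of re-parsing the header.
        app.Use(async (context, next) =>
        {
            var publicHost = ProxyHostMap.ResolvePublicHost(context.Connection.RemoteIpAddress);
            if (publicHost.HasValue && !context.Request.Host.Equals(publicHost.Value))
            {
                context.Request.Host = publicHost.Value;
                // Assumption: the proxy is reached over HTTPS; AAD rejects http:// redirect URIs.
                context.Request.Scheme = "https";
            }
            await next();
        });

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Order matters here: the mapping middleware sits after `UseForwardedHeaders` so it sees the proxy address rather than the front-end address, and before `UseAuthentication` so the OIDC challenge picks up the rewritten host. If the proxy later starts sending `X-Forwarded-Host`, the forwarded-headers middleware sets the host first and the fallback becomes a no-op, but `AllowedHosts` still rejects any value other than the expected public name.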