We were trying to enable Application Gateway on one of our web applications hosted on App Service, which uses OpenID Connect to authenticate requests against Azure AD using the authorization code with PKCE flow.
Since our *.azurewebsites.net URL is going to be private, we had to update the "Redirect URI" in AAD and in the Web.config to route the request back to the Application Gateway after authentication; then, with the authenticated payload, the request should hit the backend pool which has the App Service.
But every time we try this configuration we end up in an endless loop between
AppGateway --> AppService (BackendPool) --> Authentication page --> AppGateway --> ...
• You are encountering the endless loop when setting up the application gateway in front of your app service because the reply URLs set for the app service on the application gateway may not be correctly configured due to which even after redirecting to the configured reply URLs, you are not able to go to the set app service page after authentication. For this purpose, kindly go to the ‘Authentication/Authorization’ blade on your app service, click on the “Azure Active Directory” option. In there, click on “Manage Application”. This will take you to the Azure Active Directory configuration. In that, select the ‘Express’ mode, and select the option for ‘Manage Application’, and in that select “Reply URLs” in the “Settings” blade. This will open the various reply URLs that the application is able to use to send an authenticated user back to your application.
• If you configured your custom domain before setting up Azure Active Directory authentication, both your ‘*.azurewebsites.net’ and custom domain URLs should be configured for the reply URLs. If your custom domain is not there, be sure to set up the reply URL as ‘https:///.auth/login/aad/callback’. Once this has been set up correctly as specified, you should be able to authenticate using either the custom domain or the *.azurewebsites.net hostname to ensure you can sign in.
• Ensure that you change your custom domain from pointing to the App Service to pointing to the Application Gateway's public IP or DNS name. This change is made in your DNS registrar.
Finally, I would suggest you refer to the documentation links below for more details on configuring the app service for a custom DNS/default domain and AAD authentication:
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal#configure-a-web-app-behind-an-existing-application-gateway
https://learn.microsoft.com/en-us/archive/blogs/waws/setting-up-application-gateway-with-an-app-service-that-uses-azure-active-directory-authentication#setting-up-the-application-gateway
I have a request to register an application in my Azure tenant.
The request includes info on the App Domain and Redirect URL.
After registering the app, I gave the app name, app id, and client secret to the requestor.
He came back and said that he can see the redirect URL when he looked up the app ID but the App Domain field is still blank.
I do not see this field option when registering an application. Does anyone know where this is located or how it is configured?
You can add a custom domain in Azure AD under the Custom domains tab in the portal.
Just click on "Add custom domain" and fill in the subsequent form.
Refer to the following documentation on custom domains.
I'm writing an app which will allow me to get specific data from Outlook/Exchange using EWS on behalf of a Slack/Outlook/Exchange user. To authenticate via Microsoft’s OAuth flow I created an Azure AD client_id and would like to initiate the OAuth flow for M365 from the app's Home screen. In order to create the client ID I also need to provide a redirect URL within Azure AD.
Where can I find documentation on how to best use external oauth flows? (This is not about installing/authorizing the app within slack).
I’d like to add a "connect to outlook" button on my apps home page after installing from which to start the flow.
Shall I call the Microsoft login (oauth) url directly or should I first link to my apps web server?
When calling the microsoft login I need to provide a redirect url (which needs to match the one in azure ad) to which the authorization codes gets returned.
For some apps (e.g. Outlook Calendar for Slack) this seems to be a Slack URL.
ServiceNow seems to use something like…
https://slack.com/interop-apps/servicenow/snow_oauth_redirect
Is there a way to define such an url for my app within slack?
How will the authorization code be handed over to my app (I assume to the Request URL I defined for my app…)?
Thank you for your time and consideration.
• I am assuming here that you are providing authentication for your application through Azure AD; thus, to configure redirect URIs after the authorization code or token is received post successful authentication, please refer to the documentation below on redirect URIs. It specifies in detail the configuration restrictions that should be followed while configuring a redirect URL in Azure AD:
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
Similarly, to configure a redirect URL for an application in Slack, please check the configured callback URL settings, because the callback URL is required while the redirect URL is optional. Also, Slack will redirect users to the callback URL configured in the app settings if the redirect URL is absent. And if provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL. Please follow the link below for more information:
https://api.slack.com/legacy/oauth
In the above URL, go to ‘Using access tokens’ and ‘Redirect URLs’ section for exact information.
• And as far as calling the Microsoft login (OAuth) URL directly or linking it to your app’s web server, I would suggest you provision your Azure AD users in Slack by following the documentation link below, or configure SSO with Slack by adding it in Enterprise Applications in Azure AD from the application gallery and then configure the API permissions required for accessing the data from Exchange through EWS. In this way, proper configuration and redirection can be achieved for the users who are allowed to access the specific data from Exchange.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-tutorial
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-provisioning-tutorial
I am hosting SonarQube on a Windows VM with IIS and a reverse proxy configured to support an SSL certificate.
All works for basic (user/password) authentication, but I have a problem making Azure AD authentication work.
I followed the instructions to set up Azure AD integration. I have configured Azure AD integration, provided the correct Client ID, a new Secret, the correct tenant ID, and the base server URL is correct with no trailing "/".
Despite all steps being executed properly, Azure AD authentication doesn't work: when I click the button to log on using Microsoft, the login page sends requests and I am redirected back to the logon page.
I use SonarQube 8.0.0.29455 with the Azure AD Authentication plugin version 1.2.0.
Please check the points below:
The redirect URL should be configured with a correct URL, e.g. https://sonarqube.example.com/oauth2/callback/aad. Here /oauth2/callback/aad is a must in addition to the application URL. The redirect URL must use https or a loopback address, else the Azure AD login will not work.
For example, if your main URL is "https://sonarqube.example.com", you would enter "https://sonarqube.example.com/oauth2/callback/aad".
Set the required permissions in the portal and grant consent if required:
i) Sign in and read user profile
ii) Read all users’ basic profiles
Check the rewrite rule when Running SonarQube behind an IIS Reversed Proxy | Microsoft Docs
Make sure you aren’t behind a firewall.
Try upgrading SonarQube.
Restart everything after any changes are made.
References:
Setup · hkamel/sonar-auth-aad Wiki (github.com)
Azure AD integration with sonarqube - Stack Overflow
I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.
My setup is:
An App Service "myapp.azurewebsites.com" with built-in authentication.
App Registration "app-auth" as auth provider.
I have "app-auth" configured in my App Service for automatic authentication via Provider.
Front Door "frontdoor.example.com" forwards requests to my App Service.
My App Registration "app-auth" has a redirect URL assigned the Front Door public name example "frontdoor.example.com".
Problems I'm having:
App Service keeps sending its own name "myapp.azurewebsites.com" as the request_uri query string when logging in to Azure Active Directory. It must send the Front Door URL.
Setting up the "frontdoor.example.com" host header in Front Door fails, as it requires it to match the App Service name.
Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?
In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.
Go to your App Service
Go to Custom Domains
Copy the Custom Domain Verification ID
Add a new DNS TXT record with the copied value: TXT asuid.frontdoor.example.com. <verification id>
To ensure Front Door forwards the request Host Header, the Origin host header field in your Origin configuration must be blank.
Then, when Front Door forwards the request Host Header (Host: frontdoor.example.com) the App Service will recognize it and the Azure AD authentication will use it as for redirection.
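As an added example (not code from either thread), a small Python helper that inspects the Location header the App Service login redirect returns and reports whether the redirect_uri it sends to Azure AD names the public front-end host (Application Gateway or Front Door) and exactly matches a registered reply URL; this is the quickest way to confirm the endless-loop and wrong-redirect_uri symptoms described in both the Application Gateway thread above and this Front Door thread. The hostnames, client_id and the two Location headers are constructed placeholders.

```python
"""Check which redirect_uri an App Service (Easy Auth) login redirect hands to
Azure AD, and whether it points at the public front-end host or at the origin.
Added example; hostnames, client_id and headers below are constructed."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed Location headers, as a browser would see them after the App
# Service redirects to the Azure AD authorize endpoint (values are placeholders).
ORIGIN_LOCATION = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback"
    "&scope=openid+profile"
)
FRONTDOOR_LOCATION = ORIGIN_LOCATION.replace(
    "myapp.azurewebsites.net", "frontdoor.example.com"
)
# Reply URLs registered on the app registration (constructed).
REGISTERED = ["https://frontdoor.example.com/.auth/login/aad/callback"]


def extract_redirect_uri(location: str) -> Optional[str]:
    """Return the (percent-decoded) redirect_uri from an authorize URL, if any."""
    values = parse_qs(urlparse(location).query).get("redirect_uri")
    return values[0] if values else None


def check_redirect_uri(location: str, public_host: str, registered: list) -> dict:
    """Flag a redirect_uri that names the origin instead of the public host,
    or that is not an exact (case-sensitive) match for a registered reply URL."""
    uri = extract_redirect_uri(location)
    if uri is None:
        return {"ok": False, "redirect_uri": None,
                "problems": ["no redirect_uri in Location header"]}
    problems = []
    host = urlparse(uri).hostname
    if host != public_host:
        problems.append(f"redirect_uri host is {host!r}, expected {public_host!r}")
    if uri not in registered:
        problems.append("redirect_uri does not exactly match a registered reply URL")
    return {"ok": not problems, "redirect_uri": uri, "problems": problems}


if __name__ == "__main__":
    for label, loc in (("origin", ORIGIN_LOCATION), ("frontdoor", FRONTDOOR_LOCATION)):
        print(label, check_redirect_uri(loc, "frontdoor.example.com", REGISTERED))
```

Capture the Location header with the browser's network tab or any HTTP client that does not follow redirects; if the host reported is the *.azurewebsites.net origin, the front end is not forwarding the public Host header, which is exactly what the blank Origin host header setting above fixes.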
It seems you have misconfigured the redirect URI in your App Service registration in Azure AD; that is where you specify the redirect_URI. It has nothing to do with the App Service or the Front Door itself.
Instead of the inbuilt Azure AD authentication in Azure App Service, I used custom Azure AD authentication in my .NET Core app by following this Stack Overflow answer:
Authentication with Azure AD redirect_uri is incorrect using FrontDoor
I wrote an article on the same refer it here:
https://www.lkgforit.com/2022/10/how-to-setup-azure-front-door-for.html
I've registered an app in Azure AD and can successfully authenticate users against it while running on localhost.
The Azure AD app's Redirect URI is set to https://localhost:44352/signin-oidc and the Logout URI is https://localhost:44352/signout-oidc.
If I deploy my MVC app to Azure the host name will be different from "localhost". Do I have to register another app for deployment or just add a second redirect URI? But what about the logout URL then - only one can be configured there?
Second redirect URI. Here are some pointers on restrictions on redirect URIs.
Logout URI is only relevant to your application. Not the application registration.
If you are referring to the post_logout_redirect_uri, as described here - it must be registered in the redirect_uris as well:
Or if you consider the logoutUrl as described in the Manifest - that is only used when you perform a Single-sign-out of all web apps, as described here. Frankly, there are very few reasons to use the single sign out capability of Azure AD. And, it requires of course that all apps are configured for single sign out.