I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.
My setup is:
An App Service "myapp.azurewebsites.com" with built-in authentication.
App Registration "app-auth" as auth provider.
I have "app-auth" configured in my App Service for automatic authentication via Provider.
Front Door "frontdoor.example.com" forwards requests to my App Service.
My App Registration "app-auth" has a redirect URL assigned the Front Door public name example "frontdoor.example.com".
Problems I'm having:
App Service keeps sending its own name "myapp.azurewebsites.com" as the request_uri query string when logging in to Azure Active Directory. It must send the Front Door URL.
Setting up "frontdoor.example.com" host header in Front Door fails, as it requires it to match the App Service name.
Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?
In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.
Go to your App Service
Go to Custom Domains
Copy the Custom Domain Verification ID
Add a new DNS TXT record with the copied value: TXT asuid.frontdoor.example.com. <verification id>
To ensure Front Door forwards the request Host Header, the Origin host header field in your Origin configuration must be blank.
Then, when Front Door forwards the request Host header (Host: frontdoor.example.com), the App Service will recognize it and the Azure AD authentication will use it for redirection.
It seems you have misconfigured the redirect URI in your App Service registration in Azure AD; that is where you specify the redirect_URI. It has nothing to do with the App Service or the Front Door itself.
Instead of the built-in Azure AD authentication in Azure App Service, I used custom Azure AD authentication in my dotnet core app by following this Stack Overflow answer:
Authentication with Azure AD redirect_uri is incorrect using FrontDoor
I wrote an article on the same; refer to it here:
https://www.lkgforit.com/2022/10/how-to-setup-azure-front-door-for.html
Related
I have a request to register an application in my Azure tenant.
The request includes info on the App Domain and Redirect URL.
After registering the app, I gave the app name, app id, and client secret to the requestor.
He came back and said that he can see the redirect URL when he looked up the app ID but the App Domain field is still blank.
I do not see this field option when registering an application. Does anyone know where this is located or how it is configured?
You can add a custom domain in azure ad under the custom domains tab in the portal.
Just click on "Add custom domain" and fill in the subsequent form.
Refer to the following documentation on custom domains.
We were trying to enable AppGateway on one of our WebApplications hosted on AppService, which uses OpenIDConnect to authenticate the request against Azure AD using the Code with PKCE flow.
Since our *.azurewebsite.net URL is going to be private, we had to update the "Redirect URI" in AAD and in the Web.config to route the request back to AppGateway after authentication; then, with the authenticated payload, the request should hit the Backend Pool which has the AppService.
But every time we try this configuration we end up in an endless loop between
AppGateway --> AppService(BackendPool) --> Authentication page --> AppGateWay -->...
• You are encountering the endless loop when setting up the application gateway in front of your app service because the reply URLs set for the app service on the application gateway may not be correctly configured due to which even after redirecting to the configured reply URLs, you are not able to go to the set app service page after authentication. For this purpose, kindly go to the ‘Authentication/Authorization’ blade on your app service, click on the “Azure Active Directory” option. In there, click on “Manage Application”. This will take you to the Azure Active Directory configuration. In that, select the ‘Express’ mode, and select the option for ‘Manage Application’, and in that select “Reply URLs” in the “Settings” blade. This will open the various reply URLs that the application is able to use to send an authenticated user back to your application.
• If you configured your custom domain before setting up Azure Active Directory authentication, both your ‘*.azurewebsites.net’ and custom domain URLs should be configured as the reply URLs. If your custom domain is not there, be sure to set up the reply URL as ‘https:///.auth/login/aad/callback’. Once this has been set up correctly as specified, you should be able to authenticate using either the custom domain or the *.azurewebsites.net hostname to ensure you can sign in.
• Ensure that you change your custom domain from pointing to the App Service to pointing to the Application Gateway's public IP or DNS name. This change is made in your DNS registrar.
Finally, I would suggest you refer to and go through the documentation links below for more details on configuring the App Service for a custom DNS/default domain and AAD authentication:
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal#configure-a-web-app-behind-an-existing-application-gateway
https://learn.microsoft.com/en-us/archive/blogs/waws/setting-up-application-gateway-with-an-app-service-that-uses-azure-active-directory-authentication#setting-up-the-application-gateway
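The reply-URL mismatch behind both the Front Door answer earlier on this page and this Application Gateway loop can be checked offline with the following Python model, added here as an illustration (it is not code from Microsoft or from either answer): it derives the redirect_uri from the Host header the App Service actually receives, applies the exact-match rule to the registered reply URLs, and builds the asuid TXT record name. The host names, the origin host-header override and the verification ID are constructed sample values, and the matching rule is a simplified model of Azure AD's behaviour.

```python
"""Model of how App Service built-in auth derives redirect_uri and how Azure AD
matches it against registered reply URLs. Illustrative only, not Microsoft code."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

CALLBACK_PATH = "/.auth/login/aad/callback"  # built-in auth AAD callback path


def effective_host(client_host: str, origin_host_override: Optional[str]) -> str:
    """Front Door / Application Gateway: a blank origin host header forwards the
    client's Host unchanged; a configured override replaces it at the origin."""
    return origin_host_override or client_host


def redirect_uri_for(host_header: str, path: str = CALLBACK_PATH) -> str:
    """Built-in auth builds redirect_uri from the Host header it receives, so
    the host the reverse proxy forwards decides what Azure AD is asked to match."""
    return f"https://{host_header}{path}"


def is_registered(redirect_uri: str, registered: List[str]) -> bool:
    """Exact match on scheme, host and path (scheme/host lowercased per RFC 3986;
    path compared byte for byte, so a trailing slash is a different URI)."""
    want = urlsplit(redirect_uri)
    for reply_url in registered:
        have = urlsplit(reply_url)
        if (want.scheme.lower(), want.netloc.lower(), want.path) == (
            have.scheme.lower(), have.netloc.lower(), have.path):
            return True
    return False


def asuid_txt_record(custom_domain: str, verification_id: str) -> Tuple[str, str]:
    """DNS TXT record App Service checks before accepting the custom domain."""
    return (f"asuid.{custom_domain}", verification_id)


def check_login_flow(client_host: str, origin_host_override: Optional[str],
                     registered: List[str]) -> Tuple[str, bool]:
    """Return the redirect_uri Azure AD will see and whether it is registered."""
    uri = redirect_uri_for(effective_host(client_host, origin_host_override))
    return uri, is_registered(uri, registered)


if __name__ == "__main__":
    registered = ["https://frontdoor.example.com" + CALLBACK_PATH]  # constructed
    # Override set to the App Service name: wrong redirect_uri, login loops/fails
    print(check_login_flow("frontdoor.example.com", "myapp.azurewebsites.net", registered))
    # Blank override: Front Door host forwarded, redirect_uri matches
    print(check_login_flow("frontdoor.example.com", None, registered))
    print(asuid_txt_record("frontdoor.example.com", "<verification id>"))  # constructed
```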
I've registered an app in Azure AD and can successfully authenticate users against it while running on localhost.
The Azure AD app's Redirect URI is set to https://localhost:44352/sigin-oidc and the Logout URI is https://localhost:44352/signout-oidc
If I deploy my MVC app to Azure the host name will be different from "localhost". Do I have to register another app for deployment or just add a second redirect URI? But what about the logout URL then - only one can be configured there?
Second redirect URI. Here are some pointers on restrictions on redirect URIs.
Logout URI is only relevant to your application. Not the application registration.
If you are referring to the post_logout_redirect_uri, as described here, it must be registered in the redirect_uris as well:
Or if you consider the logoutUrl as described in the Manifest - that is only used when you perform a Single-sign-out of all web apps, as described here. Frankly, there are very few reasons to use the single sign out capability of Azure AD. And, it requires of course that all apps are configured for single sign out.
We want to use the AAP to communicate from an Azure app to an on-premises application. We want the app to authenticate and call the Proxy API itself, not delegate the user. Right now, we are able to get a token for the resource of the Proxy API and call the API from the application, but we get an error page (IMHO from the Proxy API) saying "This corporate app can't be accessed right now.", with StatusCode: InternalServerError.
Calling the proxy URL from a browser with Azure Authentication enabled on the proxy, and with an Azure account logged in to that browser, works.
Calling the proxy URL from a browser with Passthrough on the proxy, anonymously, works.
Calling the proxy URL from a browser with Azure Authentication on the proxy, anonymously, returns access denied.
Calling the proxy URL from a Web API hosted on Azure with a token requested for the Proxy resource, and with Azure Authentication on the proxy, fails with InternalServerError.
Is the AAP only working for use with users and not applications? I suspect this because the documentation has this quote:
The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.
It is intended to give users access to your on-premises applications, not applications.
The user is authenticated through Azure AD and given access to the on-premises application. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
I am registering an app with Azure so that I can automate deployments with Ansible. Ansible is not a web app (but a simple command-line tool), but the app registration asks me to fill in a mandatory field, Sign-on URL. The description it gives is "The URL where users can sign in and use your app." But once again, there is no URL and no web app.
I could not find another way to register an app and it seems that this is the recommended way from the Ansible side. Ansible docs on Azure are linking to App registration in Azure.
So for now, I have entered a random URL there, but if it is not needed, then why is Microsoft enforcing it on us?
The reason this is a required field during app registration is that during the vast majority of cases, the app in question is actually an app that people associate with a URL and can sign in to.
If you don't need the Sign-on URL, then you can put whatever value you'd like. I recommend a unique URL that is unlikely to collide with other people's apps or other apps in your organization.
You can also always do the app registration programmatically (since it looks like scripting is your scenario anyway), using Azure AD PowerShell's New-AzureADApplication (followed by New-AzureADServicePrincipal).
Sign-On URL: For "Web app / API" applications, provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application.
That's because you registered a web app/API. This type of application registration is added to the access panel, and users can log in to the app through the access panel via the Sign-on URL you configured when you registered the app.
As Gaurav Mantri suggested, if you are not developing a web app you should register a native app instead of a web app.
For more info about Azure app registration, you can refer to the documents below:
Integrating applications with Azure Active Directory
Register your client application with Azure AD