Azure Web App with "https" url to Azure App Api request not working - azure-api-apps

Angularjs http request to external Azure App Api fails from Azure Web App with "https", but works when the url is http. Authentication is turned on in the Web App, but requires no action if not authenticated. What am I missing?

Your issue is about the Same Origin Policy, on which you can find details in this SO answer.
To make a long story short, you can't call a less secure resource than the page you are on (in your case, making an AJAX request from an HTTPS page down to an HTTP resource).

#bsoulier led me to the culprit. It was the Same Origin Policy, a mismatched protocol (the web api url needed to be "https" as well), that was causing the problem.
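Added example, not code from the question or the answers above: derive the API URL from the page's own origin so an https page never issues a plain-http call. Browsers block active mixed content, so an AJAX or fetch request from an https page to an http endpoint never leaves the browser, which is why the call only worked once the API URL was https too. The host names and endpoint lists below are constructed.

```javascript
// Added example (not from the original post): keep the API scheme at least as
// strong as the page scheme, and surface any endpoint that would be blocked as
// mixed content at startup instead of as a silently failed request.

function resolveApiUrl(pageOrigin, apiUrl) {
  const page = new URL(pageOrigin);
  const api = new URL(apiUrl);
  if (page.protocol === 'https:' && api.protocol === 'http:') {
    // Upgrade instead of downgrade. This only helps if the API host actually
    // serves TLS (a *.azurewebsites.net host does by default).
    api.protocol = 'https:';
    return { url: api.toString(), upgraded: true };
  }
  return { url: api.toString(), upgraded: false };
}

// Returns every configured endpoint that an https page could not call.
function findMixedContent(pageOrigin, endpoints) {
  const page = new URL(pageOrigin);
  if (page.protocol !== 'https:') return [];
  return endpoints.filter((endpoint) => new URL(endpoint).protocol === 'http:');
}

// Browser usage (constructed host names; pageOrigin would be window.location.origin):
// const api = resolveApiUrl('https://myapp.azurewebsites.net',
//                           'http://myapi.azurewebsites.net/api/items');
// api.url === 'https://myapi.azurewebsites.net/api/items'
```

The check is a client-side guard only: if the API host does not serve TLS, the upgraded URL fails at the network level and the server-side configuration (a TLS binding for the API) is what has to change.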

Related

Azure Web App Easy Auth handling (/.auth/me)

We are using Azure Web App Easy Auth, and use the Web App as a reverse proxy which forwards traffic to an angular app.
The angular app calls /.auth/me, takes the token and passes it to a REST API. However, if the user is idle for a long time, it seems that the /.auth/me session times out and we can't get it anymore.
However, the web app doesn't redirect to the MS Login page anymore (as it does when we enter the URL the first time).
Is there a proper way to handle it?
Thank you
Edit:
For example, we are calling this using httpGet in Angular
https://myreverseproxy-dev-asse-web-d.azurewebsites.net/.auth/me
This returns JSON with the auth token.
But after a few hours of the user being idle, it seems to return a blank []. Probably because the session has timed out or the authentication for this endpoint has a timeout.
You have to give the redirect URL by registering your Azure Web App in the App Registrations service:
If it is already registered in App Registrations, then open your app service from Azure Portal > type "App Registrations" in the main search > select your registered App Service > select "Authentication", where you configure the redirect URI:
Refer to this MS Doc1 for Redirect URI limits & restrictions and Doc2 for configuring the CallbackPath and SignedOutCallbackPath in code, e.g. appsettings.json if the language is ASP .NET Core, web.config for ASP .NET, application.properties for Java, etc.
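Added example, not the asker's Angular code or the answerer's: a small client-side routine that decides what to do with a /.auth/me response rather than passing an empty or stale token to the REST API. It assumes the Easy Auth behaviour described in the question (an anonymous session yields `[]`) and that each identity object carries an `access_token` and an `expires_on` ISO timestamp; the `/.auth/refresh` and `/.auth/login/aad` paths and the `post_login_redirect_url` parameter are App Service Authentication endpoints assumed here, not taken from the post. Sample data is constructed.

```javascript
// Added example (not from the original post): classify a /.auth/me payload and
// map it to the action a single-page app should take.

function evaluateAuthMe(identities, nowMs = Date.now(), skewSeconds = 60) {
  // Easy Auth answers [] when the browser session is no longer authenticated.
  if (!Array.isArray(identities) || identities.length === 0) {
    return { state: 'anonymous', token: null };
  }
  const identity = identities[0];
  const expiresMs = Date.parse(identity.expires_on);
  if (Number.isNaN(expiresMs)) {
    return { state: 'unknown-expiry', token: identity.access_token || null };
  }
  // Treat a token that expires within the skew window as already expired, so the
  // REST API never receives one that dies in flight.
  if (expiresMs - skewSeconds * 1000 <= nowMs) {
    return { state: 'expired', token: null };
  }
  return { state: 'valid', token: identity.access_token, expiresMs };
}

// Which Easy Auth endpoint to hit next (paths are assumptions, see lead-in).
function nextAction(result, currentUrl) {
  switch (result.state) {
    case 'valid':
      return { action: 'use-token' };
    case 'expired':
      return { action: 'refresh', url: '/.auth/refresh' };
    default:
      // Anonymous or unparseable: start a fresh login and come back to this page.
      return {
        action: 'login',
        url: '/.auth/login/aad?post_login_redirect_url=' + encodeURIComponent(currentUrl),
      };
  }
}

// Browser entry point; fetchImpl is injectable so the logic can run without a DOM.
async function fetchSession(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl('/.auth/me', {
    credentials: 'same-origin',
    headers: { Accept: 'application/json' },
  });
  if (!res.ok) return { state: 'anonymous', token: null };
  return evaluateAuthMe(await res.json());
}
```

The app should act on `nextAction` with a top-level navigation (`window.location.assign`), not an XHR: the login endpoint responds with redirects to the identity provider, which a background request cannot follow usefully.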

Is it possible to change the redirected URI for an Azure Function App using App Service Auth accessed via an API Management endpoint?

I have an existing Azure Function App configured with App Service Auth using AAD.
By directly accessing the App Service website xxx.azurewebsites.net/xxx I am prompted to login, and on logging in I am redirected back to the xxx.azurewebsites.net page.
However, with the same function app accessed via an APIM endpoint, I load the site xxx.azure-api.net/xxx, get prompted to login, and then get redirected back to the azurewebsites.net page rather than the azure-api.net one.
Is there any way to configure this redirection? I have set the Redirect URIs in the App Registrations 'Authentication' blade, however this has made no difference.
Additional information:
In the initial 401 response I can see the original URL in the headers
WWW-Authenticate Bearer realm="xxx.azurewebsites.net/xxx" ...
No, we can't set the request to redirect to azure-api.net after login.
What we need to know is that if we use AD to protect the function app, it will redirect to the login page when we request the function url. After login, it will redirect back to the function url and continue the request.
When you use APIM to access the function, the APIM is just an interface, so the steps are the same as above after you request the APIM api to access the function. It will not redirect to azure-api.net; this is by design.

How to capture request header in azure web app

I'm currently running a Windows Azure web app behind an application gateway v2.
I would like to use the header information for x-forwarded-host or x-original-host, but it does not work.
Now I'd like to trace what request headers are actually received by the web app. I'm trying network capturing, but as the whole traffic is HTTPS, I guess I'm not seeing all the fields.
Any idea?
You can configure application gateway to modify request and response headers and URL by using Rewrite HTTP headers and URL or to modify the URI path by using a path-override setting. However, unless configured to do so, all incoming requests are proxied to the backend.
For more details, you can read the official document.

How to fix - Access to fetch at 'https://login.windows.net......' has been blocked by CORS policy - when logging back in

I'm having a problem with my React / ASP.net core web API app and authentication with Azure AD.
The first time I log in it's all fine. Then if I sign out, I get presented with the Microsoft hosted "You have been signed out. Return to the website" page, which has a link back to the site.
If I then click on that link then the app hangs when it tries to authenticate, and I'm getting CORS errors in my Chrome browser console:
Access to fetch at
'https://login.windows.net/XXXXX/oauth2/authorize?response_type=id_token&redirect_uri=
(etc)' (redirected from
'https://uat.xxxxx.com/coreservice/api/foo?page=1&pageSize=25') from
origin 'https://uat.xxxxx.com' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. If an opaque response serves your needs, set the request's
mode to 'no-cors' to fetch the resource with CORS disabled.
Extra info:
As an experiment I hosted a link to the site from elsewhere on the web and I get the same problematic behaviour if I click on that link.
If I hard refresh the page at this point, then it all works fine - I'm presented with the MS Azure login page as expected.
Any help would be gratefully received!
Not sure if you are using the Azure Web Apps to host your application, but the issue I had was that I was using the App Service Authentication setting under Authentication/Authorization in the Azure Portal. This setting was pointing to the Azure AD instance. But I also was using React-ADAL npm package wrapped around my application so it was causing conflicting issues since they were both using the same instance of Azure AD.
I turned off the App Service Authentication setting in the Azure portal and everything worked from there.
This setting does work as I have used it with other applications and simple web apps but I realized that the Azure App Auth setting was conflicting with the React-ADAL npm package.
Hope this helps.
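Added example, not the asker's React code or the answerer's: a fetch wrapper that keeps an API call from following a 302 into login.windows.net, which is the cross-origin hop that fails the CORS preflight quoted in the question. With `redirect: 'manual'` the browser returns an opaqueredirect response instead of following the redirect, and the wrapper turns that into a top-level navigation, which is how a sign-in flow is meant to be entered. The `loginPath` default and the injectable `fetch`/`navigate` dependencies are assumptions for illustration; the test data is constructed.

```javascript
// Added example (not from the original post): detect "the API wants me to log in"
// without letting a background fetch chase the identity provider.

function classifyResponse(res) {
  if (res.type === 'opaqueredirect') return 'login-redirect'; // a redirect we refused to follow
  if (res.status === 401 || res.status === 403) return 'unauthenticated';
  if (res.status >= 200 && res.status < 300) return 'ok';
  return 'error';
}

async function apiFetch(url, options = {}, deps = {}) {
  const fetchImpl = deps.fetch || globalThis.fetch;
  const navigate = deps.navigate || ((to) => window.location.assign(to));
  const loginPath = deps.loginPath || '/login'; // placeholder for the app's sign-in entry point
  const res = await fetchImpl(url, { ...options, credentials: 'include', redirect: 'manual' });
  const kind = classifyResponse(res);
  if (kind === 'login-redirect' || kind === 'unauthenticated') {
    // A top-level navigation lets the IdP page set its cookies and redirect back,
    // which a cross-origin XHR/fetch can never do.
    navigate(loginPath + '?returnUrl=' + encodeURIComponent(url));
    return { kind, body: null };
  }
  if (kind === 'error') throw new Error('API call failed with status ' + res.status);
  return { kind, body: await res.json() };
}
```

This addresses the symptom regardless of where the 302 originates. When both App Service Authentication and an in-app library such as React-ADAL are active, as in the answer above, the platform layer issues the redirect before the app's own handlers run, so removing one of the two layers (as the answerer did) is still the cleaner fix.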

Unusual HTTP response on ASP.NET Core web app hosted in Azure in Chrome

I host a React & ASP.NET Core web app in an Azure App Service. I'm encountering an isolated and bizarre (to me anyway!) issue relating to the post-login process in my application.
We use Okta for authentication and the login process looks like this:
User navigates to our website
On page load when not logged in, authorize attribute redirects to the '/api/auth/login' controller action
'/api/auth/login' invokes challenge and redirects to Okta
User logs in to Okta and is redirected back to callback URL specified in OpenID connect middleware
Web app redirects back to '/api/auth/login' to check if user is authenticated then redirects to '/' to render home page
In Chrome, in Azure and over HTTPS only, step 5 above does not redirect to '/' and instead the call to '/api/auth/login' returns a 200. Nowhere in my controller action do I return a 200 here. This works locally when using Chrome and HTTPS, so it seems to be isolated to my Azure environment.
Chrome request/response dumps of HTTP vs HTTPS in Azure are below. The HTTP response is what I'm expecting, I've got no idea where the HTTPS response is coming from.
HTTP with expected response from '/api/auth/login' call:
HTTPS with unexpected response:
Any suggestions would be greatly appreciated!
The scaffolding framework we used for our react application was registering a service worker which was returning this 200.
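Added example, not the asker's or answerer's code: a service-worker fetch handler that never answers authentication or API requests itself, plus a page-side helper to list and remove registrations while diagnosing an unexpected 200. A typical way a scaffolded worker produces that response is a navigation fallback that serves the cached index.html for any navigation request, including one to the auth controller; the path prefixes below are assumptions for illustration, and the request objects in the test are constructed.

```javascript
// Added example (not from the original post): keep auth and API traffic out of the
// service worker so redirects from the server reach the browser untouched.

const NETWORK_ONLY_PREFIXES = ['/api/', '/.auth/', '/signin-oidc']; // assumed paths

function shouldBypassServiceWorker(request) {
  const url = new URL(request.url);
  if (request.method !== 'GET') return true; // never synthesize non-GET responses
  return NETWORK_ONLY_PREFIXES.some((prefix) => url.pathname.startsWith(prefix));
}

// Worker side: only wired up inside a ServiceWorkerGlobalScope.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' && 'clients' in self) {
  self.addEventListener('fetch', (event) => {
    if (shouldBypassServiceWorker(event.request)) {
      // Not calling event.respondWith hands the request to the browser, so a 302
      // from '/api/auth/login' is seen as a 302, not as a cached 200.
      return;
    }
    event.respondWith(caches.match(event.request).then((hit) => hit || fetch(event.request)));
  });
}

// Page side: what is registered right now, by scope.
async function listServiceWorkers(nav = globalThis.navigator) {
  if (!nav || !nav.serviceWorker) return [];
  const registrations = await nav.serviceWorker.getRegistrations();
  return registrations.map((registration) => registration.scope);
}

// Page side: remove every registration; returns how many were removed.
async function unregisterAllServiceWorkers(nav = globalThis.navigator) {
  if (!nav || !nav.serviceWorker) return 0;
  const registrations = await nav.serviceWorker.getRegistrations();
  await Promise.all(registrations.map((registration) => registration.unregister()));
  return registrations.length;
}
```

A quick check when a response looks wrong is the Size column in Chrome's Network panel: a response served by a worker is marked "(ServiceWorker)" rather than showing a transfer size, which distinguishes this case from a genuine server reply.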
