
I have an app hosted on Azure PaaS using OpenID Connect for auth.

The app URL is like: https://env.app.entity.my.domain
The Azure ASE is: https://entity-app-env-web.webenvase.my.domain

As long as I configure a redirect URI for https://entity-app-env-web.webenvase.my.domain/signin-oidc in Azure, it works. That's because it's ignoring the redirect URI in my settings. But that's not what I want. I will obviously want to return the user to the app's URL.

No matter what values I put for my RedirectUri or CallbackPath, it defaults to the ASE URL. How can I fix that?

appsettings.json:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Issuer": "https://sts.windows.net/<tenant id>/",
    "Domain": "my.azure.domain",
    "TenantId": "<tenant id>",
    "ClientId": "<client id>",
    "RedirectUri": "https://env.app.entity.my.domain/signin-oidc"
  }
}

Startup.cs (auth config):

// Registers cookie + OpenID Connect authentication from the "AzureAd" section above.
services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
services.AddControllersWithViews(options =>
{
    // Global policy: every controller requires a signed-in user in the app's
    // Administrator role (Role is the app's own constants class).
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole(Role.Administrator)
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
})
.AddMicrosoftIdentityUI(); // adds the built-in sign-in / sign-out pages
ChiefTwoPencils

1 Answer


I found from this answer and elsewhere that the redirect URI is automatically calculated, not using the value from the configs. The one in the configs will be used in some cases, but not for the auth call to Azure.

After monkeying around with it for some time, our server team started removing rules on the F5, and we found that the header rewrite rule that is typical for our other apps was the issue. Specifically, it was causing the auth cookie to be rejected and stripped at the browser during redirection.

We removed the rule and all is well again.

ChiefTwoPencils
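An added example (not code from the question or the answer) showing the two places that decide which redirect_uri the handler sends to Azure AD when the app sits behind a reverse proxy and is reached through the ASE host name: pinning it in the OnRedirectToIdentityProvider event, or letting the app compute it from X-Forwarded-Host/Proto sent by the proxy. The public URL is taken from the question; the proxy address is a placeholder, and the Microsoft.Identity.Web and Microsoft.AspNetCore.HttpOverrides packages are assumed.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    // Public URL from the question; the ASE host is what the app itself sees.
    private const string PublicBaseUrl = "https://env.app.entity.my.domain";

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMicrosoftIdentityWebAppAuthentication(Configuration);

        // Option 1: pin redirect_uri. Registered after the call above, so it runs after
        // Microsoft.Identity.Web's own setup; the existing event handler is kept.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            var inner = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                await inner(ctx);
                // The handler has already filled RedirectUri from the request host
                // (the ASE name); replace it with the URL registered in Azure AD.
                ctx.ProtocolMessage.RedirectUri = PublicBaseUrl + options.CallbackPath;
            };
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Option 2: trust X-Forwarded-* from the proxy so the computed URL is correct.
        // Only headers from the listed proxy are honoured; others are ignored.
        var forwarded = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost
        };
        forwarded.KnownProxies.Add(IPAddress.Parse("203.0.113.10")); // placeholder: the F5's address
        app.UseForwardedHeaders(forwarded); // must run before UseAuthentication
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Either option alone is enough; with option 2 the F5 must actually send the X-Forwarded-Host header rather than rewrite the Host header, which is the kind of rule the answer describes removing.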