[英]ASP.NET Core app with Azure AD authentication behind a reverse proxy is setting the wrong redirect_uri
I've been banging my head on this for a while.我一直在敲我的头一段时间。 I have an ASP.NET Core 3.1 web app running on an Azure App Service.
我有一个在 Azure 应用服务上运行的 ASP.NET Core 3.1 Web 应用。 The web app has Azure AD authentication setup, with forwarded headers.
Web 应用程序具有 Azure AD 身份验证设置和转发标头。 Here's the
ConfigureService
:这是
ConfigureService
:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders =
ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});
services
.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options =>
{
Configuration.Bind("AzureAd", options);
});
And here's the Configure
:这是
Configure
:
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseForwardedHeaders();
}
else
{
app.UseExceptionHandler("/Error");
app.UseForwardedHeaders();
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseSpaStaticFiles();
app.UseRouting();
app.UseCors(Configuration["AllowedHosts"]);
app.UseAuthentication();
app.UseAuthorization();
I'm using an Azure Application Gateway as a reverse proxy.我使用 Azure 应用程序网关作为反向代理。 Problem occurs in the authentication flow.
认证流程出现问题。 Once authenticated, the redirect_uri provided in the URL is the
*.azurewebsites.net
address and not the one I configured in the App Gateway *.mydomain.com
.通过身份验证后,URL 中提供的 redirect_uri 是
*.azurewebsites.net
地址,而不是我在 App Gateway *.mydomain.com
配置的地址。 Further investigation reveals the following headers are provided to the App Service in a request:进一步调查显示,在请求中向应用服务提供了以下标头:
X-FORWARDED-PROTO: https
X-FORWARDED-PORT: 443
X-Forwarded-For: ***IP ADDR OF APP GATEWAY***
X-Original-URL: ***
X-ORIGINAL-HOST: *.mydomain.com
X-ARR-SSL: 2048|256|C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5|CN=*.azurewebsites.net
X-AppService-Proto: https
X-Forwarded-TlsVersion: 1.2
What else do I need to tell my backend app to use the forwarded headers (in my case, X-ORIGINAL-HOST seems to be the only one containing the actual requesting host)?我还需要告诉我的后端应用程序使用转发的标头(在我的情况下,X-ORIGINAL-HOST 似乎是唯一包含实际请求主机的标头)? This seems like a pretty straight forward use case.
这似乎是一个非常直接的用例。 Thanks in advance for the help.
在此先感谢您的帮助。
In your HTTP Settings under Hostname settings, mention *.domain.com.在主机名设置下的 HTTP 设置中,提及 *.domain.com。 If youmake that change, make sure you have configured the Backend with the custom domain.
如果您进行了更改,请确保您已使用自定义域配置后端。
Regards, Msrini问候, 姆斯里尼
I just ran into this.我刚遇到这个。 Make sure to include
XForwardedHost
in your options configuration, or just include ForwardedHeaders.All
like this:确保在您的选项配置中包含
XForwardedHost
,或者只包含ForwardedHeaders.All
像这样:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.All;
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.