Azure CDN 阻止存储帐户 Static 使用 Active Directory 进行站点身份验证

Question

I currently have an Azure Blob Storage Account setup with Azure CDN to host a Static Site. This Static Site is connected to an App Service backend and uses frontend-based authentication using Active Directory baked into the application code with MSAL .

When it was initially deployed and running off of the Static Site's URL alone, I was able to authenticate without fail. The auth popup would present itself, I would provide credentials, and the Active Directory sent back a token that I then confirmed with the backend and successfully redirected to the post-auth landing page.

The Problem I'm having now is that when I proceed to the URL provided by the Azure CDN (rather than the Storage Site's URL), the popup for authentication opens and allows me to provide credentials, but instead of closing and redirecting upon token reception, the popup simply hangs there. It's also interesting to note that the popup's URL is listed as the Static Site URL and not the CDN URL. The token comes back and is present in later portions of the URL, so it must be a mis-match between the URLs that's causing the issue.

I've Tried changing out the Static Site's configured Reply URLs to match the CDN, and it didn't make a difference. I've also added the CDN URLs (both the custom one and the endpoint .azureedge.net one) to the Active Directory list of Reply URLs.

The CDN is providing a certificate for the custom URLs to use, so we need that in order for the custom URLs to work properly. To be clear as well, the authentication works when using the Static Site URL, but not the CDN URL.

Has anyone else run into an issue of this nature? If so, have you solved it?

Answer 1

For anyone who may come across this, the solution was much more simple than I had anticipated. The MSAL configs for the frontend needed to be using the new CDN URL (which I figured), but the CDN itself needed to be purged and the changes picked up from the Blob storage.