
How do you change the MSAL Reply URL when the Azure APP Service is behind a reverse proxy like NGINX?

I will skip the usual rant on time spent, frustration, MS is stupid, etc.

I have tried to be as complete as possible

We have 5 Azure App Services, 3 ASP.NET Core 5.0 and 2 Blazor Server apps; we are using Azure AD B2B.

We had the first two or three working on Front Door and then discovered it does not support SignalR (websockets). Wait, I promised not to rant.

We switched to NGINX.

Below is the basic configuration (all https). It is verbose and I checked each one as I wrote this, hoping to find an error.

  • app1.azurewebsites.net
  • app2.azurewebsites.net
  • app3.azurewebsites.net
  • app4.azurewebsites.net
  • app5.azurewebsites.net

We need it to work like this:

  • domain.com/ - app1
  • domain.com/app2
  • domain.com/app3
  • domain.com/app4
  • domain.com/app5

The Redirect URIs in AD, the application configuration overrides, and appsettings.config are set to:

  • domain.com/signin-oidc
  • domain.com/app2/signin-oidc
  • domain.com/app3/signin-oidc
  • domain.com/app4/signin-oidc
  • domain.com/app5/signin-oidc

My current NGINX config is:

```nginx
server {
    server_name domain.com;
    listen 80;
    listen [::]:80;

    listen 443 ssl;

    ssl_certificate     /etc/nginx/ssl/mycert.cert;
    ssl_certificate_key /etc/nginx/ssl/mycert.prv;

    location /app2 {
        proxy_pass https://app2.azurewebsites.net/;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   X-Real-Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
    location / {
        proxy_pass https://app1.azurewebsites.net/;
        proxy_redirect          off;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
    }
}
```

The app services all have this code:

```csharp
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Tell the forwarded-headers middleware which X-Forwarded-* headers to honour
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders =
            ForwardedHeaders.XForwardedFor |
            ForwardedHeaders.XForwardedProto |
            ForwardedHeaders.XForwardedHost;
    });
}
```

When I try domain.com in the browser I get this error:

**AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '{ClientId Guid}'.**

When I inspect the request it looks like this:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientId Guid}&redirect_uri=https://app1.azurewebsites.net/signin-oidc ...

This is true for all of the apps

I am at a loss as to how to solve this. MS support was no help even in a made up non-NGINX scenario.

I hired a NGINX "expert" who got nowhere.

I have a call scheduled EOW with OKTA, who "believe" they have a solution.

None of this is optimal and has wrecked hours of CI/CD work.

Has anyone made this work? If so how?

TIA

G
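
The forwarded-headers wiring the question describes, written out end to end as an added example (not the original poster's code or anything from Microsoft's samples): it shows that configuring `ForwardedHeadersOptions` alone does nothing until `app.UseForwardedHeaders()` runs before authentication, that the default trust list only covers loopback proxies so a remote NGINX's headers are ignored, and how the `/app2` prefix that `proxy_pass .../` strips can be restored so the callback becomes `/app2/signin-oidc`. It assumes every NGINX location sends `X-Forwarded-Host` (the `/app2` block above sends `X-Real-Host`, which the middleware does not read), a hypothetical `proxy_set_header X-Forwarded-Prefix /app2;` added to NGINX, and `CallbackPath` left at its default `/signin-oidc`.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;
            // Only loopback proxies are trusted by default, so headers from a remote
            // NGINX are silently ignored. Assumption: on App Service the immediate peer
            // is the platform front end, whose address is not fixed, so address-based
            // trust is dropped and replaced by a whitelist of acceptable forwarded hosts.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.AllowedHosts.Add("domain.com");
        });
        // ... AddAuthentication()/OpenIdConnect registration as in the real app
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication: the OIDC handler builds redirect_uri from
        // Request.Scheme/Host/PathBase, which this middleware rewrites.
        app.UseForwardedHeaders();

        // proxy_pass with a trailing slash strips /app2, so restore it as PathBase.
        // Assumption: NGINX sends the custom header X-Forwarded-Prefix: /app2,
        // which the 5.0 forwarded-headers middleware does not consume on its own.
        app.Use((context, next) =>
        {
            if (context.Request.Headers.TryGetValue("X-Forwarded-Prefix", out var prefix)
                && prefix.Count == 1 && prefix[0].StartsWith('/'))
            {
                context.Request.PathBase = new PathString(prefix[0]);
            }
            return next();
        });

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        // ... UseEndpoints as in the real app
    }
}
```

With the lists cleared, any client that can reach the App Service hostname directly can send its own X-Forwarded-Host, which is why AllowedHosts is restricted to the public domain; locking down App Service access to the NGINX address is the other half of that control.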
I believe this is a workaround, but have you tried to change the AD's Redirect URIs to *.azurewebsites.net instead of domain.com/appN/signin-oidc?
