[英]How do you change the MSAL Reply URL when the Azure APP Service is behind a reverse proxy like NGINX?
我將跳過通常的關於花費時間、挫折、MS 愚蠢等的咆哮。
我試圖盡可能完整
我們有 5 個 Azure 應用服務、3 個 aspdotnet core 5.0 和 2 個 Blazor 服務器應用,我們正在使用 Azure AD B2B。
我們讓前兩個或三個在 Front Door 上工作,然后發現它不支持 SignalR (websockets)。 等等,我答應過不吐槽的。
我們切換到 NGINX。
下面是基本配置(全是https)。 它很冗長,我在寫這篇文章時檢查了每一個,希望能找到一個錯誤。
我們需要它像這樣工作
AD 中的重定向 URI、應用程序配置覆蓋和 appsettings.config 設置為
我當前的 NGNIX 配置是
server_name domain.com
listen 80;
listen [::]:80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/mycert.cert;
ssl_certificate_key /etc/nginx/ssl/mycert.prv;
location /app2 {
proxy_pass https://app2.azurewebsites.net/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header X-Real-Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass https://app1.azurewebsites.net/;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
應用服務都有這個代碼。
public void ConfigureServices(IServiceCollection services)
{
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders =
ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto |
ForwardedHeaders.XForwardedHost;
});```
When I try domain.com in the browser I get this error
**AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '{ClientId Guid}'.**
When I inspect the request it looks like this
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientId Guid}&redirect_uri=https://app1.azurewebsites.net/signin-oidc ...
This is true for all of the apps
I am at a loss as how to solve this. MS support was no help even in a made up non-NGINX scenario.
I hired a NGINX "expert" who got nowhere.
I have a call scheduled EOW with OKTA, who "believe" they have a solution.
None of this is optimal and has wrecked hours of CI/CD work.
Has anyone made this work? If so how?
TIA
G
我相信這是一種解決方法,但您是否嘗試將 AD 的重定向 URI 更改為 *.azurewebsites.net 而不是 domain.com/appN/signin-oidc?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.