I have a .NET Core 2.0 application running in a Kubernetes cluster with Linux containers. In front of the application I have an Nginx reverse proxy that is set up with LetsEncrypt, SSL termination, and forwarding http to the app.
My app successfully authenticates and redirects locally (without reverse proxy) and is based on the sample form here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore
When deployed, this setup initially caused issues with the app attempting to authenticate users by switching from https://my.domain.cloudapp.azure.com to http://my.domain.cloudapp.azure.com. As a result, my reply URL (https://my.domain.cloudapp.azure.com/signin-oidc) was not being used and I received an error.
I was able to fix this with information from here and here and specifically I added:
    // Read X-Forwarded-For / X-Forwarded-Proto set by the reverse proxy
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });

    // Force the scheme to https for every request that did not come in on localhost,
    // so the OIDC middleware builds an https redirect_uri
    app.Use(async (context, next) =>
    {
        if (context.Request.Host.Host.ToLower() != "localhost")
            context.Request.Scheme = "https";
        await next.Invoke();
    });
Now when I go to https://my.domain.cloudapp.azure.com I'm redirected properly to https://login.microsoftonline.com/. After authenticating I'm redirected back to my app at https://my.domain.cloudapp.azure.com but the OpenID Connect authentication middleware does not seem to be handling the /signin-oidc route. I instead receive a 404 error.
Does anyone know what I'm doing wrong?
I ended up having two problems that were causing this issue. First, I had multiple pods serving my app in Kubernetes and so I needed to persist the encryption/decryption keys for the cookies to a central location.
The second issue was that the reverse proxy was rewriting the reply URL. My project has changed a little since my original post and I switched to OAuth2 Proxy, so I'm not sure of the exact scenario for Nginx in my original post. However, for OAuth2 Proxy I had to add "https://my.domain.cloudapp.azure.com/oauth2/callback" as a reply URL in my app registration.
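As an added example (not the poster's code or the Azure sample's), the two pieces of configuration the question's forwarded-headers snippet and the answer's first point call for, in an ASP.NET Core 2.x Startup: a shared data-protection key ring so every pod can unprotect the OIDC correlation cookie, and forwarded headers that are only trusted from the proxy's network instead of forcing https on every request. The pod network 10.244.0.0/16, the mount path /keys and the application name are assumed values; the OpenID Connect registration from the sample is unchanged and omitted here.

```csharp
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Answer, problem 1: with several pods behind one Service, the pod that set the
        // .AspNetCore.Correlation / nonce cookie is usually not the pod that receives
        // /signin-oidc. All pods must share one key ring or the callback fails.
        services.AddDataProtection()
            .SetApplicationName("my-oidc-app")                     // assumed; same in every pod
            .PersistKeysToFileSystem(new DirectoryInfo("/keys")); // assumed shared volume mount

        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // The middleware only honours X-Forwarded-* from KnownProxies/KnownNetworks, and the
            // defaults trust loopback only. An Nginx pod is not loopback, so without this the
            // headers are silently ignored and Request.Scheme stays "http". Trusting the proxy
            // network explicitly removes the need to hard-code Scheme = "https" for non-localhost.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.244.0.0"), 16)); // assumed
        });

        // services.AddAuthentication(...).AddOpenIdConnect(...) exactly as in the sample goes here.
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication so Request.Scheme and Host are already rewritten
        // when the OIDC handler builds redirect_uri and matches the /signin-oidc callback.
        app.UseForwardedHeaders();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

If the proxy is OAuth2 Proxy rather than Nginx, the same KnownNetworks entry applies and only the reply URL registered in Azure AD changes, as the answer notes.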