I have a Java webapp running on Tomcat deployed to Azure App Service. The authentication is handled via Azure AD. Everything seems to be working fine in the local environment.
When we deploy the app to Azure, httpRequest.getScheme() always returns HTTP, irrespective of whether the call is made from the HTTPS endpoint.
As a result the redirect URL is constructed with HTTP endpoint and doesn't match the redirect URL specified in the Azure AD App Registrations. The redirectUrl is constructed as follows.
// Container-reported URL; behind the TLS-terminating front end this comes back as http://...
String currentUri = httpRequest.getRequestURL().toString();
String redirectUrl = authority + tenant +
    "/oauth2/authorize?response_type=code&scope=user.read.all&response_mode=form_post&redirect_uri="
    + URLEncoder.encode(currentUri, "UTF-8") + "&client_id=" + clientId +
    "&resource=https%3a%2f%2fgraph.microsoft.com" + "&state=" + state + "&nonce="
    + nonce;
I have searched and found this: https://creechy.wordpress.com/2011/08/22/ssl-termination-load-balancers-java/ . The load balancer might cause this type of issue and we need to modify the Tomcat configuration.
The application works without any issues if we deploy the WAR file on on-prem servers. The issue occurs only in Azure.
The redirectUrl always contains http://xxxxx.azurewebsites.net but in the App registrations the redirectUrl is specified as https://xxxx.azurewebsites.net
Has anyone else faced this issue? How can this be avoided?
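The Tomcat-side fix the question alludes to is the RemoteIpValve, which rewrites getScheme(), isSecure(), getServerPort() and hence getRequestURL() from the X-Forwarded-* headers before the servlet sees the request. The fragment below is an added example, not from the question or from Azure's documentation; the internalProxies value is an assumption and must be set to the address range the App Service front end actually connects from, because any client whose address matches it can set X-Forwarded-Proto and be believed.

```xml
<!-- server.xml: place the valve inside <Engine> or <Host>, before any other valve
     that inspects the scheme or client address. Added example; the internalProxies
     regex is an assumption and must match the proxy address seen by the container. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="127\.\d{1,3}\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}" />
```

With the valve in place the original redirect code works unchanged, since getRequestURL() now yields https://xxxx.azurewebsites.net/... for requests that arrived over TLS. Check by logging request.getScheme() and request.isSecure() from a request made to the https endpoint; both should now report https/true, and an X-Forwarded-Proto: https header sent from an address outside internalProxies should still be ignored.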
I have done some research on this. Inside an Azure web app, it will always use http as the protocol. You can get the real protocol from the request header.
String currentUri = httpRequest.getRequestURL().toString();
// Set by the App Service front end that terminates TLS
String realProto = httpRequest.getHeader("x-forwarded-proto");
// Replace only the scheme, so an already-https URL is not turned into "httpss://"
if (realProto != null) currentUri = currentUri.replaceFirst("^https?", realProto);
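A hardened version of the answer's header approach, covering both the redirect-URL construction in the question and the X-Forwarded-Proto lookup in the answer. This is an added example, not code from the question, the answer or Azure; it assumes the javax.servlet API (Tomcat 9 or earlier) and a trustProxyHeaders flag supplied by your own configuration, true only when the app is reachable solely through the platform front end. It accepts only the two values the header can legitimately carry, rebuilds the URL instead of string-replacing into it, and percent-encodes every dynamic query parameter, including state and nonce.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest; // assumption: Tomcat 9 or earlier (javax namespace)

/** Added example: reconstruct the externally visible URL behind a TLS-terminating proxy. */
public final class ForwardedUrl {

    private ForwardedUrl() {}

    /**
     * Scheme the client actually used. X-Forwarded-Proto is honoured only when
     * trustProxyHeaders is true (the app is reachable only through the proxy) and
     * only for "http" or "https"; anything else falls back to the container's view.
     */
    static String effectiveScheme(HttpServletRequest req, boolean trustProxyHeaders) {
        if (trustProxyHeaders) {
            String proto = req.getHeader("X-Forwarded-Proto");
            if (proto != null) {
                // Chained proxies may append values ("https, http"); the first is the client-facing hop.
                String first = proto.split(",")[0].trim().toLowerCase(Locale.ROOT);
                if (first.equals("https") || first.equals("http")) {
                    return first;
                }
            }
        }
        return req.getScheme();
    }

    /**
     * getRequestURL() rebuilt with the effective scheme. The URL is parsed and
     * reassembled rather than string-replaced, so an already-https URL is never
     * turned into "httpss://..." and a default port is not carried across schemes.
     */
    static String effectiveRequestUrl(HttpServletRequest req, boolean trustProxyHeaders) {
        String scheme = effectiveScheme(req, trustProxyHeaders);
        try {
            URI original = new URI(req.getRequestURL().toString());
            int port = original.getPort(); // -1 when the URL carries no explicit port
            if (port == 80 || port == 443) {
                port = -1; // default for its scheme; do not carry ":80" onto an https URL
            }
            // getRawPath() keeps existing percent-escapes; the constructor leaves them intact
            return new URI(scheme, null, original.getHost(), port,
                           original.getRawPath(), null, null).toString();
        } catch (URISyntaxException e) {
            throw new IllegalStateException("Container returned an unparsable request URL", e);
        }
    }

    /** Authorize URL with every dynamic parameter percent-encoded, state and nonce included. */
    static String buildAuthorizeUrl(String authority, String tenant, String clientId,
                                    String redirectUri, String state, String nonce) {
        try {
            return authority + tenant + "/oauth2/authorize"
                    + "?response_type=code"
                    + "&scope=" + URLEncoder.encode("user.read.all", "UTF-8")
                    + "&response_mode=form_post"
                    + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8")
                    + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                    + "&resource=" + URLEncoder.encode("https://graph.microsoft.com", "UTF-8")
                    + "&state=" + URLEncoder.encode(state, "UTF-8")
                    + "&nonce=" + URLEncoder.encode(nonce, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available in a JVM
        }
    }

    // Usage from the servlet or filter that starts the login (trustProxyHeaders from your config):
    //   String redirectUri = ForwardedUrl.effectiveRequestUrl(httpRequest, trustProxyHeaders);
    //   String redirectUrl = ForwardedUrl.buildAuthorizeUrl(authority, tenant, clientId,
    //                                                        redirectUri, state, nonce);
}
```

The redirect_uri sent to Azure AD is compared byte for byte against the value in the App Registration, so the rebuilt URL must match it exactly, including the absence of a port and the trailing path. If you also configure Tomcat's RemoteIpValve, pass trustProxyHeaders as false here and let the valve be the single place that decides which proxies are trusted.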