Tags: c#, azure-web-app-service, azure-ad-b2c, azure-front-door

'redirect_uri_mismatch', error_description: 'AADB2C90006:' for web app hosted in App Service behind Front Door


My web app is developed using ASP.NET Razor Pages and uses Azure AD B2C for authentication. This works locally without any errors. I have followed the instructions to set up the Redirect URL in B2C and configured the same URL for CallbackPath (without the base URL, as shown below) in the appsettings.json file.

  "AzureAdB2C": {
    "Instance": "#{ADB2C_Instance}#",
    "ClientId": "#{ADB2C_ClientId}#",
    "Domain": "#{ADB2C_Domain}#",
    "SignUpSignInPolicyId": "#{ADB2C_SignUpSignInPolicyId}#",
    "TenantId": "#{ADB2C_TenantId}#",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc",
    "ClientSecret": "#{ADB2C_ClientSecret}#"
  }

In Azure, it is set up this way:

Front Door => App Service

A custom domain is set up on the Front Door (https://abc.testwebsite.com) and the App Service uses its default URL (https://abc-testwebsite.azurewebsites.net).

In the AD B2C app registration I have added the Redirect URL using the Front Door custom URL (https://abc.testwebsite.com/signin-oidc).

The NuGet package Microsoft.Identity.Web is doing all the magic for the login. It automatically redirects to the AD B2C signin-oidc endpoint. This works correctly on the local PC. However, in Azure, as the "CallbackPath" is without the base URL, it is picking up the App Service default base URL and failing with the error 'redirect_uri_mismatch'. I tried adding the App Service URL in AD B2C, but then it redirects to the App Service URL (https://abc-testwebsite.azurewebsites.net/signin-oidc) instead of the Front Door URL (https://abc.testwebsite.com/signin-oidc).

Is there a workaround available for this? or am I missing some configuration?


Solution

  • Finally managed to solve this problem:

    Azure App Service uses X-Forwarded headers to determine the host name. I have added the lines below in Program.cs. That did the trick: it automatically picked up the correct host name after this change and logged in correctly.

     using Microsoft.AspNetCore.HttpOverrides;

     // Honour the X-Forwarded-Host / X-Forwarded-Proto headers that Front Door sets,
     // so Request.Host is the custom domain rather than the App Service host.
     services.Configure<ForwardedHeadersOptions>(options =>
     {
         options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
     });
    
    .....
    
    // Forwarded headers middleware should run before other middleware, in particular
    // before authentication, which builds redirect_uri from Request.Scheme and Request.Host.
    app.UseForwardedHeaders();
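As an added example (not the answerer's code and not anything shipped by Microsoft.Identity.Web), here is a complete Program.cs for the setup in the question with the forwarded-headers trust tightened. Once the app honours X-Forwarded-Host, any client that can reach the azurewebsites.net host directly can inject that header and have the app build redirect_uri and absolute links for a host it does not own. The example therefore restricts accepted forwarded hosts with ForwardedHeadersOptions.AllowedHosts and rejects requests that did not come through Front Door by checking the X-Azure-FDID header that Front Door adds. The host names, the `FrontDoor:Id` configuration key and the `AzureAdB2C` section layout are assumptions; the Front Door ID is the value shown on your Front Door resource's overview.

```csharp
// Added example, not code from the question or answer. Host names and the
// FrontDoor:Id setting are placeholders; replace them with your own values.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Same AzureAdB2C section as in appsettings.json (assumed layout).
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

// Front Door sets X-Forwarded-Host / X-Forwarded-Proto. The OIDC handler builds
// redirect_uri from Request.Scheme + Request.Host + CallbackPath, so the app must
// honour these headers to produce https://abc.testwebsite.com/signin-oidc.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;

    // Hardening: only accept a forwarded host that is one of our own host names
    // (assumed values). Without this, any client reaching the azurewebsites.net
    // host directly can inject X-Forwarded-Host and poison redirect_uri and links.
    options.AllowedHosts.Add("abc.testwebsite.com");              // Front Door custom domain
    options.AllowedHosts.Add("abc-testwebsite.azurewebsites.net"); // App Service default host

    // The defaults only trust loopback proxies, and the App Service front end that
    // forwards to the worker is not loopback, so the headers would be ignored.
    // Clearing these is safe here only because the headers are constrained by
    // AllowedHosts above and by the X-Azure-FDID check below.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

var app = builder.Build();

// Must run before anything that reads Request.Host or Request.Scheme.
app.UseForwardedHeaders();

// Hardening: Front Door stamps every request with X-Azure-FDID = the Front Door
// ID of the resource. Reject requests that bypass Front Door and hit the
// App Service directly, so only Front Door can supply the forwarded headers.
// FrontDoor:Id is an assumed configuration key; fail closed if it is missing.
var expectedFdid = builder.Configuration["FrontDoor:Id"]
    ?? throw new InvalidOperationException("FrontDoor:Id is not configured");

app.Use(async (context, next) =>
{
    var fdid = context.Request.Headers["X-Azure-FDID"].ToString();
    if (!string.Equals(fdid, expectedFdid, StringComparison.OrdinalIgnoreCase))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next();
});

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();

app.Run();
```

The X-Azure-FDID check is a defence in depth for the case where the azurewebsites.net host stays reachable; if you instead lock the App Service down with an access restriction that admits only the Front Door service tag, the middleware becomes redundant but harmless. Keep AllowedHosts in either case, since it is what stops a forwarded host the app does not own from ever reaching the OIDC handler.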