
Error AADSTS50011 when using Blazor and AAD in an Azure Container App


I have a .NET 8 containerized Blazor Server web app running in an Azure Container App. The application is deployed from the image mcr.microsoft.com/dotnet/aspnet:8.0.1-alpine3.18-amd64.

# Runtime stage
FROM mcr.microsoft.com/dotnet/aspnet:8.0.1-alpine3.18-amd64 AS base
WORKDIR /app

# Build stage: install the Azure Artifacts credential provider so restore can
# reach the private feed, then publish the project.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
RUN curl -L https://raw.githubusercontent.com/Microsoft/artifacts-credprovider/master/helpers/installcredprovider.sh  | sh

COPY /src .
COPY /NuGet.config .
COPY /Directory.Build.props .

ARG FEED_ACCESSTOKEN
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS="{\"endpointCredentials\": [{\"endpoint\":\"https://pkgs.dev.azure.com/xxx/_packaging/xxx/nuget/v3/index.json\", \"username\":\"docker\", \"password\":\"${FEED_ACCESSTOKEN}\"}]}"

RUN dotnet publish "Portal/Portal.csproj" -r linux-x64 -c Release -o /app/publish /p:UseAppHost=false

# Final stage: copy the published output onto the runtime image.
FROM base AS final
WORKDIR /app
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "Portal.dll"]

A custom domain has been added so that I can access my app at the URL https://admin-dev.mydomain.ca which redirects the user to https://admin-app-dev-01.xxx.canadacentral.azurecontainerapps.io.

The UI requires user authentication through Azure Active Directory. I have a Registered App set up and the Redirect URL is something like https://admin-dev.mydomain.ca/signin-oidc.

[Image: Registered App Redirect URL Configuration]

I have found many questions on Stack Overflow regarding AADSTS50011 that deal with the TLS termination issue (i.e. the https gets lost in the load balancer). So in my app, I have added the following:

using Microsoft.AspNetCore.HttpOverrides;

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

// Honour X-Forwarded-For / X-Forwarded-Proto set by the ingress that
// terminates TLS in front of the container.
builder.Services
        .Configure<ForwardedHeadersOptions>
        (
            options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | 
                                           ForwardedHeaders.XForwardedProto;
                // Only loopback proxies are allowed by default.
                // Clear that restriction because forwarders are enabled by explicit 
                // configuration.
                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();
            }
        )
        ;

...

And later on:

...

WebApplication app = builder.Build();

//  This is required to manage the case of the Container App being contacted
//  over HTTP which causes a mismatch with the configured Redirect URL.
//  It must run before any middleware that reads Request.Scheme.
app.UseForwardedHeaders();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");

    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

Problem

I thought I had everything properly configured but it is not the case. When I go to https://admin-dev.mydomain.ca, I am redirected to the AAD login page. I enter my credentials and then it fails when AAD tries to redirect me to http://admin-dev.mydomain.ca because the URL is not part of the authorized Redirect URL.

AADSTS50011: The redirect URI 'http://admin-dev.mydomain.ca/signin-oidc' specified in the request does not match the redirect URIs configured for the application 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.

I thought I had followed the documentation but I obviously missed something and I do not know what.

Question

How do I configure my containerized Blazor app running in a Container App to allow authentication through AAD?


Solution

  • The error usually occurs if the Azure AD redirect URL is not configured properly, that is, if the configured redirect URL does not match the redirect URL sent in the request.

    To resolve the error, you have to configure proxy servers and load balancers. Refer to this MS Doc.

    • Set the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true.
    • Set the SSL redirect URL to true.

    By default, TLS is enabled if the controller redirects HTTP clients to port 443.

    In ingress yaml file,

     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/use-regex: "true"
    

    If you are using .NET, then make sure to set the forwarded headers setting to true.

    References:

    • Redirect URL changes from https to http after users authenticated with Azure Active Directory in Azure AKS - Stack Overflow, by Hoang Minh
    • azure - Redirect after authentication is to http when it should be https - Stack Overflow, by Itay Podhajcer
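The following Program.cs is an added example, not code from the question or the answer above. It puts the pieces together for a Blazor Server app behind Azure Container Apps ingress: forwarded-headers processing registered first in the pipeline, Azure AD sign-in through Microsoft.Identity.Web (an assumed dependency, configured from an assumed "AzureAd" configuration section), and a belt-and-braces OpenID Connect event that forces the redirect_uri to https if the scheme still arrives as http. Package names, the "AzureAd" section and the page layout ("/_Host") are assumptions.

```csharp
// Added example (not from the original post). Assumes the Microsoft.Identity.Web and
// Microsoft.Identity.Web.UI packages and an "AzureAd" section in appsettings.json.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// 1. The ingress terminates TLS and talks plain HTTP to the container, passing the
//    original scheme in X-Forwarded-Proto. Without this, Request.Scheme is "http"
//    and the OIDC handler builds an http:// redirect_uri, which AAD rejects (AADSTS50011).
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Default trust is loopback only. The container is reachable only via the ingress,
    // so clearing both lists is the usual approach here; be aware it means any caller
    // that can reach the container directly could spoof X-Forwarded-For.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    // Only one proxy hop (the ingress) is expected in front of the app.
    options.ForwardLimit = 1;
});

// 2. Azure AD sign-in. The redirect_uri sent to AAD is "<scheme>://<host>/signin-oidc".
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// 3. Safety net: if forwarded headers were not applied for some reason, rewrite an
//    http:// redirect_uri to https:// before the request is sent to AAD. The original
//    Microsoft.Identity.Web event handler is preserved by chaining to it.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var inner = options.Events.OnRedirectToIdentityProvider;
    options.Events.OnRedirectToIdentityProvider = async ctx =>
    {
        var uri = ctx.ProtocolMessage.RedirectUri;
        if (uri is not null && uri.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
        {
            ctx.ProtocolMessage.RedirectUri = "https://" + uri.Substring("http://".Length);
        }
        if (inner is not null)
        {
            await inner(ctx);
        }
    };
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();
builder.Services.AddServerSideBlazor().AddMicrosoftIdentityConsentHandler();

var app = builder.Build();

// Order matters: forwarded headers must be processed before HSTS, HTTPS redirection,
// authentication, or anything else that reads Request.Scheme or Request.Host.
app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();
```

Setting ASPNETCORE_FORWARDEDHEADERS_ENABLED=true on the container is equivalent to step 1 plus the UseForwardedHeaders() call: the runtime adds a startup filter that registers the middleware first with X-Forwarded-For and X-Forwarded-Proto enabled and the KnownNetworks/KnownProxies lists cleared. To confirm the ingress is actually sending the header, temporarily log ctx.Request.Headers["X-Forwarded-Proto"] and ctx.Request.Scheme from a minimal endpoint; if the header is present but Scheme is still "http", the middleware is either missing or registered too late in the pipeline.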