I have a .NET 6 Linux application behind an httpd reverse proxy.
When redirected to Azure for authentication, I get the following error:
AADSTS90102: 'redirect_uri' value must be a valid absolute URI.
And the URL above is
I think the big takeaway here is redirect_uri=http%3A%2F%2F%28null%29%2Fsignin-oidc
I have all the following in my Program.cs:

```csharp
// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();
app.Run();
```
And my appsettings.json is:

```json
"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mydomain.com",
    "TenantId": "xxx",
    "ClientId": "yyy",
    "CallbackPath": "/signin-oidc"
}
```
My Enterprise application has the following URL:
https://somesite-dev.mydomain.com/signin-oidc

And my httpd configuration has:

```apache
ServerName somesite-dev.mydomain.com
ProxyRequests Off
RequestHeader set Host %{HOST}s
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
RequestHeader set X-Forwarded-Host %{SERVER_NAME}s
ProxyPass / http://1.2.3.4:8888/
ProxyPassReverse / http://1.2.3.4:8888/
```

xxx, yyy, zzz, somesite-dev, and mydomain.com are changed for security reasons.
With all that, why is my redirect URI null? This works fine from the VS debugger.
I have removed the additional entries from the Enterprise Application so that it contains only ServerName somesite-dev.mydomain.com:
[Azure AD Callback](https://i.stack.imgur.com/8cr7x.png)
Update 1
It is no longer null, but I get this instead:
AADSTS50011: The redirect URI 'https://1.2.3.4:8888/signin-oidc' specified in the request does not match the redirect URIs configured for the application 'yyy'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
The IP matches the server behind the reverse proxy.

```apache
ProxyRequests Off
RequestHeader set Host somesite-dev.mydomain.com
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
RequestHeader set X-Forwarded-Host %{SERVER_NAME}s
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
ProxyPass / http://1.2.3.4:8888/
ProxyPassReverse / https://somesite-dev.mydomain.com/
```
Update 2
I've had to add this to my Program.cs and now it works.

```csharp
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Events = new OpenIdConnectEvents
    {
        // Force the redirect_uri sent to Azure AD to the public address of the site.
        OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.RedirectUri = "https://somesite-dev.mydomain.com/signin-oidc";
            return Task.CompletedTask;
        }
    };
});
```
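An alternative to hardcoding the redirect URI, as an added example that is not the poster's code: the OIDC handler builds redirect_uri from Request.Scheme and Request.Host, and behind a proxy those only reflect the public scheme and name if the forwarded-headers middleware is told which headers to honour (with the default options it honours none) and which proxy to trust. The proxy address 10.0.0.1 and the AzureAd section name are assumptions.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // ForwardedHeadersOptions.ForwardedHeaders defaults to None, so a bare
    // app.UseForwardedHeaders() changes nothing and the app keeps building URLs
    // from the backend address the proxy connected to (http://1.2.3.4:8888).
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // Only accept X-Forwarded-* from the httpd host (placeholder address). Without
    // this, anyone who can reach port 8888 directly could rewrite the scheme/host
    // the app uses in redirect_uri and other self-referencing links.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.1"));

    // Refuse forwarded hosts other than the name registered in Azure AD.
    options.AllowedHosts.Add("somesite-dev.mydomain.com");
});

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options => options.FallbackPolicy = options.DefaultPolicy);
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

// Must run before anything that reads Request.Scheme / Request.Host,
// i.e. before HTTPS redirection and before the authentication middleware.
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();
app.Run();
```

With this in place the redirect_uri becomes https://somesite-dev.mydomain.com/signin-oidc from the X-Forwarded-Proto and X-Forwarded-Host values httpd already sets, and the OnRedirectToIdentityProvider override is no longer needed.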
You must use HTTPS for the redirect URI because otherwise cookies (due to the samesite attribute) will be blocked, and everything will break.
Perhaps remove as this is typically set as the default anyway.
Or make the URL in there absolute, like: