Microsoft identity - Issues connecting through CDN

[davebally]

Hi there,

Im using Microsoft Identity( AddMicrosoftWebAppAuthentication) to authenticate users.
This all works fine when using localhost for dev and when deployed to our K8S clusters, lets call them east and west ie east.myorg.com and west.myorg.com.

So i can goto https://east.myorg.com and https://west.myorg.com and get authenticated.
However when i used a CDN to control the traffic ( say https://mycdn.myorg.com ) it fails as the redirection is to east or west.myorg.com.

Now the CDN has to rewrite the the HOST header so that the request gets routed internally ( not sure if this is part of the problem or not) but when i goto https://mycdn.myorg.com that presents both east and west sites , i get routed to https://east(or west).mysite.org/signin-oidc.

When using AddMicrosoftAccount you can use the events to control the redirect url, however i cant find the secret sauce to do similar with AddMicrosoftWebAppAuthentication.

Any ideas?

Thanks
Dave

[Tratcher]

Does the cdn forward you the original host header? E.g. "x-forwarded-host: mycdn.myorg.com"?

See the proxy docs for fixing up the host on the request rather than trying to customize the redirect.
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1

[davebally]

Hi Chris, yes is does and have double checked with a controller that just outputs the headers. Ive even tried some middleware that updates the host to x-forwarded-host. When i do that i get

`An unhandled exception occurred while processing the request.
Exception: Unable to unprotect the message.State.
Unknown location

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()`

Im not sure if thats a step backwards or forwards :)

[Tratcher]

That does sound like progress, you wouldn't get that error until after the redirect.

Are you running multiple instances of your site such that the client may return to a different one after the redirect? If so you'll need to set up the DataProtection to be shared.
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/web-farm?view=aspnetcore-3.1#data-protection

[davebally]

Hi Chris, thanks for your help. Thats seems to have got it. Ive gone down to 1 replica and its working as expected. I fixed a bug in the middleware that was causing the occasional 500 error too.