azure - 当 Azure APP 服务位于 NGINX 等反向代理后面时,如何更改 MSAL 回复 URL?
问题描述
我将跳过通常的关于花费时间、挫折、MS 愚蠢等的咆哮。
我试图尽可能完整
我们有 5 个 Azure 应用服务、3 个 aspdotnet core 5.0 和 2 个 Blazor Server 应用,我们正在使用 Azure AD B2B。
我们让前两个或三个在 Front Door 上工作,然后发现它不支持 SignalR(websockets)。等等,我答应过不吐槽的。
我们切换到 NGINX。
下面是基本配置(全是https)。它很冗长,我在写这篇文章时检查了每一个,希望能找到一个错误。
- app1.azurewebsites.net
- app2.azurewebsites.net
- app3.azurewebsites.net
- app4.azurewebsites.net
- app5.azurewebsites.net
我们需要它像这样工作
- domain.com/ - app1
- domain.com/app2
- domain.com/app3
- domain.com/app4
- domain.com/app5
AD 中的重定向 URI、应用程序配置覆盖和 appsettings.config 设置为
- domain.com/signin-oidc
- domain.com/app2/signin-oidc
- domain.com/app3/signin-oidc
- domain.com/app4/signin-oidc
- domain.com/app5/signin-oidc
我当前的 NGNIX 配置是
server_name domain.com
listen 80;
listen [::]:80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/mycert.cert;
ssl_certificate_key /etc/nginx/ssl/mycert.prv;
location /app2 {
proxy_pass https://app2.azurewebsites.net/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header X-Real-Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass https://app1.azurewebsites.net/;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
应用服务都有这个代码。
public void ConfigureServices(IServiceCollection services)
{
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders =
ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto |
ForwardedHeaders.XForwardedHost;
});```
When I try domain.com in the browser I get this error
**AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '{ClientId Guid}'.**
When I inspect the request it looks like this
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientId Guid}&redirect_uri=https://app1.azurewebsites.net/signin-oidc ...
This is true for all of the apps
I am at a loss as how to solve this. MS support was no help even in a made up non-NGINX scenario.
I hired a NGINX "expert" who got nowhere.
I have a call scheduled EOW with OKTA, who "believe" they have a solution.
None of this is optimal and has wrecked hours of CI/CD work.
Has anyone made this work? If so how?
TIA
G
解决方案
我相信这是一种解决方法,但您是否尝试将 AD 的重定向 URI 更改为 *.azurewebsites.net 而不是 domain.com/appN/signin-oidc?
推荐阅读
- swagger - 是否可以在 OpenAPI 3.0 的根级别指定默认请求/响应格式?
- google-sheets - 如何使用 IFS 函数“关闭”我的索引公式?
- python-3.x - 该插槽不适用于 QListWidget itemClicked (pyqt)
- vue.js - 用户在 vuejs 中的 FullCalendar 切换事件
- c++ - 枚举可变参数模板参数包
- xml - 如何在 XML 中处理 # 和多个 tns:?
- reactjs - 单击主体上的侦听器(某些 div 除外)
- sql - HIVE:使用原始表中特定列的 n 值创建一个包含 n 列的新表
- r - 如何将日期转换为最近的周末(星期六)
- vbscript - 带小时和分钟的 VBS 时间范围