azure - 当 Azure APP 服务位于 NGINX 等反向代理后面时，如何更改 MSAL 回复 URL？

问题描述

我将跳过通常的关于花费时间、挫折、MS 愚蠢等的咆哮。

我试图尽可能完整

我们有 5 个 Azure 应用服务、3 个 aspdotnet core 5.0 和 2 个 Blazor Server 应用，我们正在使用 Azure AD B2B。

我们让前两个或三个在 Front Door 上工作，然后发现它不支持 SignalR（websockets）。等等，我答应过不吐槽的。

我们切换到 NGINX。

下面是基本配置（全是https）。它很冗长，我在写这篇文章时检查了每一个，希望能找到一个错误。

• app1.azurewebsites.net
• app2.azurewebsites.net
• app3.azurewebsites.net
• app4.azurewebsites.net
• app5.azurewebsites.net

我们需要它像这样工作

• domain.com/ - app1
• domain.com/app2
• domain.com/app3
• domain.com/app4
• domain.com/app5

AD 中的重定向 URI、应用程序配置覆盖和 appsettings.config 设置为

• domain.com/signin-oidc
• domain.com/app2/signin-oidc
• domain.com/app3/signin-oidc
• domain.com/app4/signin-oidc
• domain.com/app5/signin-oidc

我当前的 NGNIX 配置是

   server_name domain.com
   listen 80;
   listen [::]:80;

   listen 443 ssl;

   ssl_certificate /etc/nginx/ssl/mycert.cert;
   ssl_certificate_key /etc/nginx/ssl/mycert.prv;

    location /app2 {
      proxy_pass https://app2.azurewebsites.net/;
       proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   X-Real-Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
    location / {
      proxy_pass https://app1.azurewebsites.net/;
      proxy_redirect          off;
      proxy_set_header        X-Forwarded-Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
   }
}

应用服务都有这个代码。

public void ConfigureServices(IServiceCollection services)
        {

           services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | 
             ForwardedHeaders.XForwardedHost;

            });```

When I try domain.com in the browser I get this error


**AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '{ClientId Guid}'.**

When I inspect the request it looks like this

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientId Guid}&redirect_uri=https://app1.azurewebsites.net/signin-oidc ...

This is true for all of the apps

I am at a loss as how to solve this. MS support was no help even in a made up non-NGINX scenario.

I hired a NGINX "expert" who got nowhere.

I have a call scheduled EOW with OKTA, who "believe" they have a solution.

None of this is optimal and has wrecked hours of CI/CD work.

Has anyone made this work? If so how?

TIA

G

标签： azureasp.net-corenginxmsal