[Bug]Azure AD Application Gateway redirect to /signin-oidc which return 404

[Fresher900]

Which version of Microsoft Identity Web are you using?
Microsoft Identity Web 1.10.0

Where is the issue?

• Web app

Is this a new or an existing app?

c. This is a new app or an experiment.

behavior
I am working on a ASP.net core 3.1 application which works fine on localhost and on our private network. But we want to make it available to some people outside our network, so we are using Azure application gateway for that.

We registered the app on the Application Gateway, but when the link it tried it gets redirect to the [private-network-url]/signin-oidc , which returns a 404.

I expect that when we launch the Application Gateway address, it calls the correct appservice and which will do the authentication and take me to home page.

Possible solution
I read about a possible solution in StackOverflow.
https://stackoverflow.com/questions/48399699/azure-ad-redirect-url-using-application-gateway

I tried it,

            var initialScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).
                AddOpenIdConnect(options =>
                {
                    Task RedirectToIdentityProvider(RedirectContext ctx)
                    {
                        ctx.ProtocolMessage.RedirectUri = "https://{AzureAppGatewayUrl}/signin-oidc";
                        return Task.FromResult(0);
                    }

                    options.Events = new OpenIdConnectEvents
                    {
                        OnRedirectToIdentityProvider = RedirectToIdentityProvider
                    };
                
                })
                .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"))
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddDownstreamWebApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
                .AddInMemoryTokenCaches();

But getting the error below,

Not sure how I would do it with the Microsoft.Identity.Web library?

Is getting 404 an expected behaviour?

[jmprieur]

@NewbieDev123
Could you please try:

ar initialScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).
    .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"))
       .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddDownstreamWebApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
                .AddInMemoryTokenCaches();

services.Configure<MicrosoftIdentityOptions>(OpenIdConnectDefaults.AuthenticationScheme, 
options =>
{
 Task RedirectToIdentityProvider(RedirectContext ctx)
 {
  ctx.ProtocolMessage.RedirectUri = "https://{AzureAppGatewayUrl}/signin-oidc";
  return Task.FromResult(0);
 }

 var previousEvent = options.Events.OnRedirectToIndentityProvider;
 options.Events.OnRedirectToIdentityProvider = context => { previousEvent(context); RedirectToIdentityProvider(ctx};
  });

However, I think that the right way to achieve what you want is by following the guidance in this article: https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers

[Fresher900]

@jmprieur , thanks for your reply.
I tried your code. I am not sure if I am missing something, but I am getting an error.

[Fresher900]

@jmprieur ,pardon my limited knowledge in Azure Application gateway, but is it a linux container?
I tried to add the below code, but did not work. But I think because mine is a .netcore 3.1 app, I will need to set it in Azure Portal as mentioned in the link you posted before. I will try it and let you know. Thanks.

services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            });

[Fresher900]

@jmprieur I tried adding the ASPNETCORE_FORWARDEDHEADERS_ENABLED key in the appsettings of the appservice. But that too did not work.

When I launch the App Gateway URL, it tries to login and then gets redirected to {internalurl}/signin-oidc, which returns a 404. I think it is correct because that is set as the reply url. But doesn't that happens internally.

I mean when I launch the internal url, I have never seen it redirecting to the /signin-oidc, so I thought it might be happening internally. And in this case it goes directly to the home page. I believe after login the authentication server might be sending some information(tokens) to the /sigin-oidc and gets redirected to homepage.Is that right?

I cannot understand why that does not happen when the appservice is registered in the App Gateway.

[jennyf19]

@NewbieDev123 did you add this in Configure:
app.UseForwardedHeaders();

[Fresher900]

@jmprieur , yes I did.

I removed it when I added the ASPNETCORE_FORWARDEDHEADERS_ENABLED appsetting parameter in the Azure Portal.
Tried adding it back now just because it was mentioned. But both did not work.

[jennyf19]

@Tratcher can you help with this one? thanks.

[Tratcher]

@NewbieDev123 I think your scenario requires ForwardedHeaders.XForwardedHost so it can generate urls using the external host.

            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
            });

You can check the troubleshooting output from here to make sure the gateway is sending you an X-Forwarded-Host header.

[Fresher900]

@Tratcher I tried ForwardedHeaders.XForwardedHost, but that did not work. I will go through the troubleshooting document and let you know.

Just one quick question. I was under the impression when we add ASPNETCORE_FORWARDEDHEADERS_ENABLED appsetting parameter in the Azure Portal the middleware will be automatically added and I will not have to add the header code in the StartUp.cs. Is that not the way it works?

[Tratcher]

Just one quick question. I was under the impression when we add ASPNETCORE_FORWARDEDHEADERS_ENABLED appsetting parameter in the Azure Portal the middleware will be automatically added and I will not have to add the header code in the StartUp.cs. Is that not the way it works?

Yes it should, though that doesn't include X-Forwarded-Host by default.
https://github.com/dotnet/aspnetcore/blob/72444f90d1e9cb8ff2e7364168eea9baec6e8e92/src/DefaultBuilder/src/WebHost.cs#L247-L258

[freemstr]

I seem to be encountering the same issue.
Could you please suggest a way of setting redirect_uri based on XForwardedHost value?

App Gateway is listening on dev-ex.companyname.com
Site is hosted on companyname.azurewebsites.net on a windows service

Rewrite rule is setting X-Forwarded-Host

HttpContext.Request.Headers are as follows:
X-AppGW-Trace-Id :24e1a4fc990a5bac6e6592676342d8f2;
X-ORIGINAL-HOST :dev-ex.companyname.com;
X-FORWARDED-PROTO :https;
X-FORWARDED-PORT :443;
X-Forwarded-For :0.0.0.0:0000; (this works)
X-Original-URL :/healthcheck;
X-Forwarded-Host :dev-ex.companyname.com;

B2C auth is configured for dev-ex.companyname.com/signin-oidc
but redirect_uri being used is companyname.azurewebsites.net

Configuration in the Startup:

services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.All;
            });

as well as
app.UseForwardedHeaders();

Thank you.

[Tratcher]

Where is UseForwardedHeaders in your Startup.Configure method? It should be near the top.

What's the current Host header before and after UseForwardedHeaders ?

[freemstr]

@Tratcher
Thank you for prompt response

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IOptionsMonitor<AppSettings> settings)
        {
            if (settings.CurrentValue.UseDeveloperExceptionPage)
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseForwardedHeaders();

            if (!env.IsDevelopment())
            {
                app.UseHsts();
            }

[freemstr]

@Tratcher

I set up a HealthCheck in a quick prototype project

HttpContext.Request.Host that comes back from the HealthCheck endpoint is companyname.azurewebsites.net

So

Host: companyname.azurewebsites.net
while

X-Forwarded-Host: dev-ex.companyname.com 
X-ORIGINAL-HOST: dev-ex.companyname.com;

There is also

DISGUISED-HOST: companyname.azurewebsites.net
WAS-DEFAULT-HOSTNAME: companyname.azurewebsites.net

Not sure if this has any effect
X-ARR-SSL: .......CN=*.azurewebsites.net.......

[Tratcher]

X-Forwarded-Host is the expected input, so why isn't it being applied.

Try this so we can rule out issues with the IP:

            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
            });

Also enable server debug logs to see if there are any complaints on that end.

[jmprieur]

@freemstr did Tratcher's advice solve your issues?

[freemstr]

@jmprieur @Tratcher
Thank you, limiting forwarded headers to ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto and ensuring UseForwardedHeaders are as close to the top as possible took me further in the process.
I still do not have a fully functional configuration with B2C failing to redirect, working theory is that it is due to some further issues with PathBase and likely gateway configuration. I will update here with final successful config.

[freemstr]

@jmprieur @Tratcher
Thank you for your help
Application is working as designed now.

[Fresher900]

Hi @jmprieur @Tratcher
Sorry for the delay in replying.

I tried the logging code and it gave me few details. One error that happen when trying to application gateway endpoint is the below.

[Warning] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler:

'.AspNetCore.Correlation.OpenIdConnect.*********' cookie not found.
[Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: Error from RemoteAuthentication: Correlation failed..
[Error] Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware: An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Correlation failed.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
[Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: OpenIdConnect was not authenticated. Failure message: Not authenticated
[Information] Microsoft.AspNetCore.Hosting.Diagnostics: Request finished in 2.****ms 404

Also in the logs I could see the following details.

X-ORIGINAL-HOST: Application_Gateway_url
Host: Internal_ASE_URL
X-AppService-Proto: https
X-Forwarded-For: Client_IP
X-Original-Proto: https
DISGUISED-HOST: Internal_ASE_URL
Cookie: ga*********

I could not find X-Forwarded-Host or X-Forwarded-Proto in the logs.

[smartsavage]

I had a similar issue.
In my case, I use IIS ARR to rewrite the request to http://localhost:5000, but the request gets redirect to http://localhost:5000/signin-oidc after clicking sign in button.
I have following code in startup.cs, but it doesnot work
services.Configure(options =>
{
options.ForwardedHeaders =
ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});
...
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseForwardedHeaders();

Eventually, I got the redirect uri problem fixed by using following code but get "Correlation failed" error as newbiedev123

        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,
                                   options =>
                                   {

                                       var redirectToIdpHandler = options.Events.OnRedirectToIdentityProvider;
                                       options.Events.OnRedirectToIdentityProvider = async context =>
                                       {
                                           // Call what Microsoft.Identity.Web is doing
                                           await redirectToIdpHandler(context);


                                           if (context.Request.Headers.ContainsKey("X-Forwarded-By") && context.Request.Headers.ContainsKey("X-Original-URL"))
                                           {
                                               context.ProtocolMessage.RedirectUri = $"https://{context.Request.Headers["X-Forwarded-By"]}{context.Request.Headers["X-Original-URL"]}/signin-oidc";
                                           }

                                       };
                                   });

any solution to fix "Correlation failed" error?

...

[Tratcher]

@NewbieDev123 that usually indicates an issue with the temp cookies used for authentication. If you capture a network trace with a tool like you should see the cookie properties set on the challenge request. In this scenario I'd guess your cookies are either not marked with SameSite=None or are missing the secure attribute. The secure attribute issue is caused by being behind a proxy and not setting HttpRequest.Scheme back to https. The forwarders described above can help with that.

[Tratcher]

@smartsavage your case is probably the same. Follow the troubleshooting steps here to capture the request headers and figure out how to configure the forwarders.
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-5.0#troubleshoot

Try starting with this:

options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;

[smartsavage]

fixed Correlation failed" error with this code

        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
            options.Secure = CookieSecurePolicy.Always;
            options.HandleSameSiteCookieCompatibility();
        });

[Fresher900]

@Tratcher
Thanks for your reply. So now my Startup looks like the below,

public void ConfigureServices(IServiceCollection services)
{
var initialScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)            
	.AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"))
	   .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
				.AddDownstreamWebApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
				.AddInMemoryTokenCaches();
**
**services.Configure<ForwardedHeadersOptions>(options =>
{
	options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
});
services.Configure<CookiePolicyOptions>(options =>
{
	options.CheckConsentNeeded = context => true;
	options.MinimumSameSitePolicy = SameSiteMode.None;
	options.Secure = CookieSecurePolicy.Always;
	options.HandleSameSiteCookieCompatibility();
});**           

**
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env,
ILogger<Startup> logger)
{
app.UseForwardedHeaders();
app.Use(async (context, next) =>
{
	logger.LogInformation("Request Method: {Method}", context.Request.Method);
	logger.LogInformation("Request Scheme: {Scheme}", context.Request.Scheme);
	logger.LogInformation("Request Path: {Path}", context.Request.Path);

	foreach (var header in context.Request.Headers)
	{
		logger.LogInformation("Header: {Key}: {Value}", header.Key, header.Value);
	}

	logger.LogInformation("Request RemoteIp: {RemoteIpAddress}",
		context.Connection.RemoteIpAddress);

	await next();
});
**
app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

**
}

I can see in the logs that OpenId is challenged after every set of headers.

Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: OpenIdConnect was not authenticated. Failure message: Not authenticated
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Authorization failed.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: AuthenticationScheme: OpenIdConnect was challenged.
Microsoft.AspNetCore.Hosting.Diagnostics: Request finished

Also I am still getting the Correlation error.

My application is not a B2C application, it is just an Azure Ad Authenticated application. I thought it was a token based authentication and not cookie based authentication. So what is this temporary cookie used for? Do you have any documentation links for the temporary cookie, please?

I am just wondering if there could be a setting in the application gateway for cookie which is causing the issue?cookie based affinity?

[Tratcher]

Note CookiePolicyOptions is ineffective without the matching UseCookiePolicy middleware.

OpenIdConnectHandler stores temp state in cookies during the login and persists it's results in cookies after so the user remains logged in for future requests.

What's written to the logs by this?

	logger.LogInformation("Request Method: {Method}", context.Request.Method);
	logger.LogInformation("Request Scheme: {Scheme}", context.Request.Scheme);
	logger.LogInformation("Request Path: {Path}", context.Request.Path);

	foreach (var header in context.Request.Headers)
	{
		logger.LogInformation("Header: {Key}: {Value}", header.Key, header.Value);
	}

[Fresher900]

@Tratcher , I realised I missed the cookie policy after posting the comment. Adding it did not make any changes. But I forgot to update the comment.

app.UseCookiePolicy();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

When I launch the app gateway url, two requests get executed(shown in logs).

1. Get request to the internal ASE url, with the below logs

Request Method: GET
Request Scheme: https
Request Path: /
**
Header: Cookie: Few cookies seperated by ;
Header: Host: Internal_ASE_Url
Header: Max-Forwards: 9
**
Header: X-FORWARDED-PORT: 443
Header: X-ORIGINAL-HOST:Application_Gateway_url
Header: X-Original-URL: /
Header: X-Forwarded-For: Couple of IP's(including Client IP)
**
Header: CLIENT-IP: Client_IP
Header: DISGUISED-HOST: Internal_ASE_Url
Header: X-SITE-DEPLOYMENT-ID: Internal_ASE_Url
Header: WAS-DEFAULT-HOSTNAME: Internal_ASE_Url
Header: X-AppService-Proto: https
Header: X-Forwarded-TlsVersion: 1.2
Header: X-Original-Proto: https
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: OpenIdConnect was not authenticated. Failure message: Not authenticated
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Authorization failed.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: AuthenticationScheme: OpenIdConnect was challenged.

2. Post request to the /signin-oidc

Request Method: POST
Request Scheme: https
Request Path: /signin-oidc
Header: Accept: text/html,***
**
Header: Cookie:; ARRAffinitySameSite=
Header: Host: Internal_ASE_Url
Header: Max-Forwards: 10
Header: Referer: https://login.microsoftonline.com/
**
Header: Origin: https://login.microsoftonline.com
Header: Sec-Fetch-Site: cross-site
Header: Sec-Fetch-Mode: navigate
Header: Sec-Fetch-Dest: document
Header: X-WAWS-Unencoded-URL: /signin-oidc
Header: CLIENT-IP: Client_IP
**
Header: DISGUISED-HOST: Internal_ASE_Url
Header: X-Original-URL: /signin-oidc
Header: X-Forwarded-For: Client_Ip
**
Header: X-AppService-Proto: https
Header: X-Forwarded-TlsVersion: 1.2
Header: X-Original-Proto: https
[Warning] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: '.AspNetCore.Correlation.OpenIdConnect.********' cookie not found.
[Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: Error from RemoteAuthentication: Correlation failed..
[Error] Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware: An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Correlation failed.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
[Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: OpenIdConnect was not authenticated. Failure message: Not authenticated

[Tratcher]

Ok, the request headers look fine. The only other thing you haven't shown yet is the response cookies where the .AspNetCore.Correlation.OpenIdConnect is set. We'd need to see all the attributes.

Try this:

	await next();

	foreach (var header in context.Response.Headers)
	{
		logger.LogInformation("Header: {Key}: {Value}", header.Key, header.Value);
	}

[Fresher900]

@Tratcher , the response headers are as below.

1. During the get request after the Open ID was challenged,

Startup: Header: Request-Context: appId=cid-v1: not sure of this ID
Startup: Header: Strict-Transport-Security: max-age=2592000
Startup: Header: Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.AbCd********; expires={date_time} GMT GMT; path=/signin-oidc; secure; samesite=none; httponly, .AspNetCore.Correlation.OpenIdConnect.******; expires={date_time} GMT; path=/signin-oidc; secure; samesite=none; httponly
Startup: Header: Location: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?client_id={clientId}&redirect_uri={internal_ase_url}/signin-oidc&response_type=code&scope=openid%20profile%20offline_access%20api%3A%2F%2F{api_clientid}%2Fapi.read&code_challenge=*****&code_challenge_method=S256&response_mode=form_post&nonce={nonce_value}&client_info=1&x-client-brkrver=IDWeb.1.13.1.0&state={state}&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
Diagnostics: Request finished in 1.4311ms 302

2. During the post request after the Correlation failed,

[Information] Startup: Header: Strict-Transport-Security: max-age=2592000
[Information] Microsoft.AspNetCore.Hosting.Diagnostics: Request finished in 123.6541ms 404

The reply url is set as the internal_ase_url/signin-oidc. It is strange that when launching the app_gateway_url it gets rediretced to the internal_ase_url/signin-oidc and comes back with 404. Isn't that suppose to happen internally? I mean isn't that handled by the microsoft.identity.web?

[Tratcher]

The client is sending that initial request to app_gateway_url, right? Then the redirect_uri is your issue, it should use the public host visible to the client (app_gateway_url). That's what the client saves the cookies under.

If X-ORIGINAL-HOST is the name of the header the gateway is sending you (I'd mixed that up with the name of the header the middleware stores old values in, it's the same but cased differently), then you need to update ForwardedHostHeaderName.
https://github.com/dotnet/aspnetcore/blob/574a3ff36ab54421dd4f82b4168ad6bf61750e2d/src/Middleware/HttpOverrides/src/ForwardedHeadersOptions.cs#L25

[Fresher900]

@Tratcher thanks.

I will try those and let you know.

[Fresher900]

@Tratcher that worked. Thank you very much.

[ferantivero]

For those like me out there following this great thread that provides a lot of insights, I'd like to add something on top of it while working with App Gw WAF_v2 + Identity + App Services.

I initially followed the idea provided from the docs which consist of re-rewriting the Location response header, and then I found here a simpler solution from the rewrite rules perspective by using the X-Forwarded-Host request header. But no matter what is the approach of your preference, in both cases, if you're using WAF_v2 particularity with the rule-set OWASP, please be aware that you will be still facing Forbidden 403 responses since the firewall is detecting a SQL injection malicious attack apparently from your Identity headers REQUEST_COOKIES:.AspNetCore.Cookies.

Therefore, to get it fully working, it is still required to disable the 942440 rule based on what I am experiencing. This rule is part of OWASP 3.2 and lower versions as well if I am not wrong:

cc/ @Tratcher

[bnbaliga]

We have a similar issue with a Blazor app, we tried everything that is mentioned in the site, what was the final solution? Fresher900 randomly said it worked! But how it worked is not mentioned in detail, can you please help?

[jackplo]

For anyone still struggling with this error or errors such as:
POST https://localhost:44465/signin-oidc 404 (Not Found)
or
Cannot POST /signin-oidc
The newer Angular with ASP.NET Core templates provided by Visual Studio have a file called "proxy.conf.js". You need to be sure to include the callback path inside of this file in order for it to work. So if your callback path is "/signin-oidc" your target in the proxy.conf.js needs to be "/signin-oidc". I can provide more if needed.