
Deploying web apps to App Services as Linux containers

Jean-Marc Prieur edited this page Jan 4, 2021 · 13 revisions

What is the issue?

Normally, Microsoft Identity Web computes the redirect URI automatically depending on the deployed URL.

However, when you deploy web apps to App Services as Linux containers, your application will be called by App Services on an HTTP address, whereas its registered redirect URI in the app registration will be HTTPS.

This means that when a user browses to the web app, they will be redirected to login.microsoftonline.com as expected, but with redirect_uri=http://<your app service name>.azurewebsites.net/signin-oidc instead of redirect_uri=https://<your app service name>.azurewebsites.net/signin-oidc.

How to fix it?

To get the right result, follow the ASP.NET Core team's guidance for working with proxies in Configure ASP.NET Core to work with proxy servers and load balancers. Address the issue centrally by using UseForwardedHeaders to fix the request fields, such as the scheme.

The container scenario should have been addressed by default in .NET Core 3.0. See Forwarded Headers Middleware Updates in .NET Core 3.0 preview 6. If you still have issues with this, please contact the ASP.NET Core team at https://github.com/dotnet/aspnetcore, as they are the right team to assist.
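The central fix described above, as an added example in a .NET Core 3.x Startup class (this is not code from the wiki page or from the Microsoft Identity Web project). The "AzureAd" configuration section name is an assumption, and so is the deployment model: the container is reachable only through the App Service front end, which is what makes it acceptable to clear the known-proxy lists.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Process only the headers that are needed: X-Forwarded-Proto restores
            // the original https scheme, X-Forwarded-For restores the client IP.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // By default only loopback proxies are trusted, so headers set by the
            // App Service front end would be ignored. Clearing both lists trusts
            // these headers from ANY sender: do this only when the container cannot
            // be reached directly (assumption of this example). Otherwise add the
            // proxy addresses to KnownProxies / KnownNetworks instead.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });

        // "AzureAd" is an assumed configuration section name.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication so the OpenID Connect handler sees
        // Request.Scheme == "https" when it builds redirect_uri.
        app.UseForwardedHeaders();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

To check the result, start a sign-in and confirm that the redirect_uri parameter sent to login.microsoftonline.com begins with https://.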

Historical perspective

For more examples of the issue, as well as the history of how Microsoft Identity Web attempted to manage the issue in the past, see issue #115.

Issues with load balancing across multiple regions, using Front Door

See Azure AD issues with load balancing across multiple regions on Stack Overflow.

Users sometimes get the error:

Status.AppServices.Middleware.ProductionExceptionMiddleware: Unhandled exception occurredSystem.Exception: An error was encountered while handling the remote login.
---> System.Exception: Unable to unprotect the message.State.

To fix it, set up an additional HTTP-only routing rule in Front Door that redirects all HTTP traffic to the HTTPS-exclusive rule.
