2x Azure App Service Web App with Container-Image from Docker-Hub (ironmansoftware/universal:3.7.10-ubunutu-20.04-ps-7.3.0)
Azure SQL Server + DB as backend
Azure DevOps Git Repository for PowerShell Universal Configuration Repository
OIDC SSO with an Azure App Registration
Lets call the app service containers:
APP001
APP002
Our deployment works very well if we browse the app-service urls from each container seperately (https ://APP001.azurewebsites.net or https ://APP02.azurewebsites.net)
As we want to use this deployment as an high-available setup, we want to use a single url for both servers (e.g. https ://APP-HA.ourdomain.com) (a frontend load balancer)
In our case, we use Azure Application Gateway in Standard SKU v1. This works very well for the local (non-sso) login (https ://APP-HA.ourdomain.com/login → bypass oidc)
But as soon as we want to use OIDC and browse to https ://APP-HA.ourdomain.com, PowerShell Universal is redirecting us to APP01.azurewebsites.net/auth/signin-oidc, but is should redirect us to the HA url: https ://APP-HA.ourdomain.com/auth/signin-oidc
Unfortunately, we can only define a relative path in OIDC configuration (“Authentication__OIDC__CallbackPath”: “/auth/signin-oidc”)
How can we redirect to the custom high-available domain after successful login in Azure AD?
The redirectUri in the Azure App Registration is pointing to the high-available uri (https ://APP-HA.ourdomain.com)
It looks like we need to make a tweak to the forwarded headers logic in PSU. The last header (X-Forwarded-Host) is not being processed. It appears we are only passing along the original client IP and protocol. This is why it switches to HTTPS but doesn’t change the forwarded host name.
Obviously, this is a little tweak on our end but will require some testing to ensure that it works for you. I can get this into tonight’s nightly build and deploy a preview docker image if that works for you.
@adam i have seen you already published the 3.7.12 nightly build with the changes on the X-Forwarded-Host header. Thank you for the very quick implementation!
We have now replaced the Azure App Gateway with an Ubuntu VM with Nginx as a reverse proxy for testing.
Unfortunately we still have the same problem, after login it redirects to the hostname of the PSU instance, not to the “shared” name of the application in the reverse proxy (the original URL when called).
If we login via the internal admin user (/login), the redirect is correct (high-available url in the reverse proxy).
So I suspect the problem in connection with PSU and OpenID-Connect.
How do you configure a common URL in a PSU High-Available infrastructure with OpenID-Connect in NGINX?
we continued to research the issue. Apparently, PSU does handle the “x-forwarded-host” header correctly. Unfortunately, in NGINX we cannot set this x-forwarded-host to the shared URL (https://APP-HA.ourdomain.com) because Azure App Services only supports https://APP01.azurewebsites.net or https:// APP02.azurewebsites.net as it knows any other url. This problem can basically be solved, but only for ONE WebApp by configuring a custom domain in Azure App Services. However, this is only ever possible for one web app, since two web apps cannot use the same custom domain.
Now almost everything works WITHOUT the X-Forwarded-host header. Unfortunately only not the authentication.
Yes, please. I understand the issue you’re running into and, while I do not have a solution at this time, opening a case will make sure we prioritize it.