Issue with OIDC CallbackPath in High-Available Azure App Service Infrastructure

abtimo · February 16, 2023, 4:14pm

Hi everyone,

we have the following deployment:

2x Azure App Service Web App with Container-Image from Docker-Hub (ironmansoftware/universal:3.7.10-ubunutu-20.04-ps-7.3.0)
Azure SQL Server + DB as backend
Azure DevOps Git Repository for PowerShell Universal Configuration Repository
OIDC SSO with an Azure App Registration

Lets call the app service containers:

APP001
APP002

Our deployment works very well if we browse the app-service urls from each container seperately (https ://APP001.azurewebsites.net or https ://APP02.azurewebsites.net)

As we want to use this deployment as an high-available setup, we want to use a single url for both servers (e.g. https ://APP-HA.ourdomain.com) (a frontend load balancer)
In our case, we use Azure Application Gateway in Standard SKU v1. This works very well for the local (non-sso) login (https ://APP-HA.ourdomain.com/login → bypass oidc)

But as soon as we want to use OIDC and browse to https ://APP-HA.ourdomain.com, PowerShell Universal is redirecting us to APP01.azurewebsites.net/auth/signin-oidc, but is should redirect us to the HA url: https ://APP-HA.ourdomain.com/auth/signin-oidc
Unfortunately, we can only define a relative path in OIDC configuration (“Authentication__OIDC__CallbackPath”: “/auth/signin-oidc”)

How can we redirect to the custom high-available domain after successful login in Azure AD?
The redirectUri in the Azure App Registration is pointing to the high-available uri (https ://APP-HA.ourdomain.com)

We get the following error:

adam · February 16, 2023, 4:33pm

Based on that you are being redirect to HTTPS, I assume that you set this but do you have the forwarded headers env var set in your web app?

abtimo · February 16, 2023, 4:50pm

Hi Adam,

thank you for your quick response.

Yes, we have set the forwarded headers env variable.

Here are some of our variables:

adam · February 16, 2023, 7:44pm

It looks like we need to make a tweak to the forwarded headers logic in PSU. The last header (X-Forwarded-Host) is not being processed. It appears we are only passing along the original client IP and protocol. This is why it switches to HTTPS but doesn’t change the forwarded host name.

            app.UseForwardedHeaders(new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto // | ForwardedHeaders.XForwardedHost
            });

Obviously, this is a little tweak on our end but will require some testing to ensure that it works for you. I can get this into tonight’s nightly build and deploy a preview docker image if that works for you.

abtimo · February 16, 2023, 7:50pm

that would be phenomenal, as soon as we get the preview image we’ll test it and give you feedback

abtimo · February 18, 2023, 3:38pm

@adam i have seen you already published the 3.7.12 nightly build with the changes on the X-Forwarded-Host header. Thank you for the very quick implementation!

since we run psu completely serverless with Azure App Services, I wanted to download the Docker image.

In the download area I only found the installers, in Docker-Hub there is only version 3.7.11.

Do you already have the 3.7.12 preview available as a Docker image?

We are currently running on ironmansoftware/universal:3.7.10-ubunutu-20.04-ps-7.3.0

adam · February 20, 2023, 2:41pm

This has been pushed to docker hub under the preview tag.

ironmansoftware/universal:preview

abtimo · February 23, 2023, 1:47pm

Hi @adam ,

unfortunately, the preview didn’t work for us, after updating our app to preview, it says version 3.7.0.

We upgraded to the new 3.7.12 release, but he still have the same issue:

After login, it is still redirecting to one of the app service urls.