1. 技术文章
  2. signin-oidc Also Tries to Call Internal FQDN

signin-oidc Also Tries to Call Internal FQDN

99封情书 提交于 2020-08-10 22:48:18

问题


We have an ASP.NET Core application that uses the OpenId Connect authentication protocol. In Azure AD B2C we setup the external FQDN (domain alias) (https://externallink.company.com) as the redirect URI. What we noticed is that after redirecting to https://externallink.company.com/signin-oidc it then redirects to the internal FQDN https://internallink.company.com/signin-oidc which is the URL of the App Service in Azure. The internal link is not accessible outside the company's network and should stay that way.

The error that we got is this:

redirect_uri_mismatch&error_description=AADB2C90006: The redirect URI 'https://internallink.company.com/signin-oidc' provided in the request is not registered for the client id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx'.%0D%0ACorrelation ID

This is how we have setup the authentication in the Startup class.

Should I specifically put the Callback path so that OpenId does not attempt to call the internal FQDN?

Update:

If I try to add the internal FQDN in the list of redirect URIs I will be able to sign in but afterwards I will get this error (URL is https://internallink.company.com/signin-oidc). This is expected because as I've mentioned the internal URL cannot be accessed via the public internet.

Update 2:

Based from the logs of WAF it does not redirect to https://internallink.com/signin-oidc. After authenticating it goes to https://externallink.com/api/foo which is the desired outcome.


回答1:


You need to register in Azure AD the exact redirect URL to use and it should match the redirect URL you sent to Azure AD.

It's a security feature to restrict the allowed redirect-url. Accepting any URL would introduce a major security vulnerability.




回答2:


It seems that I was able to solve this problem on my own. I just have to set the ProtocolMessage.RedirectUri under the OnRedirectToIdentityProvider event to the external FQDN.

services.AddAuthentication(options => { ... })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
       ...

       options.Events.OnRedirectToIdentityProvider = context => 
       {
           context.ProtocolMessage.RedirectUri = "https://externallink.com/signin-oidc";
           return Task.FromResult(0);
       };
    });


来源:https://stackoverflow.com/questions/63250093/signin-oidc-also-tries-to-call-internal-fqdn

标签
asp.net-core
openid-connect
azure-ad-b2c
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!