Question
I am configuring Authentication for my Web application using Azure App Service. I chose AAD with Express mode to register my application.
It registered my application at AAD with reply-url as https://.azurewebsites.net/.auth/login/aad/callback. I intercepted the GET/POST requests for the above callback. It sends the access token.
Question: I have not implemented the controller for above reply-url in web application. Who is handling it correctly?
Please shed some light on the above callback. Can it be changed to a different POST URL if needed?
Answer 1:
The /.auth/login/{provider}/callback endpoint is exposed by Azure’s own Easy Auth [1].
There’s one for each of the identity providers in [1].
In short, they are responsible for extracting the access token etc. from the provider, setting cookies and so on. They are handled prior to the request landing in your app.
[1] https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
Answer 2:
I think you got it wrong.
This is nothing but a login callback, i.e. if you open this link directly you will be redirected to the login page of the auth provider (Google, Facebook, AAD etc.) and after successful login, it will generate a token and you can use that token to access the API.
You can easily change the post-login URL --> please go to this link and read the whole thread
Other useful links
Facebook auth
Answer 3:
This is a big post, but if you read through you will get the end-to-end view of the redirect URL story in Azure AD.
Let's say you have a website hosted in Azure and its URL looks something like this. Assume that this web app is AD protected.
https://abcd.azurewebsites.net/
When you hit this website through a browser and you are not already authenticated, you will be redirected to a URL like the one below.
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fabcd.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=<app-client-d>&scope=openid+profile+email&response_mode=form_post&nonce=<nonce-value>&state=redir%3D%252F
Look at the redirect_uri param value in the above URL. I'm pasting the URL decoded value here.
https://abcd.azurewebsites.net/.auth/login/aad/callback
The reason why we are getting this URL as redirect_uri is defined here.
https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#authentication-flow Please refer "2. Post authentication" definition in the table in Authentication flow section.
This is the default behavior. Whenever you hit https://abcd.azurewebsites.net/ before authentication, the redirect_uri will be <your_domain>/.auth/login/aad/callback
This is the reason why we need to have this URL in the Redirect URIs section of the AD app registration. If this URL is not present, AD will simply say you are not authenticated. Hope this makes sense why we fill the .azurewebsites.net/.auth/login/aad/callback value there.
Now we know why we are getting redirected to .auth/login/aad/callback. Let's see what happens after authentication. Once you complete the authentication, you will be redirected to .azurewebsites.net/.auth/login/aad/callback. Now this call is handled by Azure's Easy Auth.
The more important point to notice here is the response to this call.
Pay attention to the status code and location header in the response. Along with this it does a whole lot of things, setting the tokens in cookies. If you are interested to know other response headers, perform a lookup in the developer tools window. (f12 with preserve log option)
It's a redirect to the root of the website. This part is done by Azure's own Easy Auth.
You can use a custom redirect_uri value if you are using AD for authentication. (this is done by adalapicliens). Just make sure whatever value you put in redirect_uri is present in AD's Redirect URI section for the authentication to be successful.
If you want to overwrite the default behavior i.e., .azurewebsites.net/.auth/login/aad/callback, you have to use "Application Gateway". You can also overwrite the response location header with application gateway.
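The answer above walks through the authorize request and the callback that follows it. As an added illustration, not code from the question, the answers or Azure's Easy Auth, the following Python takes the exact authorize URL quoted in the answer, URL-decodes its parameters, checks that redirect_uri exactly matches an entry in the app registration's Redirect URIs (a constructed sample set here), decodes the state parameter to recover the post-login path, and builds the Location the callback redirects to. The on-site check in post_login_location is an assumption of this example (Easy Auth's own handling of redir is not documented on this page); it is included because a post-login path taken from a request should never be allowed to leave the site.

```python
from urllib.parse import urlsplit, parse_qs, urljoin

# The authorize URL quoted in the answer above. <tenant-id>, <app-client-d> and
# <nonce-value> are the answer's own placeholders and are left untouched.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/<tenant-id>/oauth2/authorize"
    "?response_type=id_token"
    "&redirect_uri=https%3A%2F%2Fabcd.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback"
    "&client_id=<app-client-d>"
    "&scope=openid+profile+email"
    "&response_mode=form_post"
    "&nonce=<nonce-value>"
    "&state=redir%3D%252F"
)

# Constructed sample of the Redirect URIs section of the AD app registration.
# The Easy Auth callback for the site is the only entry, as in the answer.
REGISTERED_REDIRECT_URIS = {
    "https://abcd.azurewebsites.net/.auth/login/aad/callback",
}

# Root of the protected site from the answer.
SITE_ROOT = "https://abcd.azurewebsites.net/"


def parse_authorize_request(url):
    """Split the authorize URL into its URL-decoded query parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def redirect_uri_is_registered(params, registered=REGISTERED_REDIRECT_URIS):
    """AD only completes the flow when redirect_uri exactly matches a registered entry.

    Exact string comparison mirrors that rule: a different host, path or trailing
    slash is a different URI and is rejected."""
    return params.get("redirect_uri") in registered


def decode_state(state):
    """state carries Easy Auth's own key=value pairs, URL-encoded once more.

    After the outer decode the value is 'redir=%2F'; decoding it again yields
    the path the browser is sent to after login ('/')."""
    inner = parse_qs(state, keep_blank_values=True)
    return {name: values[0] for name, values in inner.items()}


def post_login_location(state, site_root=SITE_ROOT):
    """Build the Location header the callback answers with after login.

    Returns None when redir would leave the site (assumed safeguard for this
    example, not a documented Easy Auth behaviour)."""
    redir = decode_state(state).get("redir", "/")
    target = urljoin(site_root, redir)
    if not target.startswith(site_root):
        return None
    return target


if __name__ == "__main__":
    params = parse_authorize_request(AUTHORIZE_URL)
    print("redirect_uri :", params["redirect_uri"])
    print("registered   :", redirect_uri_is_registered(params))
    print("state        :", decode_state(params["state"]))
    print("Location     :", post_login_location(params["state"]))
```

Running it prints the decoded callback URL, confirms it is registered, shows the state decoding to redir=/ and produces the Location of the site root, which is the 302 described in the answer. Feeding a redirect_uri that is not in the registration set (for example a custom path that was never added) makes redirect_uri_is_registered return False, which is the situation the answer describes as "AD will simply say you are not authenticated".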
Source: https://stackoverflow.com/questions/55398258/what-does-https-myapp-azurewebsites-net-auth-login-aad-callback-mean