Changing the domain name for AAD auth with openIdConnect for multi node multi geo applications

南楼画角 submitted on 2021-02-05 09:40:23

Question


I am using Asp.Net Core 2.2 and targeting .NET Framework 4.7.2. Ours is a multi cluster, multi node app. We are using Azure AD with OpenId Connect for authenticating the user.

Our Startup.cs looks like this:

        using System.IdentityModel.Tokens.Jwt;
        using Microsoft.AspNetCore.Authentication.AzureAD.UI;
        using Microsoft.AspNetCore.Authentication.OpenIdConnect;
        using Microsoft.AspNetCore.Builder;
        using Microsoft.AspNetCore.DataProtection;
        using Microsoft.AspNetCore.Http;
        using Microsoft.Extensions.DependencyInjection;

        // Fragment of Startup.ConfigureServices as posted. Constants, blob, certificate and
        // ValidateIssuerWithPlaceholder are the application's own members and are not shown.
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            // Azure AD sign-in through the OpenID Connect handler (Microsoft.AspNetCore.Authentication.AzureAD.UI).
            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options =>
                {
                    options.Instance = Constants.Instance;
                    options.CallbackPath = "/signin-oidc";
                    options.ClientId = Constants.ClientId;
                    options.TenantId = "organizations";
                });

            // Multi-tenant ("organizations") sign-in: use the v2.0 endpoint and validate the issuer
            // with a custom validator instead of the single static issuer from discovery.
            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                options.Authority = options.Authority + "/v2.0/";
                options.TokenValidationParameters.ValidateIssuer = true;
                options.TokenValidationParameters.IssuerValidator = ValidateIssuerWithPlaceholder;
                // Keep the raw JWT claim names instead of the legacy .NET claim type mapping.
                var jwtHandler = new JwtSecurityTokenHandler();
                jwtHandler.InboundClaimTypeMap.Clear();
                options.SecurityTokenValidator = jwtHandler;
            });

            // Shared key ring so that every node and cluster can unprotect the auth cookie.
            services.AddDataProtection()
                .PersistKeysToAzureBlobStorage(blob)
                .ProtectKeysWithCertificate(certificate)
                .UnprotectKeysWithAnyCertificate(certificate)
                .SetApplicationName("myService");
        }

Since we have a routing layer involved, the user gets successfully logged into dnsFront.myservice.com (callback path generated: dnsFront.myservice.com/signin-oidc) and then the call gets forwarded to location1.myservice.com. After reaching the new cluster, the call fails. I can see that the cookies set by the middleware, including the cookie named AspNetCore.AzureAdCookie, are set for the domain dnsFront.myservice.com too.

My hunch is that, since the cookies are getting set for dnsFront.myservice.com and not for the domain of the new location or even for myservice.com, the call fails. Is that the reason the call is failing? How can we change the domain of the cookies set by the middleware to myservice.com, if that is the issue?

If that is not the reason the call is failing, how do we ensure that a user who has logged on once into our app does not get errored out for calls that get forwarded to another cluster of the same app?

Note: The calls that do not get forwarded by our routing layer are always working as expected.
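An added example, not the poster's code, of how the cookies involved in the sign-in can be scoped to the parent domain instead of the host that issued them. It assumes the hostnames from the question share the parent domain myservice.com and that the shared Data Protection key ring and application name from the posted Startup.cs stay in place; whether this is what breaks the forwarded calls is not established on the page.

```csharp
// Added illustration (not from the question). Assumes dnsFront.myservice.com and
// location1.myservice.com share the parent domain myservice.com.
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SharedDomainCookies
{
    // Parent domain the sign-in cookies should be valid on (assumed value).
    private const string ParentDomain = ".myservice.com";

    public static IServiceCollection AddSharedDomainAuthCookies(this IServiceCollection services)
    {
        // The session cookie written after the /signin-oidc callback. With no Domain set, the
        // browser scopes it to the issuing host (dnsFront.myservice.com) and never sends it
        // to location1.myservice.com, so that cluster sees an unauthenticated request.
        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.Cookie.Domain = ParentDomain;
            // Widening the domain widens exposure: every host under the parent domain now
            // receives the cookie, so keep the transport and script-access flags explicit.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        // The short-lived correlation and nonce cookies set before the redirect to Azure AD
        // must also be readable on whichever host receives the callback, otherwise the OIDC
        // handler rejects the response as unsolicited.
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.CorrelationCookie.Domain = ParentDomain;
            options.NonceCookie.Domain = ParentDomain;
        });

        return services;
    }
}
```

The cookie payload is only usable on the second cluster if that cluster can unprotect it, which is why the shared key ring and matching SetApplicationName from the question remain required alongside the domain change.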

Source: https://stackoverflow.com/questions/64348505/changing-the-domain-name-for-aad-auth-with-openidconnect-for-multi-node-multi-ge
