OpenIDConnect through App Gateway

[cnshenj]

Hi,

We have an ASP.NET Core 3.1 API app running in Azure App Service without any problem. OpenIDConnect works fine through callback path, e.g. https://foobar.azurewebsites.net/signin.

Now we want customers access the API through an App Gateway, for two reasons:

1. The address is consistent with other services, e.g. https://mydomain/svc, https://mydomain/foobar
2. We can change the hosting service without changing the access address. All we need to do is change App Gateway configuration to point to the address of the new hosting service.

When using the App Gateway address to access the API (https://mydomain/foobar), OpenIDConnect fails 100% with "Correlation failed. Unknown location" error. Any advice?

Startup

            services
                .AddAuthentication(
                    options =>
                    {
                        options.DefaultScheme = AzureADDefaults.JwtBearerAuthenticationScheme;
                        options.DefaultSignInScheme = AzureADDefaults.CookieScheme;
                    })
                .AddAzureADBearer(options => this.Configuration.Bind("AzureAd", options))
                .AddAzureAD(options => this.Configuration.Bind("AzureAd", options));

Network

1. Request: https://mydomain/foobar/<controller>/<action>
   Response: 302 (AAD authorize)
2. Request: https://login.microsoftonline.com/<tenant_id>/oauth2/authorize?client_id=<client_id>&redirect_uri=https://mydomain/foobar/signin&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=<nonce>&state=<state>&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
   Response: 200
3. Request: https://mydomain/foobar/signin
   Response: 500 (Correlation failed. Unknown location)

[Tratcher]

Adding a proxy is prone to breaking link/redirect generation as well as cookie attributes. See https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1 for proxy guidance and troubleshooting steps.

The other tool to debug this is Fiddler. Most likely there's an issue with the cookies set on response 1 so that they're not sent on request 3. Can you share those cookies?