Tags: azure, asp.net-core-mvc, azure-web-app-service, cloudflare, azure-cdn

Override redirect URL in AddMicrosoftAccount() identity OAuth for ASP.NET Core web app


I have a website deployed to Azure. I've used Cloudflare in order to CNAME the azurewebsites domain, and therefore set the redirect URL to the Cloudflare-hosted domain name as:

https://www.example.com/signin-microsoft

When I try to log in, I get a failure, and the link provided by Microsoft is:

https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=xxx

When I run Fiddler, I can see that the redirect URL passed through by my app is not https://www.example.com, but the following:

/common/oauth2/v2.0/authorize?client_id=f0caa31c-3117-4479-a284-65f5a38ff5b6&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_type=code&redirect_uri=https%3A%2F%2Fexample.azurewebsites.net%2Fsignin-microsoft

When I set up the Microsoft OAuth in my app, I have these settings, but I can't find one to override the redirect URL:

// Registers the Microsoft account OAuth handler. CallbackPath defaults to
// /signin-microsoft; the scheme and host of redirect_uri are taken from the
// incoming request, not from any option set here.
services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
{
    microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
    microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
});

Does anyone have any suggestions? To complicate matters, I've got this structure:

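An added example (my own code, not from the question or the answer) showing where the redirect_uri actually comes from in ASP.NET Core and how to override it. AddMicrosoftAccount() exposes no absolute redirect URI; the OAuth handler builds it from Request.Scheme, Request.Host and CallbackPath, both when it sends the user to the authorize endpoint and again when it exchanges the code for a token. So the override has to happen on the request before UseAuthentication() runs. The configuration keys (Proxy:Network, Proxy:PrefixLength, Authentication:PublicHost), the host www.example.com and the 198.51.100.0/24 proxy range are placeholders I have assumed for the example.

```csharp
// Added example: make the OAuth redirect_uri use the public, proxy-fronted host
// instead of the internal *.azurewebsites.net host. Not code from the original post.
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Honour X-Forwarded-Proto/For/Host, but only when they arrive from the
        // proxy in front of the app. With KnownProxies/KnownNetworks left open,
        // any client could send its own X-Forwarded-Host and thereby pick the
        // host that ends up in redirect_uri, so the range is restricted.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedHost;
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            // Assumed configuration keys; e.g. "Proxy:Network" = "198.51.100.0",
            // "Proxy:PrefixLength" = "24" (placeholder range for the example).
            options.KnownNetworks.Add(new IPNetwork(
                IPAddress.Parse(Configuration["Proxy:Network"]),
                int.Parse(Configuration["Proxy:PrefixLength"])));
        });

        services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
        {
            microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
            microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
            // Relative only; the scheme and host are taken from the request.
            microsoftOptions.CallbackPath = "/signin-microsoft";
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Applies the trusted X-Forwarded-* values to Request.Scheme/Host.
        app.UseForwardedHeaders();

        // If the proxy does not pass the public host through, pin it from
        // configuration (assumed key "Authentication:PublicHost", e.g.
        // "www.example.com") rather than from any request header, so a client
        // cannot influence the host used in redirect_uri.
        var publicHost = Configuration["Authentication:PublicHost"];
        if (!string.IsNullOrEmpty(publicHost))
        {
            app.Use((context, next) =>
            {
                context.Request.Host = new HostString(publicHost);
                context.Request.Scheme = "https";
                return next();
            });
        }

        // Must run after the host/scheme fixes: the handler reads them when it
        // builds the authorize URL and again during the code-for-token exchange,
        // and both redirect_uri values have to match the registered one.
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

With this in place the authorize request carries redirect_uri=https://www.example.com/signin-microsoft, matching the value registered for the application. The same override is what makes the token exchange succeed; rewriting only the URL in OnRedirectToAuthorizationEndpoint would leave the token request sending the internal host.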

Solution

  • The problem is due to a conflict between CloudFlare's CNAME flattening and Azure's CNAME verification. The CNAME flattening essentially returns A records, which speeds up DNS resolution and is a good idea in general. However, Azure's CNAME verification only verifies CNAME records.

    The best workaround I've found is to:

    1. Disable CloudFlare's HTTP proxying (click the orange cloud on that CNAME record so that it turns grey); this also disables CNAME flattening for that record.

    2. Check your host with dig until you see the CNAME record show up.

    3. Verify your CNAME host on the Azure portal.

    4. Re-enable CloudFlare's HTTP proxying (click the grey cloud on that CNAME record so it turns orange).

    This allows you to verify on Azure and still take advantage of CloudFlare's CDN.

    For more details, you could refer to this article.
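As an added example (mine, not part of the answer above), a small shell helper for step 2 of that procedure: it tells you from `dig` output whether a hostname currently answers as a CNAME (what Azure's verification needs) or as flattened A records (what Cloudflare returns while the orange-cloud proxy is on), and polls until the CNAME to the expected *.azurewebsites.net target appears. The hostnames, the resolver 1.1.1.1 and the IP addresses in the comments are placeholders I have assumed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer. Parses `dig +noall +answer`
# output, e.g. the constructed line
#   www.example.com.  300  IN  CNAME  example.azurewebsites.net.
# (fields: name, TTL, class, type, data).

# cname_target ANSWER_TEXT
#   Print the CNAME target (trailing dot removed) found in ANSWER_TEXT and
#   return 0; print nothing and return 1 if the answer holds no CNAME.
cname_target() {
    target=$(printf '%s\n' "$1" | awk '$4 == "CNAME" { sub(/\.$/, "", $5); print $5; exit }')
    [ -n "$target" ] || return 1
    printf '%s\n' "$target"
}

# record_kind ANSWER_TEXT
#   Print "cname" when a CNAME is present, "flattened" when only A/AAAA
#   records came back (CNAME flattening in effect), or "none" for an empty answer.
record_kind() {
    if cname_target "$1" >/dev/null; then
        echo cname
    elif printf '%s\n' "$1" | awk '$4 == "A" || $4 == "AAAA" { found = 1 } END { exit !found }'; then
        echo flattened
    else
        echo none
    fi
}

# wait_for_cname HOST EXPECTED_TARGET [ATTEMPTS] [SLEEP_SECONDS]
#   Poll a public resolver (assumed: 1.1.1.1) until HOST is a CNAME pointing at
#   EXPECTED_TARGET, i.e. the moment you can verify the domain on the Azure
#   portal. Returns 0 once seen, 1 after ATTEMPTS tries. Needs network access.
wait_for_cname() {
    host=$1; expected=$2; attempts=${3:-30}; pause=${4:-10}
    i=1
    while [ "$i" -le "$attempts" ]; do
        answer=$(dig +noall +answer "$host" @1.1.1.1)
        target=$(cname_target "$answer") || target=""
        if [ "$target" = "$expected" ]; then
            echo "$host -> CNAME $target (ready to verify on Azure)"
            return 0
        fi
        echo "attempt $i: $(record_kind "$answer") for $host, waiting ${pause}s"
        sleep "$pause"
        i=$((i + 1))
    done
    echo "gave up: $host still not a CNAME to $expected" >&2
    return 1
}

# Usage (placeholders): wait_for_cname www.example.com example.azurewebsites.net
```

Run it right after greying out the cloud in Cloudflare; once it reports the CNAME, do the Azure verification, then turn the proxy back on. While the proxy is orange the helper reports "flattened", which is exactly the state in which Azure's check fails.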