.netazure-active-directoryhangfire

Azure AD authentication only working localhost


I've set up OIDC authentication using Azure AD, to only allow certain users to access the Hangfire dashboard. Everything seems to be working locally, running the API through Visual Studio, as well as connecting to the dashboard from the server it's deployed onto. Issues arise when I try to connect from any local machine, to https://my-domain/hangfire.

I've been trying all sorts of different ways to setup .AddMicrosoftIdentityWebApp(), all ending with the same results; working locally and directly from a Chrome instance on the server, but not from any given machine on the network, connecting to https://my-domain/hangfire. I'm presented with a 403 Forbidden.

I've checked my id_token and everything looks as expected, so I'm rather confused about the 403 Forbidden.

I've added the redirect URI's in AAD (ID tokens allowed on app registration):

I've set up the authentication as seen below:

// Webapi OAuth authentication
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Webapp OIDC authentication
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdWebapp"));

// Policies
builder.Services.AddAuthorization(config =>
{
    config.AddPolicy(AutomationSecurityPolicies.Dashboard, policy => policy
        .AddAuthenticationSchemes(OpenIdConnectDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser());
});

// Hangfire dashboard setup
app.UseEndpoints(endpoints =>
{
    endpoints.MapHangfireDashboard("/hangfire")
        .RequireAuthorization(AutomationSecurityPolicies.Dashboard);
});

So far, the only thing I've been able to find is an issue on Hangfire GitHub without any solution. I'm suspecting that this issue has something to do with Azure AD setup, and that it is not Hangfire specific, since the dashboard authentication works as expected.

I'm new to Azure AD authentication, and suppose there's something I've missed, that I just cannot seem to find any documentation on.


Solution

  • I managed to solve the issue myself.

    Using Hangfire's .RequireAuthorization(), I expected no further configuration for this to work. After wondering about this issue for a few days, I remembered that accessing the Hangfire dashboard alwayhs works with local requests.

    From Hangfire documentation

    ...By default Hangfire allows access to Dashboard pages only for local requests...

    This is why the dashboard works fine from localhost running through visual Studio, as well as accessing the dashboard directly from the server.

    Remembering this, I added create a new class from IDashboardAuthorizationFilter, checking whether or not the user is authenticated.

    public class DashboardAuthorizationFilter : IDashboardAuthorizationFilter
    {
        public bool Authorize([NotNull] DashboardContext context)
        {
            var httpContext = context.GetHttpContext();
            return httpContext.User.Identity.IsAuthenticated;
        }
    }
    

    This solved mny issue, and authentication as well as dashboard access using Azure AD, now works as expected.