Azure API Management with OAuth2.0 and AAD login causes repeated loop

[manisha201301]

Hi everyone,

We have a simple web application and I am trying to use Azure API Management on top of it. Right now, I am redirecting the CName of our web application product to the apim url.

Our web application is a first party application and it performs AAD auth from Microsoft.Identity.Web nuget package and gets the access_token as below:

string accessToken = tokenAcquisition.GetAccessTokenForUserAsync(new[] { Configuration["Scopes:<product>"] }).GetAwaiter().GetResult();

Right now, I am redirecting all the traffic (GET /* and POST /*) from the CName to the apim url.
Without the APIM usage, our Network Calls (Successful) looks like this:

However, on adding the APIM layer, our Network Calls looks like this:

Somehow the /signin-oidc request redirects the call tologin.microsoftonline.com/..instead of authorizing the request and redirecting back to the root (path: '/') of the caller page.

We get repeated loop:
apim-url => login.microsoftonline.com/consumers/.. => login.live.com/... => apim-url/signin-oidc => login.microsoftonline.com/consumers => ...

I am not sure if the redirect isn't working correctly or if the auth is not working.

Any leads would be helpful,
Thanks,

Manisha

[jmprieur]

@manisha201301
as discussed offline, I think that APIM is for web APIs, not web apps.
I recommend you sync up with Hirsch (@hpsin) for the lost cookies between APIM and your app

[hpsin]

The app that owns signin-oidc is failing to set cookies or validate the succesful response correctly. Most likely it's because Domain A (apim) is setting the state parameter, and Domain B is trying to validate it using MSAL.something. The states fail to match, because Domain B never set it appropriately.

The correct architecture is for APIM to redirect to the app, and then for the app to redirect to the login page, ensuring that the app is in control of the start and end of the login flow.

[manisha201301]

We are currently doing that only. we first hit the apim url which then calls the application url and is supposed to pass down all the cookies. Authentication is done at our web application's side. What is Domaoin B here?

[hpsin]

I am assuming that apim and signin-oidc are not hosted on the same domain. So APIM is Domain A, and signin-oidc is Domain B. "pass down all the cookies" can have some different meanings, what do you mean by that?