Getting ASP.NET Core to Authenticate against Azure AD with Nginx

Monday, May 13, 2019

We're in the process of releasing an ASP.NET Core website on an Ubuntu Server, using Kestrel with an Nginx reverse proxy. The site requires Azure Active Directory authentication for our content editors to get to the back end. Now, normally we like to use Azure AD B2C for just about all of our authentication needs, but because we don't (yet) plan on giving anyone public access to this particular piece of property, we were content to use 'regular' Azure against our organization's AD instance.

We ran into a bit of a problem when pushing into our test subdomain, however - whenever we went to log in, Nginx would give us a 502 error and choke on the /signin-oidc URL link. The Kestrel logs kept showing successful authentication, so it had to be something not getting through between Nginx and Kestrel.

One of the nice things about Azure AD errors is that they seem to closely mimic any issue happening with [Identity Server](https://identityserver.io/), which is what led us to this post over at StackOverflow. What ended up working for us is the tweak they did to the nginx.conf file, in which we added these lines to the http section:

```nginx
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
large_client_header_buffers 4 16k;
```

A quick save and a restart, and the proxy is now passing our Azure AD cookies successfully into Kestrel.
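
Nginx reads the upstream response header into one buffer of `proxy_buffer_size` bytes and answers 502 when the header does not fit, which is what a sign-in response carrying a chunked authentication cookie can trigger. The Python check below is an added example, not code from the original post: it parses the buffer directives from config text and compares them with the size of a constructed `/signin-oidc` response. The cookie name `.AspNetCore.Cookies`, the 4000-byte chunks, the three-chunk count and the 4096-byte default are assumptions.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
DIRECTIVES = r"proxy_buffer_size|proxy_buffers|proxy_busy_buffers_size"

def parse_size(token):
    """Convert an nginx size such as '128k' or '4096' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"not an nginx size: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def read_proxy_buffers(conf_text):
    """Collect the proxy buffer directives from nginx config text."""
    cfg = {}
    for name, args in re.findall(rf"^\s*({DIRECTIVES})\s+([^;]+);", conf_text, re.M):
        parts = args.split()
        if name == "proxy_buffers":
            cfg[name] = (int(parts[0]), parse_size(parts[1]))
        else:
            cfg[name] = parse_size(parts[0])
    return cfg

def header_bytes(status_line, headers):
    """Bytes of the upstream response header on the wire (CRLF line ends)."""
    lines = [status_line] + [f"{k}: {v}" for k, v in headers]
    return sum(len(line.encode()) + 2 for line in lines) + 2

def check(conf_text, status_line, headers, default_buffer=4096):
    """Compare the response header with proxy_buffer_size (assumed default: 4k)."""
    cfg = read_proxy_buffers(conf_text)
    size = cfg.get("proxy_buffer_size", default_buffer)
    need = header_bytes(status_line, headers)
    return {"header_bytes": need, "proxy_buffer_size": size, "fits": need <= size}

# Constructed sample: a 302 from /signin-oidc setting an auth cookie split into 3 chunks.
ATTRS = "; path=/; secure; httponly"
SAMPLE = [("Location", "/"), ("Set-Cookie", ".AspNetCore.Cookies=chunks-3" + ATTRS)] + [
    ("Set-Cookie", f".AspNetCore.CookiesC{i}=" + "A" * 4000 + ATTRS) for i in (1, 2, 3)]
POST_CONF = """http {
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    large_client_header_buffers 4 16k;
}"""

if __name__ == "__main__":
    print("default :", check("http { }", "HTTP/1.1 302 Found", SAMPLE))
    print("tweaked :", check(POST_CONF, "HTTP/1.1 302 Found", SAMPLE))
```

Measuring a real sign-in response this way shows how much headroom the 128k setting leaves, so the buffers can be sized to the actual cookie payload.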