Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
668 questions
How to perform authentication in container apps through Front Door's custom domain?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 37%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Boyan Stefanov
20
Reputation points
I have a container app hosting a service that's currently publicly accessible. I'd like to add an authentication/authorization mechanism to the container app so it requires a login from Entra ID first(via front door custom domain).
Our container app and container app environment are with enabled ingress and limited to VNET only. We use Front Door premium with a private endpoint connection and Front Door is used to route the requests with an origin group(pointing to the origin host name of the container app) and route(pattern to match /allure-docker-service/ and origin path /allure-docker-service) to the container app.
I tried following the steps outlined in https://video2.skills-academy.com/en-us/azure/container-apps/authentication-entra#-create-an-app-registration-in-microsoft-entra-id-for-your-container-app and created & setup the app registration, but when we visit our service' public url (<custom domain>/allure-docker-service/projects/default/reports/latest/index.html) we are being redirected to https://<container app application url>/.auth/login/aad/callback which doesn't work because the container's not publicly available.
What is the correct configuration I should use to set up front door and the app registration in this case?
EDIT: This is what we currently have in Web > Redirect URIs:
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Sina Salam 10,036 Reputation points2024-08-21T16:33:08.0966667+00:00 Hello Boyan Stefanov,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you are having challenges to perform authentication in container apps through Front Door's custom domain.
To configure authentication and authorization for your Azure Container App with Front Door and Microsoft Entra ID, you will need to create an App Registration Automatically. From Azure portal you will navigate to your app and select Authentication, to add Identity Provider by selecting Microsoft as the identity provider. By default, the option to create a new registration is selected. You can customize the registration name and supported account types and configure your client secret to generate and store as a secret in the container app. https://video2.skills-academy.com/en-us/azure/container-apps/authentication-entra
Also, if you like you can configure it manually.
You can check a similar answer here if you use a private link https://video2.skills-academy.com/en-us/answers/questions/1689342/front-door-with-azure-container-apps-and-private-l
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam
-
Boyan Stefanov 20 Reputation points
2024-08-22T07:54:31.4766667+00:00 @Sina Salam We went with the manual way but this doesn't answer my question. I went through the thread that you linked prior to posting my question but it is unclear as it didn't involve a custom domain at first. Also more details are needed on how to implement the "Secondly, in Container App Configuration, you will need to enable authentication, configure Azure AD settings, and set the redirect URI to the Front Door URL." and "You should consider using a custom domain, both in AFD and Internal Container Apps
- Let's consider this as "app.contoso.com"
- This way, the host name between Client to AFD and AFD to the ILB will remain the same."
Edit: I tried following the steps here https://techcommunity.microsoft.com/t5/apps-on-azure-blog/configure-container-app-behind-front-door-with-custom-domain/ba-p/3815048 and one of the considerations is "If you have deployed your container app environment in a custom VNET, ensure that the DNS is configured accordingly so that the Front door will be able to access the container app (https://video2.skills-academy.com/en-us/azure/container-apps/networking#dns)" - I tried creating such a private dns zone but it still doesn't seem to work.
-
KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee2024-08-26T10:27:33.6+00:00 I see Sina Salam has shared a similar thread : https://video2.skills-academy.com/en-us/answers/questions/1689342/front-door-with-azure-container-apps-and-private-l on how to achieve this.If you would like to have an Entra authentication, you should add the custom domain to the backend PaaS Service (Container Apps).
Can you confirm if a custom domain is added to your Container Apps?
Cheers,
Kapil
-
Boyan Stefanov 20 Reputation points
2024-09-09T08:12:10.21+00:00 The link you mentioned was already sent by @Sina Salam and the solution mentioned there is based on classic frontdoor, and the solution you provided there involves adding a custom domain.
And to answer your question, yes, we do have custom domain added to our Container Apps.
EDIT: I have also tried to implement the solution mentioned here (leaving the origin host header blank for azure frontdoor premium): https://video2.skills-academy.com/en-us/azure/architecture/best-practices/host-name-preservation#azure-front-door
-
KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee
2024-09-09T09:47:52.98+00:00 @Boyan Stefanov , Thanks for the info.
As next steps,
- Do not include the container Apps default URL in the Redirect URI, only include the Custom domain
And let us know if the issue persists
Cheers,
Kapil
Sign in to comment
Sign in to answer