We believe that the problem is related to the address the users are using being different from the actual address the server is on. And this makes even more sense when we take into account that it was working fine before the addition of the WAG.
1- WAG is just a proxy, there is no authentication;
2- The whole authorization phase works, but then when the callback is called, and the App tries to validate the access, it throws the error (as we could see on Fiddler, there are no cookies on this request, which we think is causing the problem);
3- Auth is using keycloak, based on this library: GitHub - elmankross/Jboss.AspNetCore.Authentication.Keycloak
4- OpenId.
It doesn’t look like a problem with Keycloak, but it seems to be a problem with the library used. I don’t think that the app is validating the access. It is failing on the callback URL - that’s the URL where the app should get the code and exchange it for the token (only the token is used for authentication/authorization). You still didn’t disclose the OIDC flow used or the library configuration (I would really like to see that “magic”: Authentication with autosetup through keycloak.json file. All examples in the repo are for bearer-only, are you sure that library supports web apps and not APIs only?).
Pardon me a stupid question: does your app have network access to the Keycloak server via the URL which was used for the user auth in the browser?
There were a couple things that needed to be done to get KeyCloak + AppService to work in this scenario.
We had to add the same Certs to Wag and AppService, so KeyCloak would understand it as the same request.
Also the network team misconfigured the WAG, and some of the headers were not being forwarded, and KeyCloak would not accept the given Auth Token as valid for the current request.
If anyone hits the same issues and needs help, feel free to contact me.
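As an added illustration, not code from this thread or from the Keycloak library it mentions: an ASP.NET Core app builds its OIDC redirect_uri (and the Secure/Domain attributes of its correlation cookies) from the scheme and host it sees on the incoming request, so behind a proxy like the WAG it has to be told the public address through forwarded headers. The snippet assumes a minimal-hosting pipeline and that the WAG sends the standard X-Forwarded-* headers (the thread does not say which headers were dropped); the KnownProxies restriction is the check that stops an ordinary client from spoofing those headers to rewrite its own apparent origin.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Take scheme, host and client address from the proxy, so that
    // Request.Scheme / Request.Host reflect the public WAG address and the
    // redirect_uri the OIDC handler generates matches what Keycloak has registered.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // Honour these headers only when the request really came from the WAG.
    // 10.0.0.1 is a placeholder; use the proxy's actual internal address.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.1"));
});

var app = builder.Build();

// Must run before any authentication middleware so the OIDC handler
// sees the rewritten scheme and host (register the Keycloak/OIDC handler
// and call app.UseAuthentication() after this line).
app.UseForwardedHeaders();

// Diagnostic endpoint: shows which origin the app believes it is serving.
// Compare it with the URL in the browser to confirm the proxy headers arrive.
app.MapGet("/whoami", (HttpContext ctx) =>
    $"{ctx.Request.Scheme}://{ctx.Request.Host} as seen by the app");

app.Run();
```

If the value returned by /whoami still shows the internal hostname or plain http, the proxy is not forwarding the headers (or is not in KnownProxies), which is the situation described in the last post.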