Keycloak settings behind Azure WAG (Web Application Gateway)

Hi guys.

We have a corporate Keycloak server which sits on Azure Account “A”.

We are now developing an ASP.Net Core Application that is on Azure Account “B”. This application is behind an Azure WAG.

The users access the application from the internet through the WAG and hit the Azure WebApp:
“myexternaldomain” => “myinternalazuredomain”.

As expected, the user is redirected to the Keycloak corporate server (SSO). Once the user is logged in, he is redirected to the callback address.

At this moment we get an exception: “Correlation Failed”, “Unknown Location”.

Architecture and Exception below:

We believe that the problem is related to the address the users are using being different from the actual address the server is on. This makes even more sense when we take into account that it was working fine before the addition of the WAG.

Can you guys give us some insight?

Thanks

Best Regards

Take Care

From your description it is not clear:

  • what the WAG is doing: is it just a reverse proxy, or is it also doing some auth?
  • what generates the error (app or WAG)
  • what you are using for auth
  • what flow/SSO protocol is used

1- The WAG is just a proxy; there is no authentication.
2- The whole authorization phase works, but when the callback is called and the app tries to validate the access, it throws the error (as we could see in Fiddler, there are no cookies on this request, which we think is causing the problem).
3- Auth is using Keycloak, based on this library: GitHub - elmankross/Jboss.AspNetCore.Authentication.Keycloak
4- OpenID.

Thanks, appreciate the help! :)

It doesn’t look like a problem with Keycloak; it seems to be a problem with the library used. I don’t think the app is validating the access. It is failing on the callback URL - that’s the URL where the app should get the code and exchange it for the token (only the token is used for authentication/authorization). You still didn’t disclose the OIDC flow used or the library configuration (I would really like to see that “magic”: authentication with auto-setup through a keycloak.json file. All examples in the repo are for bearer-only; are you sure that library supports web apps and not only APIs?).
Pardon me a stupid question: does your app have network access to the Keycloak server via the URL which was used for the user auth in the browser?

Hey guys, sorry for taking so long to reply.

We were in the middle of a prod release.

There were a couple of things that needed to be done to get Keycloak + App Service to work in this scenario.

We had to add the same certs to the WAG and the App Service, so Keycloak would understand it as the same request.

Also, the network team had misconfigured the WAG, and some of the headers were not being forwarded, so Keycloak would not accept the given auth token as valid for the current request.

If anyone hits the same issues and needs help, feel free to contact me :)

Thanks for your support guys

Best regards

Take Care
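The two fixes described above (TLS terminated consistently, and proxy headers forwarded so the app builds the correct redirect URI and marks its cookies correctly) correspond to ASP.NET Core's forwarded-headers middleware plus the OpenID Connect handler's cookie settings. The following is an added example, not code from the thread or from the Jboss.AspNetCore.Authentication.Keycloak library; it uses the stock Microsoft.AspNetCore.Authentication.OpenIdConnect handler instead. The gateway IP, Keycloak authority URL, client id and callback path are placeholders. Azure Application Gateway forwards the client's original host in X-Original-Host rather than X-Forwarded-Host, which is why the header name is overridden.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Trust forwarded headers only from the gateway. Without this the app sees
// scheme "http" and the internal host, so the redirect_uri sent to Keycloak
// does not match the browser-facing URL and Secure cookies are never set
// (the "Correlation Failed" symptom in the thread).
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;
    // Application Gateway carries the original Host header in X-Original-Host.
    options.ForwardedHostHeaderName = "X-Original-Host";
    // Clear the loopback defaults and list only the gateway's private address.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.4")); // placeholder gateway IP
});

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // Session cookie must only travel over the TLS hop the user actually sees.
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://keycloak.example.test/realms/myrealm"; // placeholder
    options.ClientId = "my-app";                                         // placeholder
    options.ClientSecret = builder.Configuration["Keycloak:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow
    options.UsePkce = true;
    options.SaveTokens = true;
    options.CallbackPath = "/signin-oidc"; // must be registered in Keycloak with the external host
    // Correlation and nonce cookies bind the callback to the request that
    // started the login; they are only returned by the browser if the app
    // marked them Secure on an https request, hence the forwarded-proto fix.
    options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();

// Must run before anything that reads Request.Scheme or Request.Host.
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```

A quick way to confirm the gateway is actually forwarding what the app expects is to log `Request.Scheme` and `Request.Host` from an endpoint after `UseForwardedHeaders()`: they should show `https` and the external domain, and the redirect_uri in the browser's first hop to Keycloak should carry the same external host.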

Hi,

Can you please guide me on the WAG configuration and the headers forwarded for Keycloak?

Thank you