Using AAD B2C with Application Gateway (/with Kubernetes) does not work => 404



Architecture
Our web application is deployed to our Kubernetes cluster, which is integrated into our Application Gateway through the ingress extension (Azure Gateway Ingress). If you navigate to the web application, you have to log in and authenticate through the application registration configured in our AAD B2C.

The web application itself is hosted on port 80 inside the Kubernetes cluster, but it is reachable via HTTPS through the Application Gateway. The Application Gateway holds the necessary certificates and so on. The docker compose (the deployment of the pod) already has the environment variable "FORWARDING_HEADERS" enabled.

AAD B2C is configured with the correct redirect URI.

Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews(options =>
        {
            // Require an authenticated user for every controller by default.
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .AddMicrosoftIdentityUI()
        .AddJsonOptions(options => options.JsonSerializerOptions.PropertyNamingPolicy = null)
        .AddDapr();

    services.AddCookiePolicy(options =>
    {
        options.Secure = CookieSecurePolicy.Always;
        options.MinimumSameSitePolicy = SameSiteMode.None;
        options.HandleSameSiteCookieCompatibility();
    });

    services.UseCoCoCore()
        .UseCoCoCoreBootstrapper<CoreComponent>()
        .UseCoCoCoreBootstrapper<UiComponent>()
        // the following line is registering the AuthComponent, see below for more details
        .UseCoCoCoreBootstrapper<UiAuthComponent>();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory, ILog logger)
{
    loggerFactory.AddSerilog(logger.GetLogger(), dispose: true);

    if (!env.IsDevelopment())
    {
        app.UseExceptionHandler("/Home/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseCookiePolicy();
    //app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}

AuthComponent.cs is basically this


public void RegisterAuthorization(IConfiguration configuration, string configSectionName, string[] initialScopes)
{
    // Register the OpenID Connect web app authentication from the given config section
    // and enable token acquisition for downstream APIs with an in-memory token cache.
    _serviceCollection.AddMicrosoftIdentityWebAppAuthentication(configuration, configSectionName)
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
        .AddInMemoryTokenCaches();

    _serviceCollection.AddAuthorization(options =>
    {
        options.AddPolicy("IsGroupMember",
            policy => { policy.Requirements.Add(new IsGroupMemberRequirement()); });
    });
}

I am using a configuration with these properties

{
    "AzureAdB2CConfig": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "myAaadB2c.onmicrosoft.com",
        "ClientId": "<client-id>",
        "TenantId": "<tenant-id>",
        "ClientSecret": "<client-secret>",
        "CallbackPath": "/myapp/signin-oidc"
    }
}

My expectation
Navigating to our https://custom.domain.com/myapp/ should let me authenticate myself and forward me to the desired entry point of my web application, e.g. https://custom.domain.com/myapp/Overview

What actually happens
The following scenarios work without any problems:

  • running the application on my machine via localhost
  • running the application in my Kubernetes cluster, exposed through a LoadBalancer, and accessing it via the public IP

If I navigate to the following URL https://custom.domain.com/myapp/, I get HttpStatusCode 404. The 404 is about "/signin-oidc" not being found. I have checked the header entries through the browser and they look OK to me. The hostname in my headers is also correct (custom.domain.com).

Additional information
Ingress configuration

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: myapp
  namespace: myapp-namespace
  annotations:
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: myCert
    appgw.ingress.kubernetes.io/backend-hostname: custom.domain.com
    appgw.ingress.kubernetes.io/backend-path-prefix: /
    appgw.ingress.kubernetes.io/cookie-based-affinity: 'true'
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
    - http:
        paths:
          - path: /myapp/*
            pathType: Exact
            backend:
              service:
                name: myapp-service
                port:
                  number: 80

I went through https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0

I added the following code to my application

app.Use((context, next) =>
{
    // Tell the app it is mounted under /myapp so generated URLs include the prefix.
    context.Request.PathBase = new PathString("/myapp");
    return next(context);
});

I also changed the callback path back to /signin-oidc.

Latest update
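As an added example (not code from the post above or from any Microsoft sample), this is how a practitioner would typically wire an ASP.NET Core 6 app that sits behind a reverse proxy on a path prefix: the forwarded-headers middleware runs first so the scheme and host seen by the OIDC handler are the public https://custom.domain.com ones, the prefix is moved into PathBase before routing so the CallbackPath "/signin-oidc" matches "/myapp/signin-oidc" and the generated redirect_uri gets "/myapp" prepended, and X-Forwarded-* headers are only trusted from the gateway's subnet rather than from any client. The prefix "/myapp", the gateway subnet 10.0.0.0/24 and the section name "AzureAdB2CConfig" are assumptions for illustration. Note that the ingress above sets backend-path-prefix: /, so the pod may already receive the path with "/myapp" stripped; the middleware handles both cases.

```csharp
// Added example, not the original post's code. Assumed: app mounted under /myapp,
// Application Gateway backend instances in 10.0.0.0/24, config section "AzureAdB2CConfig".
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

public class Startup
{
    // Assumed path prefix the gateway routes to this app.
    private static readonly PathString PathPrefix = new PathString("/myapp");

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Honour X-Forwarded-For/Proto/Host so Request.Scheme/Host become the public https host,
            // which is what the OIDC handler uses to build redirect_uri.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;
            // Security: only accept these headers from the gateway, never from arbitrary clients.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 24)); // assumed gateway subnet
        });

        // CallbackPath in the section stays "/signin-oidc"; PathBase supplies the "/myapp" part.
        services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2CConfig");
        services.AddControllersWithViews().AddMicrosoftIdentityUI();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // 1. Proxy headers first, before anything that looks at scheme, host or client IP.
        app.UseForwardedHeaders();

        // 2. Move the prefix into PathBase before routing and authentication.
        app.Use((context, next) =>
        {
            if (context.Request.Path.StartsWithSegments(PathPrefix, out var remainder))
            {
                // Gateway forwarded the full path: "/myapp/signin-oidc" -> PathBase "/myapp", Path "/signin-oidc".
                context.Request.PathBase = PathPrefix;
                context.Request.Path = remainder;
            }
            else
            {
                // Gateway already stripped the prefix (backend-path-prefix: /): keep Path, but set PathBase
                // so that generated URLs, including the OIDC redirect_uri, still start with "/myapp".
                context.Request.PathBase = PathPrefix;
            }
            return next(context);
        });

        if (!env.IsDevelopment())
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
            endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}
```

Two checks worth doing against a deployment like the one above: open the login URL from the browser and confirm the redirect_uri query parameter sent to B2C is exactly https://custom.domain.com/myapp/signin-oidc (matching the registered redirect URI), and then confirm that the gateway's ingress rule actually forwards that callback path to the pod; a 404 served by the gateway rather than by the app means the second check failed regardless of how the app is configured.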