This guide only applies if Azure App Proxy is configured to use Azure Active Directory (AAD) for pre-authentication before accessing your Hudu instance. If Azure App Proxy is already set to passthrough pre-authentication, please submit a support ticket.
The Problem
When hosting Hudu behind Azure App Proxy with AAD pre-authentication, you may find that the mobile app shows the error "your session has expired, please sign in again and retry" upon signing in. This error occurs because HTTP requests to the mobile app's endpoints are rejected, as AAD pre-authentication has not been completed for the request.
The Resolution
The resolution requires a few changes within your Azure App Proxy configuration. Specifically, the data and authentication endpoints for the mobile app must be added to your Azure App Proxy as applications whose pre-authentication is set to Passthrough. The endpoints will still require authentication from the user's Hudu session via an authentication token. At this time, this appears to be the only way to configure Azure App Proxy to work with the mobile app. The steps to perform the configuration changes are outlined below.
Configuring Azure App Proxy
- Log in to the Azure Portal (https://portal.azure.com).
- Select Azure Active Directory.
- From the sidebar, select Application Proxy.
- Select Configure an App.
- For the data endpoint, on the "Add your own on-premises application" screen, enter the following details (see below for an example of data endpoint).
  - Name.
    - Any name you want to identify the application.
  - Internal URL.
    - Your internal Hudu instance URL followed by /external_apps/ (with slashes).
    - For example, https://hudu.example.com/external_apps/ (replace hudu.example.com with your instance URL).
  - External URL.
    - Use your current external URL for this setting.
  - Pre-Authentication.
    - Set to Passthrough.
- Select Create and wait until completed.
- Repeat the same process for the authentication endpoint; however, for the Internal URL use yourhuduinstance.com/oauth/* (replace "yourhuduinstance" with your instance URL).
Use the same external URL as before to connect the mobile app; the error should no longer appear upon sign-in. Please submit a support ticket if, after following this guide, you are still unable to use the mobile app when Hudu is hosted behind Azure App Proxy.
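Because the two new applications bypass AAD pre-authentication, it is worth confirming afterwards that only /external_apps/ and /oauth/ are passthrough and that the rest of the instance still redirects to AAD sign-in. The following check is an added example, not part of Hudu's guide or tooling; the sample paths other than the two prefixes, the status codes and the TENANT_ID placeholder are constructed, and real observations would come from requesting each path without cookies and without following redirects.

```python
from urllib.parse import urlsplit

# Prefixes this guide publishes with Pre-Authentication set to Passthrough.
# Every other path is expected to keep AAD pre-authentication.
PASSTHROUGH_PREFIXES = ("/external_apps/", "/oauth/")
AAD_LOGIN_HOST = "login.microsoftonline.com"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def preauth_enforced(status, location):
    """True if an unauthenticated request was redirected to the AAD sign-in host."""
    if status not in REDIRECT_CODES or not location:
        return False
    # Compare the parsed hostname exactly so look-alike hosts do not match.
    host = (urlsplit(location).hostname or "").lower()
    return host == AAD_LOGIN_HOST


def audit(observations):
    """observations: (path, status, Location header or None) per unauthenticated request.
    Returns (path, finding) for each path that deviates from the intended setup."""
    findings = []
    for path, status, location in observations:
        should_pass = path.startswith(PASSTHROUGH_PREFIXES)
        enforced = preauth_enforced(status, location)
        if should_pass and enforced:
            findings.append((path, "still pre-authenticated; mobile app will fail"))
        elif not should_pass and not enforced:
            findings.append((path, "reachable without AAD pre-authentication"))
    return findings


# Constructed sample observations (not captured from a real instance).
AAD = "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
SAMPLE = [
    ("/", 302, AAD),                # expected: pre-auth redirect
    ("/external_apps/", 401, None), # expected: passthrough, Hudu token still required
    ("/oauth/example", 302, AAD),   # misconfigured: second application missing
    ("/some_page", 200, None),      # misconfigured: passthrough scope too wide
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```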