Use Case
I want all requests to my Azure PaaS Sitecore 10.3 + Identity 7.x site to use Azure Front Door. I do not want to configuring custom domains on my web apps and the web apps should be secured with private endpoints.
Problem
By default, Sitecore Identity uses the host, protocol, and port from the HTTP request when creating links. This means these values would come from the request Front Door makes to the Identity web app on the default Azure domain and login flow for CM + Identity would not work. In the past, this was solved by: adding custom domains to web apps or adding a custom plugin or overriding request headers or foregoing the use of a reverse proxy and allowing direct access to CM/Identity (gasp!)
Solution
Assuming Front Door has been configured with endpoints and routes for your CM and Identity and all other required configuration has been done (setting client secrets, AllowedCorsOrigins, etc.), you can update the PublicOrigin property to override the origin used for link generation:
- Go to sitecore/Sitecore.Plugin.IdentityServer/Config/identityServer.xml
- Enable the <PublicOrigin> node
- Set the value to your Front Door Identity domain
This will ensure the Identity custom domain from Front Door is used for link generation. This also allows the full login flow to complete with all requests going through Front Door and without introducing a security risk.
I hope you find this article helpful. Follow me on LinkedIn for future posts.