We're having some trouble authorising our frontend React/Typescript application with our Azure Active Directory/ServiceStack backend. From what we can tell, the problem originates from the frontend and backend being on different URLs.

On the backend, we're integrating AAD with ServiceStack using this plugin https://github.com/jfoshee/ServiceStack.Authentication.Aad. The frontend is a React application written in Typescript, with the @servicestack/client client for interaction with the API.

When the API redirects back to the application, after authing through Azure Active Directory, it sets some cookies including the ss-id and ss-pid. The problem seems to be that these cookies are only set on the API url, and not the App. Therefore whenever any API request is sent from the App no cookies are included in the request and the request is met with a 401.

Our understanding of the flow is as follows:

Redirect user to exampleapi.com/auth/aad
from exampleapp.com

exampleapi.com/auth/aad sets some cookies,
then redirects to Azure Active Directory (login.microsoftonline.com)

User completes login with AAD, is redirected back to
exampleapi.com/auth/aad with some data in the URL.

exampleapi.com/auth/aad sets cookies ss-id, ss-pid etc.
then redirects user back to exampleapp.com

We've tried manually pausing the application, and injecting the cookies extracted from the headers during the authorization process into exampleapp.com. Even then, the API requests made by exampleapp.com don't seem to include these cookies, so receives 401. We are using ServiceStack's tools to generate the TypeScript DTOs for the frontend.

A simple example of the requests we're trying to make, but receiving 401 for:

const client: JsonServiceClient = new JsonServiceClient("exampleapi.com");

const userDetailsRequest: UserDetailsRequest = new UserDetailsRequest();

userDetailsRequest.userId = 123;

client.get(userDetailsRequest).then((userDetails) => {
    console.log(userDetails);
});

What are we missing? Why do requests from exampleapp.com not send with cookies? How do we correctly set the cookies on exampleapp.com so they can be sent in the first place?

Is this even possible, or does the combination of ServiceStack and Active Directory require the application and API to be on the same domain?

0 Answers