Azure Front Door having problem with forwarding Authentication Bearer token

Alex 475

Hello all,

I am experimenting a design as below and ran into some issues. Would be helpful if you can assist on the same.

Design:

I have an AWS S3 exposed via AWS Cloudfront with a custom domain already (say oldsite.com).
Now I am trying to configure Azure Frontdoor's already exposed domain to have a RuleSet to override the origin based on request path.
- Say, newsite.com is exposed in Azure frontdoor and all /* requests goes to Azure backends.
- Now, in the ruleset, for newsite.com/fd/images, I override with another origin group which is the AWS Cloudfront domain.

Outcome:

Seems to be working fine, because I get the expected response for both requests below,
- https://oldsite.com/images -> 401
- https://newsite.com/fd/images -> 401
This is correct, because the Cloudfront/S3 expect Authorization Bearer token in the request.

Problem:

When I pass the Authorization Bearer token in the request, I get below error

  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
  <TITLE>ERROR: The request could not be satisfied</TITLE>
  </HEAD><BODY>
  <H1>ERROR</H1>
  <H2>Failed to contact the origin.</H2>
  <HR noshade size="1px">
  </BODY></HTML>

Queries:

I am aware that this design of CDN to CDN is unique / even bad, but I am experimenting/researching something, so

What am I doing wrong here?
Why is it that Frontdoor was able to forward the request to the AWS Cloudfront origin when the request didn't have the auth bearer token, but fails to even contact the origin when the token is passed? (Btw, I added a custom response header to confirm that the response is from this ruleset and not the other default route).
- Does it mean, Azure FD doesn't forward the auth bearer token or something like that? If yes, how to force it to forward?
Any other pointers to check?

Thank you for your time and support.

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-04T17:32:05.7966667+00:00
Hi Alex

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Firstly, please check and verify CloudFront's access logs to see if the request from Front Door is reaching and what headers are present. This can confirm if the Authorization header is being sent or not.

You can also use a tool like curl and to check the frontdoor access logs with Transaction ID (x-reference ID) and verify that the authorization headers are being passed by Azure Frontdoor.

curl -H "Authorization: Bearer <TOKEN>" https://newsite.com/images

In case, if you could see that Front Door isn't forwarding the Authorization header to cloudfront, then you need to adjust the Rules Engine configuration to include the header.

For example: -

In Azure Front Door's Rules Engine, under the "Header settings", you can add a Request Header Action to preserve the Authorization header with - Action: Modify request header - Action Type: Preserve - Header Name: Authorization

Also, please check by increasing the origin timeout settings in Azure Front Door. Sometimes, if adding the Authorization header makes the request take longer and CloudFront would be doing more processing in which Front Door may be getting timed out and may fail to forward the request to origin.

Ensure no other WAF policies on AFD or CloudFront block/strip the header.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol#client-to-front-door

Refer: https://learn.microsoft.com/en-us/answers/questions/774629/frontdoor-authorization-header

Can you please update us if the action plan provided by was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Alex 475 Reputation points

2025-03-04T18:07:52.3733333+00:00
Thank you Ganesh for the details.

Cloudfront logs - will check on enabling this and verify.

But from curl command, in the request, I passed the header X-Azure-DebugInfo, which responded as below

When I didn't pass auth bearer header
x-azure-originstatuscode: 401

When I passed it
x-azure-originstatuscode: 502

Preserving the auth bearer header, I dont see that option.
Alex 475 Reputation points

2025-03-04T18:15:10.3266667+00:00
Thank you Ganesh for the details.

Cloudfront logs - will check after enabling it.

But using curl, I passed the header 'X-Azure-DebugInfo' and got the below responses from Cloudfront origin.

Without auth bearer header
x-azure-originstatuscode: 401 -> So Cloud front is responding back with 401 right? meaning expecting auth token.

With auth bearer header
x-azure-originstatuscode: 502

Regarding preserving the auth bearer header, I don't see that option.
Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-04T18:36:07.6133333+00:00
Hi Alex

Thanks for the reply!

Can you please inspect headers in CloudFront Logs and verify if the Authorization headers are present in requests from AFD. Also, please share the AFD origin settings on private messages.
Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-06T05:32:16.3+00:00
Hi Alex

Thanks for the reply!

Can you please inspect headers in CloudFront Logs and verify if the Authorization headers are present in requests from AFD. Also, please share the AFD origin settings on private messages.
Alex 475 Reputation points

2025-03-06T07:04:08.5666667+00:00
Hello Ganesh,

Apologies for the delay.

I found out the reason why it was failing. It wasn't the Auth bearer token not being forwarded, but the URL rewrite was missing in my ruleset.

Actually, the flow is

newsite.com/a/b/old/images/image1.png -> Azure FD TO oldsite.com/images/image1.png -> AWS CF.

AWS CF is configured only for the request path /images/*, so when FD was forwarding with /a/b/old/images/image1.png, AWS CF was responding with 502 because of no request mapping configured for that path.

So, in Azure FD ruleset, before route override to AWS CF, I did a URL rewrite as below

Source: /a/b/old/
Destination: /
Preserve unmatched path: Yes

Now its working.

Thanks for your time and support! Much appreciated.
Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-06T09:15:54.7033333+00:00

Hi Alex

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I had been posted your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

1 answer

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-06T09:14:37.14+00:00
@Alex

Greetings!

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

Issue: Azure Front Door having problem with forwarding Authentication Bearer token

Resolution: I found out the reason why it was failing. It wasn't the Auth bearer token not being forwarded, but the URL rewrite was missing in my ruleset.

Actually, the flow is

newsite.com/a/b/old/images/image1.png -> Azure FD TO oldsite.com/images/image1.png -> AWS CF.

AWS CF is configured only for the request path /images/*, so when FD was forwarding with /a/b/old/images/image1.png, AWS CF was responding with 502 because of no request mapping configured for that path.

So, in Azure FD ruleset, before route override to AWS CF, I did a URL rewrite as below

Source: /a/b/old/ Destination: / Preserve unmatched path: Yes

I hope this has been helpful!

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.
Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-07T08:47:56.0333333+00:00

Hello Alex

Greetings!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I had been posted your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-07T12:17:15.36+00:00

Hello Alex

Greetings!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I had been posted your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Front Door having problem with forwarding Authentication Bearer token

1 answer

Your answer