Azure App Services Authentication – OpenID Connect Configuration Error

0
ChatGPT Image Aug 1, 2025, 01_31_22 PM

Issue Summary

When configuring Authentication (Easy Auth) on an Azure App Service, we encountered the following error:

500 Unable to download OpenID Connect Configuration

This error prevented the authentication module from initializing correctly.


Root Cause

The error stemmed from a failed TLS handshake when the App Service attempted to reach the specified OpenID Connect issuer endpoint.

Investigation Steps:

  1. Accessed the App Service’s Kudu Console via the Advanced Tools blade in the Azure portal.
  2. Used curl -v to test connectivity to the issuer endpoint defined in the Authentication blade.

Findings:

  • The endpoint https://sts.windows.net returned a TLS handshake error.
  • The failure was likely caused by a firewall or network security device performing TLS inspection/decryption, which broke the certificate chain and prevented secure communication.
  • There are 2 primary endpoints for Microsoft authentication so you may be able to use https://login.microsoftonline.com to mitigate this issue.

Resolution

To restore authentication functionality:

  • Switched the issuer endpoint in the Authentication configuration to https://login.microsoftonline.com
  • Or allow the connection through the firewall which is doing TLS decryption and breaking the handshake.

Key Takeaways

  • The App Service Authentication container must be able to securely connect to the OpenID Connect issuer endpoint.
  • TLS inspection or SSL-breaking middleware (e.g., corporate firewalls, proxies) can disrupt secure connections and cause configuration errors.
  • Always verify endpoint accessibility using curl -v or similar tools in the Kudu Console when troubleshooting.

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *