Authentication error on static web app getting 403 #2240
Unanswered
nikharthakur-psi asked this question in Q&A
Hello Team,
I have deployed the Storybook application on a static web app, using app registration for authentication. The static web app is configured with a custom domain and is under a virtual network (VNet). To enable public access, I have set up an application gateway. However, when attempting to access the public domain, it returns a 403 error and the URL changes to:
https://privateendpoint/.auth/login/aad?post_login_redirect_uri=/.auth/complete&staticWebAppsAuthNonce=OjfCG3Z5MVM8z6X8Mx%2bRh%2bhtZ4EmN4UuQNe4uDmrWEvXxhJAOuIb9UEHsJJwCQor26TjqNnb0nkQKcK%2f5Eli0kph5sNyqCzhgv7srL68z%2bETAaaiEivyxipChdXk9Gg0
My staticweb.config.json looks like:

```json
{
  "trailingSlash": "auto",
  "routes": [
    {
      "route": "/login",
      "rewrite": "/.auth/login/aad"
    },
    {
      "route": "/logout",
      "rewrite": "/.auth/logout"
    },
    {
      "route": "/*",
      "allowedRoles": [ "authenticated" ],
      "headers": {
        "Cache-Control": "no-store"
      }
    }
  ],
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/{tenant_id}/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  },
  "responseOverrides": {
    "401": {
      "redirect": "/login",
      "statusCode": 302
    }
  },
  "globalHeaders": {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS"
  }
}
```
I have added the AZURE_CLIENT_ID and AZURE_CLIENT_SECRET as environment variables in the static web app. In the app registration's authentication settings, I configured it as a single-page application and added the redirect URI: https://(public_url)/.auth/login/aad/callback.
In the Implicit grant and hybrid flows section, I selected both options: Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows). I also tried selecting them individually, but it did not work.
For API permissions, I chose Microsoft Graph: User.Read and granted admin consent.
Additionally, there is no redirection rule configured in the application gateway or in the code.